Another day, another massive computer hack attack

Note: followup to this post at http://tacit.livejournal.com/325770.html

I run quite a number of WordPress blogs: weeklysextips.com, the Whispers blog at symtoys.com, the Skeptical Pervert blog (which I haven’t actually started doing anything yet, as I haven’t started my podcast yet), and so on.

These blogs all run comment spam filtering software, because automated WordPress comment spam is a big problem with any WordPress blog. A lot of the automated comment spam contains, of course, redirectors to malware, mostly disguised as porn links.

I occasionally trawl through the spam comments on my blogs; it’s an amazing early warning system to see what the malware writers are up to these days. Recently, I found a spate of malware spam advertising URLs hosted on a Web site called nashville.net; the spam promised all sorts of free sexual delights if I would but go to such Web addresses as

http://www.nashville.net/profile/3nz5lxzvocvcd
and
http://www.nashville.net/profile/jetttoland59

and so on.

I did some poking around on Nashville.net and discovered that it has been compromised like a Senator with a gambling addiction; at the moment, it’s hosting somewhere around 4,200 phony profiles, all of which are redirectors to sites that try to download malware. Each phony profile leads to the same place: a URL at

http://sexsuite.ru/stds/go.php?sid=14

which is a traffic handling Web site that works the same way that the traffic redirector sites used by malware networks I’ve talked about before do.

So I decided to be a good citizen and drop a line to the owner of nashville.net, and his Web host, letting him know he’d been massively breached.

That’s when things got interesting.


The Web site nashville.net is a “community site,” a small niche social networking site hosted by an outfit called Ning.

Parsing input: nashville.net
Routing details for 8.6.19.68
“whois NET-8-6-19-0-1@whois.arin.net” (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse@ning.com
8.6.19.0 – 8.6.19.255:abuse@ning.com
Using abuse net on abuse@ning.com
abuse net ning.com = postmaster@ning.com, abuse@ning.com, abuse@level3.com

Ning is a personal social networking site founded by the guy who started Netscape, Marc Andreessen. It basically lets you create your own mini MySpace or LiveJournal or whatever you like–a small social networking platform aimed at whatever niche you want. It’s had a checkered past, and has struggled to make money; three days ago, Ning announced that it would become pay only and would cancel its free services. It also fired 40% of its staff.

But that’s not the really interesting part.

The really interesting part is that it looks like all of Ning, with all the social networks and online forums it hosts, has been pwn3d from balls to bones.

A search for some of the exact words and phrases used by the virus redirectors on nashville.net, one of Ning’s social networking sites, produces 1,060,000 results…and as near as I can tell, they are all on Ning.

Now, a conspiracy theorist might come up with all kinds of conspiracies to explain this–disgruntled employees, knowing what was coming, leaving the back door open; executives of a foundering company, desperate for cash, turning a blind eye to Russian malware writers; whatever. I suspect that the reality is what it always is–incompetence, someone asleep at the switch, management that doesn’t appreciate security and doesn’t want to pay for it…the same sorts of things that seem to be behind this sort of thing almost every time.

But if you use Ning, or you know someone who does, my advice is to leave.

10 thoughts on “Another day, another massive computer hack attack

  1. Thanks

    A political group I am a part of recently sent up a Ning page to have somewhere to discuss group business outside of facebook. I’ve passed this along.

  2. Thanks

    A political group I am a part of recently sent up a Ning page to have somewhere to discuss group business outside of facebook. I’ve passed this along.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.