.Gov Site Reinfested Due to Hosting Provider Sloppiness

The Marin County sites were once again serving malware as a result of sloppy Web site hosting.

The Marin County Transportation Authority sites that appeared to be serving up pornography and malware yet again Nov. 29-30 were in fact a sloppy residue from the same Web site hosting company that the California government agency thought it heard the last of once it ceased using the provider in September.

The hosting company in question—StartLogic—or its sister company has, in fact, been at the bottom of multiple hacked government sites, including serving up malware-seeded pages for the domain of Plainville, Kan.—a city that registered a domain but never even put up a site.

Dianne Steinhauser, executive director of the Transportation Authority for Marin County, told eWEEK late in the day on Nov. 30 that TAM ceased hosting its site with its previous provider, StartLogic, as of Sept. 14 due to malware-seeding problems that eventually led to the federal government shoving offline Internet and e-mail service for the entire state of California in early October.

Sunbelt Software President Alex Eckelberry said in a post on the night of Nov. 29 that TAMs domain was yet again serving up links that directed users to pages that pushed Trojans and malware posing as a fake codec. Paul Ferguson, network architect at Trend Micro, told eWEEK that as of Nov. 30 all the garbage was still being served up from subdomains on TAMs site.

The tam.ca.gov site was, in fact, not hacked and was not serving up malware, although it displayed a message saying it was under construction. The site is actually being hosted by a new, independent Web host, ValueWeb, and is in fact still under construction, Steinhauser said.


Click here to read more about why it appeared that the Marin County Transportation Authority Web site was spreading malware again.

However, even though TAM stopped doing business with StartLogic in September, the Web hosting provider still had an open Web page assigned to the transportation agency. TAM didnt find out until Nov. 30 about the open page, through which the public could access Web services through StartLogics servers under tam.ca.gov.

"While there were absolutely no files of ours on that page, [malware] files began to appear there … [on Nov. 29] around 4:45 [Pacific Time]. When we heard about [it] this morning we immediately began to try to work with StartLogic to completely eliminate that Web service, and our understanding is that they are doing that," Steinhauser said.

The most recent attack appears to have come in through StartLogics server, Steinhauser said, as opposed to coming in through a TAM Web file. In other words, the hosting company was attacked and was responsible, not TAM, as researchers had guessed earlier in the day.

Indeed, if the repeated contamination of TAMs site shows anything, its that some Web hosting providers are doing an abysmal job at securing their customers sites or cleaning up after themselves.

"In many cases were seeing guys outsource Web sites and Web hosting to a hosting provider, with the hosting provider not using the best security practices," Eckelberry told eWEEK. Researchers are seeing sites compromised through a medley of mistakes, some of them due to customers and some due to the hosting provider: stolen FTP credentials; unpatched (usually open-source) software, including poorly maintained LAMP stacks; the increasing use of collaborative; "Web 2.0" type software (wikis, tikis, etc.); DNS hacks; poorly written ASP code; sloppy PHP work; and SQL hacks.


Read here about how hackers scam Internet users with bogus anti-spyware offers.

And as of 7 p.m. ET on Nov. 30, Steinhausers exhausted, frustrated tone revealed exactly how small businesses and small government agencies with sparse budgets are banging their heads against the wall when security slips through the cracks. "[StartLogic has], as of this afternoon, assured us that that remaining blank Web page will be eliminated. To be honest, I dont know if theyre doing that today or if everybody [has gone] home. We asked that it be done immediately. We have no business with them, have not had business with them regarding our Web site for over two months. We were as surprised as anyone there was still a Web page at StartLogic with our name and our Web address on it," Steinhauser said.

TAM wound up with StartLogic in the first place because it had few choices. "At the time, we looked for a hosting provider that could manage our content management system, which was unique," Steinhauser said. "[A hosting provider] who had some reasonable protocols and firewalls in place."

A preferred route that would have saved the agency migraines such as those they got from the pornography-seeding attacks would have been to offload the site to a managed service provider. TAM did, in fact, attempt such a setup with Yahoo, among others, but again, the uniqueness of the agencys content management system made that a no-go.

"We were limited," Steinhauser said. "Because of how our site was created in the first place, we were limited to where we could go in the first place. Are we going to change that? Yes. Are we in the process of changing that? Yes."

In fact, on Nov. 30, TAM had a proposal due that outlined an ongoing process of independent security auditing for mail and Web servers. TAM feels secure with its new hosting provider, ValueWeb. And although StartLogic is still hosting a mail server for the agency, TAM hasnt had any security issues with that setup.

However, during its October malware troubles, TAM decided to purchase a new mail server of its own and intends to take steps next week to take back its e-mail—the last vestiges of service that the troubled StartLogic is providing for the beleaguered agency.

StartLogics sister company, iPowerWeb, was not able to provide input by the time this story posted.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.