Web Hosting Providers Let Security Sag

Web hosting providers that can't keep DNS servers clean are exposing low-budget government Web sites to malware.

Riddle: What do the city of Plainville, Kan., and the Transportation Authority of Marin County, Calif., have in common?Answer: a Web hosting provider that can't seem to keep its DNS servers clean.

Both .gov domains in the past few months have seen their sites seeded with redirects to malicious servers in other countries that have pushed pornography, malware, Viagra ads and the like to site visitors.

TAM and Plainville are, in fact, two examples of what security researchers are calling an epidemic of sites being compromised through their hosting providers and injected with malicious Web attacker paths that lead to tool kits such as Icepack, Neosploit and Web Attacker. These malcode tool kits serve up anywhere from five to a dozen or more exploits that latch on to site visitors' machines through their browsers to infest the systems with malware.

Plainville and TAM have more than their victim status in common. On the face of it the two had separate hosting providers—StartLogic and IPowerWeb, respectively—but those two are in fact all but the same company, both headquartered at the same Phoenix address and both sharing the same customer contact listing.

IPowerWeb/StartLogic hadn't provided input by the time this story posted. Their track records paint a colorful portrait, however: The Better Business Bureau has processed 191 complaints about IPowerWeb in the last three years. StartLogic is not only rated as an "unsatisfactory" business at BBB but also has its own hate site, StartLogicSucks.com, which ranks third in a Google search on "StartLogic."

Not all site poisonings can be blamed on ISPs. Security problems arising from collaborative software such as wikis are the customer's fault, as are those associated with poorly written ASP code, sloppy PHP work and SQL hacks.


Read more here about the problems ISP sloppiness has caused for governement sites.

So it's not always the ISP's fault when a site gets seeded with garbage. Then too, there are plenty of ISPs that respond promptly when customers' security staffers report that their sites have been hijacked.

Judging by Morgan Bailey's experience, IPowerWeb is not one of those.


On Nov. 19, Bailey, an information security analyst for the Enterprise Security Office for the state of Kansas, noticed a number of discrepancies in the DNS registrar information for some sites pertaining to the city of Plainville, Kan. If he queried the DNS server to find out what company was hosting the Plainville.ks.gov domain name, it delivered one set of information. If he tweaked the host name to query about Plainville-kansas-gov, he received the correct DNS information. If he queried 7.t.city-of-plainville.ks.gov, he got servers located in Moldavia, or Serbia, or Estonia. The sites were redirecting to pages hosting malware

This was not the customer's fault. In fact, the city of Plainville didn't even have a site. The city had registered a domain name, but it had never gone live with a site and didn't have an IP address for its domain name. Everything that was being served on the pages was residing within IPowerWeb's servers, which had been infiltrated by attackers.

Because IPowerWeb's servers were vulnerable, criminals were able to register false DNS information, including different site names under the city of Plainville's domain name. Bailey's research turned up other sites with the same problem, also being hosted at IPowerWeb, including at least two other government sites: csm.ca.gov and Bridger-mt.gov.

Obviously, IPowerWeb had a problem. Getting it fixed would be an uphill battle, however, given the lack of human contact available.

Bailey found he had to send repeated e-mails to IPowerWeb's abuse e-mail contact—a frustrating exercise, given that the contact information was hidden and could only be retrieved via Google searches for cached information that had been removed from the site. When the ISP finally responded, it initially tried to brush him off by laying the blame back at the customer's feet.

"I sent them several e-mails," Bailey told eWEEK. "They returned [my e-mail] once saying it wasn't their fault, when it clearly was. I could trace everything back to their DNS servers."

Imagine the frustration of squeezing an ISP's site in an effort to find a responsive human to deal with a site that's been seeded with malware, with more and more innocent citizens potentially suffering drive-by malcode downloads as the clock ticks. Imagine that same frustration if the news has gotten out to security researchers, been blogged about, featured in news headlines, and resulted in the GSA pulling the plug on an entire state's domain, as happened in the case of California with TAM in October.

Page 2: Web Hosting Providers Let Security Sag

That exact type of maddening situation is now commonplace for many small agencies, cities and businesses forced to deal with nonresponsive ISPs in the midst of site hijackings.

"A lot of these [sloppy ISPs] are out there hosting not only government sites but [sites for individuals or businesses]. People out there, your average citizen who isn't as sophisticated as all these scammers and [not sophisticated when it comes to] keeping a computer up to date with all the patches, the anti-virus, firewalls, that sort of thing—that represents a real threat," said Larry Kettlewell, chief information security officer for the Kansas state government.

IPowerWeb isn't the only ISP having these problems, but it has certainly captured security researchers' attention more than most. In fact, some researchers liken IPowerWeb to the RBN (Russian Business Network)with respect to how much bad traffic they see going to the providers' sites or how much bad software researchers see coming out of those sites.

"The numbers on some days make you feel like you're looking at a sister company of the RBN," said Dr. Jose Nazario, senior security researcher for Arbor Networks.

It's a dilemma. Signing up for managed security services from a big provider could well solve the problems being faced by resource-squeezed IT shops such as those working for small cities or small businesses, but they're just too expensive for most of these organizations.

"The whole business of managed services, whether for e-mail or network services or whatever, has until now really been off the consideration chart because of the costs involved. This might be a viable option, for instance, for medium- to large-sized corporations. ... [But] most state governments just would not be in a position financially to go down that path," Kettlewell said.

In fact, managed services don't look attractive until an organization has been burned once or twice, he said—only then does the desire to stay off newspapers' front pages and to keep services up and running outweigh the steep costs.

In the meantime, smaller shops are stuck with ISPs that, for whatever reason, just can't seem to get security done right.

"Over the last couple of years, this … has become kind of like a criminal enterprise—it's almost aided and abetted by lazy or otherwise unknowing people who are running some of these information security provider shops," said Kettlewell.

ISPs have an imposing amount of infrastructure to secure: Switches, routing, operating systems and DNS servers are the underlying infrastructure, and on top of that comes whatever a customer is hosting. Some ISPs have the staff, training, resources and foresight to configure things correctly. Nazario rattled off a half dozen ISPs that get security done right and deal with problems quickly: Yahoo, AT&T, Amazon, Rackspace and ServerBeach, for example.

For companies that can't afford a larger ISP, Nazario recommends doing due diligence when considering a smaller ISP, including these steps:

  • Check the Better Business Bureau listing for any outsourcer. Look for complaints that seem legitimate or recurring.
  • Talk to providers you trust, including local ISPs. Ask for the word on the street about a given provider.
  • Grill a prospective ISP on security procedures, including if there's a dedicated staff available 24/7 and the process for escalating problems.
  • Find out if there's a contact that can be reached right away—without the need to get lost in a phone tree—if either a security researcher or a customer notices something wrong with a site.
  • Interview a provider's customers. Ask other customers about specific incidents and if they've been handled to customers' satisfaction.

As for Plainville, there was still some residual cache information with malware redirects as of Nov. 30, but besides that residue, it appears that everything is right with the site now, Bailey said. And it's no coincidence that the site only began to get cleaned up when he got hold of a responsive person—the technical contact for the city of Plainville itself, mind you, not an IPowerWeb representative.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.