Tip from a reader “How to clean the Yahoo Counter Injection Script”
Hey buddy,
nice website, i wish i had seen it before I renewed my contract with the crooks at IX for 2 more years…
well, i am writing because i couldn't find on your website a solution to clean the infections automatically. so maybe you want to post a solution: here is what I did:
1 – download the entire site
2 – Open an infected file with Adobe Dreamweaver
3 – Look for the infected code, select all of it and copy it to the clipboard (starts with “<?php if(!function_exists('tmp_lkojfghx'))…”). You must copy ALL the code!
4 – Still on dreamweaver, click on EDIT>FIND AND REPLACE
5 – on the FIND box you paste the infected code
6 – On the FIND IN dropdown select FOLDER and point it to the folder where your website was downloaded.
7 – click on REPLACE ALL (dreamweaver will replace the code with whatever is on the REPLACE box, as we didn’t write anything there, it will clean the code)
I found out that all the infected files on my sites had exactly the same code, so it was quite fast to remove them.
Ivan
Thanks Ivan for your feedback, I hope this helps others, also sorry to hear your sites are still constantly being injected. It’s clear that IX Web Hosting still has not got a clue how to solve this issue, and on top of this they are having 3 other major issues to deal with.
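The same exact-match find and replace can be scripted over the downloaded copy of the site. This is an added example, not code from Ivan or from this site: the injected block is a constructed placeholder because the tip quotes only its opening, and `clean_tree` and the `.infected.bak` suffix are hypothetical names. It also lists files that still contain the `tmp_lkojfghx` marker after cleaning, which is the case an exact match misses.

```python
import shutil
import tempfile
from pathlib import Path

MARKER = b"tmp_lkojfghx"  # function name from the injected block quoted in the tip


def clean_tree(root, injected, suffixes=(".php", ".html", ".htm")):
    """Remove every exact copy of `injected` (bytes) from files under `root`.

    Returns (cleaned, suspicious): files that were rewritten, and files that
    still contain MARKER afterwards (a variant the exact match did not cover).
    """
    if not injected.strip():
        raise ValueError("refusing to run with an empty search block")
    cleaned, suspicious = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        data = path.read_bytes()
        fixed = data.replace(injected, b"")
        if fixed != data:
            # Keep the infected original beside the cleaned file for review
            shutil.copy2(path, path.with_name(path.name + ".infected.bak"))
            path.write_bytes(fixed)
            cleaned.append(path)
        if MARKER in fixed:
            suspicious.append(path)
    return cleaned, suspicious


def demo():
    # Constructed stand-in for the injected block; the real body is not on the page
    block = b"<?php if(!function_exists('tmp_lkojfghx')){ /* placeholder */ } ?>"
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "sub").mkdir()
        (site / "index.php").write_bytes(block + b"<?php echo 'home'; ?>\n")
        (site / "sub" / "about.html").write_bytes(b"<html>about</html>" + block)
        (site / "clean.php").write_bytes(b"<?php echo 'ok'; ?>\n")
        # Variant with different whitespace: the exact match will not remove it
        (site / "variant.php").write_bytes(block.replace(b"){", b") {") + b"<p>x</p>")
        cleaned, suspicious = clean_tree(site, block)
        return ([p.name for p in cleaned], [p.name for p in suspicious],
                (site / "index.php").read_bytes())
```

The `.infected.bak` copies still contain the injected code, so delete them or keep them out of the folder before uploading the cleaned site. Any file reported as suspicious needs a manual look, since its injected block differs from the one that was copied.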
6 Comments »
If you are using a mac, the free tool called TextWrangler can also perform such a search & replace on an entire website folder.
http://www.barebones.com/products/textwrangler/
Also, here’s additional info on the injected code issue.
http://wordpress.org/support/topic/205155
Best of luck to those affected by this issue.
Comment by Jeff Walton | February 14, 2009
I was told three weeks ago it would be one more week until the problem was properly fixed. However, to use the new security features I would need to move my sites over to a new server and account.
What’s really strange is I found THIS in my apache server stats from IX just today. It’s the top entry page to my site. Huh? An outside page being my top entry page? Yep:
REMOTE_HOST=dxxx-xx-xx-xx.xxx.myhost.com
REMOTE_ADDR=xx.xx.xx.xx
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/x-silverlight-2-b2, */*
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT_LANGUAGE=en-us
HTTP_CONNECTION=Keep-Alive
SPILL – HTTP_COOKIE=__utma=xxxxxx.590780005489459600.xxxxxxx.1234648090.1234648090.1; __xxxxxxxx; __utmz=21585833.1234648090.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP_HOST=www.cship.info
HTTP_REFERER=http://www.example.com/modlogan/m_usage_xxxx_xxx_xxx.html
HTTP_UA_CPU=x86
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322)
——————————————————————————–
REMOTE_HOST
Result
Comment
Maybe no problem.
HTTP Env. Value
Result
NoProxy!
Comment
Like no proxy server.
AnonyLevel : 2?
Spill your REMOTE_HOST? (1234648090.1234648090.1234648090.1)
——————————————————————————–
prxjdg – created by PRX4EVER
thanx to Team Cr[y]ackerz
———-
Welcome to IX webhosting hell! For months these guys ruined my sites.
Comment by Mike | February 15, 2009
@ Mike
ProxyJudge is an environment-checker like AZenv or jenv that can be used to test a proxy server. It is written in Perl. The ProxyJudge script also gives a rating of the anonymity where 1 is the best and 5 is the worst. It takes a lot of CPU power on the server so it should be avoided to use it automatically. You can just surf with a normal web browser to the URL of a ProxyJudge and compare the shown IP with yours or you can use the ProxyJudges in proxychecker software like AAtools, proxy checker, Proxyrama, Charon or AccessDiver to automatically check those free proxy lists on the Internet if they are working and if they are anonymous.
Comment by neverixweb | February 15, 2009
@ivan: I understand your frustration, but if you ever want to leave IX, we will refund any unused part of the account (so if you paid for 2 years and only used 37 days so far and decide you want to leave, you will be refunded the amount that is equivalent for 2*365-37 days)
@rest: i understand there are still security issues, but I would like to give you a little bit of insight:
-> we had issues with javascript injection => we implemented mod_security in apache to prevent this. in the past 48 hours our monitoring could not detect any new JS injections. We have our eyes open
-> we had issues with the way php was working (eg, if an account got compromised via a php vulnerability or customer script, the attacker could potentially have access to other customer’s folders) => we restricted that. if somebody’s site gets hacked, the other sites on the server are safe.
there are a couple other issues that we work on, plus we’re working on the cleaning of the malware we detected. However, there are things that we can fix just like that, and things that take time. I urge you to be patient.
Comment by root@ix | February 20, 2009
I was patient, rootpix. For months. Your managers even finally admitted the problem to me and gave me six months free. But what good is free service when I can never trust IX to ever fix any security issue in a timely and professional manner?
Comment by montana600 | February 26, 2009
My account with IX is going to expire in a few days. I am thinking of leaving IX but don’t know which web hosting is good? Can anyone suggest? I am hosting multiple domains (multiple MySQL for WordPress) under one IX account. I prefer the new web host offers similar service.
Comment by Adrian Hoe | March 8, 2009