IX Web Hosting and the Yahoo Counter Script Injection

Posted: December 24, 2008 in IX Web Hosting
Tags: , , , , , , , , , , , , , ,

I started this blog just 2 weeks ago, and today I recieved my 1000 th  Email asking me about the code that is injected into the footer of every file hosted on seeded IX Web Hosting Servers.

Hundreds of  IX customers, are contacting me to ask about the Injected script ( posted in a previous post) they are asking me HOW to remove it, because they cannot find it…

The Reason they cannot find it??

Because of a MASSIVE SECURITY ISSUE on IX WEB HOSTING’s SERVERS!!.. the script is NOT actually put onto any of your pages, the script is actually hidded somewhere on the server..

So far I have found 5 “seeds” .. These are the codes that are appearing  in  over 100,000 sites

Remember to view the “source code” in the above links.

Very interesting is the second “seed” that is actually in an IX standard “modlogan” folder, that is standard a chmod 700 .

Secondly it should not be possible on any shared server to inject this script onto EVERY file on that server. The fact that this is happening means that IX web Hosting has not got a clue how to protect their servers, and customer web sites. 

So as you can see, this script IS  NOT actually put into your script, that is why you cannot find it.. HOWEVER, somewhere on your site, there is a bit of code  “Calling” this script, and that appears in your pages.
Check  ALL the pages that get called for every page, ie. header, footer, index, sidebar etc. 

So far I have evidence and proven that the following IX servers running the following Database’s  are seeded:

  • mysql33.ixwebhosting.com
  • mysql15.ixwebhosting.com
  • mysql27.ixwebhosting.com

If you know of any others that are seeded, please let me know.

Hope this helps

:: Some people have contacted me to tell me that the Injected Script is ( also ) injected into the database, and in some cases a new table is created.
I have checked 9 databases of infected sites, and I have not yet come across the script in my Database’s, so I think that this might be “script” related, maybe that some scripts such as PhpBB2 allows for this to happen, so I recommend searching your Database for the script as well ::

Advertisements
Comments
  1. James Hunter says:

    Count me in as another victim of IX Web Hosting malware. I first noticed the problem about a month ago when the FireFox Google Advisory blocked my website. Looking though my html, I quickly found the Yahoo counter. I also noticed that all my html and php files were owned by gregjame. The fact that ownership of my files was changed seemed to be clue that this was not a problem on my side.

    I opened a trouble ticket and got the standard boiler plate response that this was the fault of my PC. I asked them to explain how my PC changed the ownership of my website files to someone else on their server. A few hours later, IXWebHosting responded that the server had a “glitch” and was now “fixed”.

    For 2 weeks, I didn’t see any re-infection, though I did see one thing that that bothered me. I use FrontPage extensions to publish. Every single day, I had to reset/re-enable FrontPage extensions. Not sure if this means anything, but it did make me wonder if the server was still infected.

    One day, my files were infected all over again. The modification date on the files was in the middle of the night. I opened a trouble ticket and got the boiler plate response. I decided I’d had enough. I’m in the process of changing providers.

  2. mikeb12 says:

    not sure if this helps anyone here, but I’ll post in case it does…

    I am also a IX customer and was hit by yahoo counter on a phpbb2 board about a month ago. created a trouble ticket and they told me to upgrade and change ftp and database passwords. didn’t help. then I chatted online with a support rep at IX for about 30 minutes, linked them to the various threads about the issue.. and they said “we are working on it”. I asked if they had an eta or any details on what I can do to fix it. the rep told me they are not allowed to talk about it publicly.

    so needless to say, I went hunting for DIY solution… found many links including this one, but no real answers on how to remove it..

    long story short, after hours of combing through files, found nothing. so I went hunting in phpmyadmin and found it hiding in 2 tables. CONFIG and CATEGORIES…
    removed the counter script from these 2 tables and it cleared my site of it. http://www.doxietown.com/phpBB2/index.php

    here’s where I found mine…
    it was in 2 tables (categories and config) in phpmyadmin. some screenshots below on how I removed it..

    from categories table

    and from config table

    hope that helps some of the phpbb users.. obviously IX is not at a point to fixing it yet.. I had to do it on my own.

  3. neverixweb says:

    Thanks mikeb12 for this useful info, I hope this helps others to detect any injected code in their DB.

  4. DrewJ-Stirling Tech says:

    Another IX victim here (yes, I am putting full on blame on IX for this one). I found the code written into several php and html documents in several of the sites I have hosted on IX during some updates, the malicious code did not exist as early as three days ago, I have been doing a ton of updates and hadn’t seen this until today. I also found that most files had been chmodded 444, so simply removing the injected code and overwriting was not an option. I had to delete and re-upload a few sites to cure this while I search for another host. Two of the infected sites are very simple and static for the most part, no DB access or server side code so, as an FYI, this DOES indeed write to your hosted code, mySQL is affected but not necessarily needed to become infected and as a temp fix, you will need to remove any DB entries as mikeb12 points out, as well as delete and upload a clean version of any affected files.

    Hope this helps.. If I find a comparable host, I’ll come back here and post a link, I know I’m looking, and I’m sure some of you are as well.

    Drew

  5. […] the matter before driving to IX with a blow torch, I decide to google it. This is what I found… IX Web Hosting and the Yahoo Counter Script Injection IX Web Hosting Warning This as well as several other hits describing the same issue I was seeing, with IX Hosting sitting […]

  6. DrewJ-Stirling Tech says:

    Dreamhost seems to have a really good deal, very comparable, I’ll be switching over to them shortly..

  7. Smurf says:

    I am infected too.

    http://www.GeordieGabbaMafia.org

    My site is on mysql4.ixwebhosting.com

  8. Kunga says:

    Well they have finally owned up to it:

    Hello,
    I have the Yahoo! counter trojan on my website but I have downloaded the whole site and cannot find any infected files. Please help me find it.
    Thanks.

    Alex K., Sat Jan 10 06:49:56 2009
    Ticket Status was changed from Open to Resolved
    Dear Kunga,

    I’ve just checked your website and did not find any virus activity on your web site. Please check this by yourself. Your website is clean now. We have currently problem with Yahoo counter hack, but our system administrators and security analysts working hard for finding exact reason of that problem and we can assure you that this will be fixed shortly.

    Should you have any further questions, please feel free to contact us anytime, we are available 24/7.
    Technical Support
    24*7 Helpdesk / Online Chat
    Alex Karamushko
    Jan-09-2009 23:40 UTC
    © 2008 IX Web Hosting . All rights Reserved | Privacy Policy

  9. K.Ray says:

    I have seen this script inside the php files while my blog was hacked and infected . This java script is injected in to the wp-login.php and admin-footer.php files by the hacker. For more details please read this article : http://www.itoneworldsystem.com/blog/2009/01/03/how-to-remove-malware-from-your-blog/

    This article defines and resolves this c=z.lenth java script problem step by step .

  10. […] If I find a comparable host, I’ll come back here and post a link , I know I’m looking, and I’m sure some of you are as well. Drew. Comment by DrewJ-Stirling Tech | December 26, 2008. […] the matter before driving to IX with a blow …[Continue Reading] […]

  11. Smurf says:

    I got an E mail from IX on Thursday saying that have moved my website to another server. Now I can access anything PHP related on my website. I asked if the SQL DB settings have changed. They replied with this ..

    “I`m very sorry for this inconvenience which might be caused to you. Your mysql server remain the same so recent move will not affect any of connection settings you had before. Please accept my apologies for any inconveniecne which this might cause to you. Should you have any questions please feel free to contact us anytime, we are available 24/7”

    Hopeless ! I have decided to leave them today

  12. darren says:

    I posted 2 comments on the following page. Read them and you’ll find IX is to blame and the solution is to switch hosting companies.
    https://ixwebhostwarning.wordpress.com/2009/02/13/tip-from-a-reader-how-to-clean-the-yahoo-counter-injection-script/#comment-460

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s