
As I wrote yesterday, MORE THAN ONE THIRD OF ALL IX Web Hosting’s hosted sites are INFECTED.
And to make things worse, the problem is spreading.
Up until Jan. 3rd 2009 it was only the older servers still running PHP4 that were being affected, but now even the NEW server blocks, running PHP5, are being injected.
IX customers with sites on the server block with the MySQL address mysql501.ixwebhosting.com, which runs PHP5, are being injected.

This is bad enough, and the fact that after 9 MONTHS!!! IX Web Hosting STILL HAS NOT GOT A CLUE how this is being done is a complete DISGRACE!!
And to add salt to the wound, IX is not just being attacked with one form of iFrame injection, NO, IX is being attacked in THREE different ways:
1) The notorious “YAHOO COUNTER” is being injected into the FOOTER of every file.
2) The .htaccess file: an .htaccess file in the root of every site is being overwritten and/or added, redirecting the sites.
3) As of Jan. 3rd 2009, a SECOND but modified version of the “YAHOO COUNTER” iFrame injection is now being injected into BOTH the Header AND/OR Body of every file.

Today an IX Web Hosting customer sent me a link to their site, which was injected with THREE Yahoo Counters: Header, Body and Footer.
The owner of the site told me that the site would take ages to load and would often even time out, and that Google had dropped the site completely from the search engine, penalized because of the “Malware Script”.

Here is a quote from IX Support’s Alex Karamushko:

We currently have a problem with the Yahoo counter hack, but our system administrators and security analysts are working hard to find the exact reason for that problem, and we can assure you that this will be fixed shortly.

After 9 months, I ask myself what “shortly” actually means?!.. Another week? A month? Or maybe 3 months?.. Because I was told by “AGENT IX” that at the rate things are going now, by May 2009 EVERY website hosted at IX will be infected by these injections.

Comments
  1. Jeff Walton says:

    Hi, can you provide links to resources that can be used to check web site files for the malicious scripts, or steps to remove them? Many of the example sites on your blog had either been taken down or cleaned by the hosting provider when I tried to check them for comparison/details.
    I checked Internet Storm Center blog, but their examples may not apply to the infection at IX.

  2. neverixweb says:

    Hi Jeff.
    I’m not quite sure what it is you are asking for, I believe you want to see a “Real Life” example of the injection?

    If so, check this link : http://runholy.com/ : Check source Code at the footer of the page is the Yahoo Counter Script.

    Also note how long it takes to load the page, and you will probably get an “Adobe Acrobat Reader Error Message”

    The funny thing about this website, is that it belongs to one of the IX Web Hosting MANAGERS ( Lauren)

  3. Jeff Walton says:

    Thanks for the info. That live exploit page is too dangerous for me to browse due to the risk of infection.

    I spent some more time googling and I did find some additional sites with tips on removal and identification of existing code here:

    http://forum.cmsmadesimple.org/index.php?topic=27818.0

    Helping IX Web hosting secure their servers.

    http://forum.joomla.org/viewtopic.php?p=1426860#p1426860

    I checked all .htaccess files, and my site files, and do not seem to be infected at this time. I’m running off of their mysql302.ixwebhosting.com server (also PHP5) PHP Version 5.2.6 with register_globals off & allow_url_fopen off as well.

    -JW

  4. Has anyone come up with a proper solution to the problem?

    My http://www.GeordieGabbaMafia.org/main.php file is infected.

    I have raised several tickets with IXWebhosting, all with the same response – make sure you upgrade to the latest versions of your applications – IXWebhosting is 100% secure!

    Grrrrrrrrrrrrrrrrrrrrrr

  5. Cincee says:

    Thanks for all this info. On December 19th our website that was hosted at IXWebHosting was hacked. All folder permissions were chmod to 777. There were files created by a user Ifyalky that had the php version of the injection.

    I also noticed that every php file and html file had changed on my webserver. I noticed either the php injection or the html injection at the end of every single file. I downloaded all the web content and wrote a script to match the injections.

    I loaded new versions of the applications that overwrote the previously infected versions. I then ran a “grep utility” matching on the first 30 characters of the injections using regular expressions. I found the last bit of the files, edited them to remove the scripts, and then checked the database. Now I am clean. No issues.

    I seriously hope I don’t have to deal with this again.

    So I decided to check one of my other sites on a different account still with IX. And it seems that the folders here were changed to 777 also. I fixed that right away but luckily no files were changed when I ran my scan.
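The three injection forms described in the post (footer/header/body iFrame, rewritten .htaccess) and the cleanup routine in the comment above (grep every PHP/HTML file, check for 777 directories) can be turned into one defender-side scan. The following is an added example, not code from the post or from any commenter; the regexes are constructed heuristics for markup appended after `</html>`, zero-size or hidden iframes, and .htaccess rules that redirect off-site, since the actual injected string is not reproduced on this page.

```python
from __future__ import annotations
import os
import re
import stat
from pathlib import Path

# Constructed heuristics (assumptions, not the real IX payload signature):
# 1) script/iframe markup after the closing </html>  -> footer injection
# 2) iframe with zero width/height or display:none   -> header/body injection
# 3) .htaccess directive redirecting to an external URL -> .htaccess takeover
TRAILING_MARKUP = re.compile(r"</html>\s*<(?:script|iframe)\b", re.I | re.S)
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|display\s*:\s*none)", re.I)
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:Redirect|RewriteRule|ErrorDocument)\b.*https?://", re.I | re.M)
WEB_SUFFIXES = (".php", ".html", ".htm")

def scan_text(name: str, text: str) -> list[str]:
    """Return the list of heuristic hits for one file's contents (empty if clean)."""
    findings: list[str] = []
    if name.lower() == ".htaccess":
        if HTACCESS_REDIRECT.search(text):
            findings.append("htaccess-redirect")
        return findings
    if TRAILING_MARKUP.search(text):
        findings.append("markup-after-html")
    if HIDDEN_IFRAME.search(text):
        findings.append("hidden-iframe")
    return findings

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a downloaded web root; report suspicious files and world-writable dirs."""
    report: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        # Directories chmod'd to 777 are a sign of the compromise, per the comments.
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            report[dirpath] = ["world-writable-dir"]
        for fn in filenames:
            if fn.lower() != ".htaccess" and not fn.lower().endswith(WEB_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                text = Path(path).read_text(errors="replace")
            except OSError:
                continue
            hits = scan_text(fn, text)
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    import sys
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against a local copy of the site, not the live server, and treat a hit as a reason to inspect the file by hand; a clean scan does not prove the server-side include the post mentions is gone.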

  6. Cincee says:

    BTW You can tell if the site is hacked by looking at the source of the page. Also I installed firefox and the noscript addon. I saw the 2 ip addresses being blocked: 78.110.175.21,195.264.76.251. First is from Amsterdam, the second is from Luxembourg.

  7. Smurf says:

    I only have the 1 infected file with the Yahoo Counter injection, main.php

    Any ideas how to fix this?

  8. neverixweb says:

    I would re-upload the original main.php, overwriting the infected one. But if you have made changes to main.php, you could just remove the injected code.
    Remember, this code “Calls” the server based code / iFrame that will appear on EVERY page.

  9. Nan says:

    IX Web Hosting here as well. The Yahoo counter script appears at the bottom of every single page. I’ve looked through every single table using phpMyAdmin and cannot find the source of the script. Any other ideas, other than to nuke the whole thing and re-upload?

  10. Smurf says:

    I have re-uploaded main.php many times but the infection just seems to fire into it.

    I can only see the code when ‘Viewing Source’ on the web page, not when I open main.php on my PC.

  11. Here is the transcript from a tech support person at IX. Talk about transferring the blame…

    info: Please wait for a site operator to respond.
    info: You are now chatting with ‘Igor Mukhin’
    Igor Mukhin: Welcome, my name is Igor, please let me know how can I help you today?
    you: Hi Igor, sorry we just were chatting. the issue with no access to my website only occurs when doing a general google search, not when searching by company name in the search bar. the domain name is highlystrung.net.au
    Igor Mukhin: Your site is infected, you will need to download the content to your local machine and scan it for viruses then upload it again, after you will need to scan your computer from which you have update your site, if it will not help you will have to ask Google for clarifications
    you: we have an imac computer with no virus programmes installed for this purpose. so what can we do. we are not technically able to perform these upload and download functions ??? What does this actually mean and if we ask Google for assistance, what should we say to them.
    Igor Mukhin: Most of hackers’ attacks are usually done through vulnerabilities of website software which you are using (like forums, blogs, CMS). We cannot keep them secured as we are not the developers of such kind of software. From our side, all server-side software (web services, FTP services, etc.) we are keeping up-to-date and protected. Anyway, it is strongly recommended to review everything that you have in the website folder and check web server logs to determine the way you may protect your application. I regret but it is impossible to find how those attacks are happening.
    Igor Mukhin: Also regarding prevent it in future:
    Igor Mukhin: Please also change your ftp passwords to more strong and a password to your control panel as well. Also please check if you don’t have 777 permissions on directories and folders, as it is unsafe.
    you: We do not understand any of that, although we appreciate your assistance and kind help. We will have to keep this information and give it to someone who is more computer literate. none of this information make sense to us, but thanks anyway.
    Igor Mukhin: You are welcome
    Igor Mukhin: Please feel free to contact us if you need further assistance, we are available 24/7.
    you: ok, thank you but we may now change our web hosting to someone in Australia. Your advice is of no use to us as we need technical support and help that is more practical and immediate.
    info: Your chat transcript will be sent to ******_antiques@bigpond.com at the end of your chat.

  12. Mary says:

    Wow… three out of five sites are down, and I am desperately trying to find another host.

    This is HORRIBLE! Thanks for the heads-up.

  13. rockaclimba says:

    We are not happy with it and want to quit. We would like to apply in writing for a refund and I suspect that they won’t… because every second day our websites are down and we are getting hanky-panky replies.

    I think someone should knock the law now !
