Tip from a reader “How to clean the Yahoo Counter Injection Script”

Posted: February 13, 2009 in IX Web Hosting

Hey buddy,
Nice website. I wish I had seen it before I renewed my contract with the crooks at IX for 2 more years…
Well, I am writing because I couldn't find on your website a solution to clean the infections automatically, so maybe you want to post a solution:

here is what I did:

1 – Download the entire site.
2 – Open an infected file with Adobe Dreamweaver.
3 – Look for the infected code, select all of it and copy it to the clipboard (it starts with “<?php if(!function_exists(‘tmp_lkojfghx’))…”). You must copy ALL the code!
4 – Still in Dreamweaver, click on EDIT > FIND AND REPLACE.
5 – In the FIND box, paste the infected code.
6 – In the FIND IN dropdown, select FOLDER and point it to the folder where your website was downloaded.
7 – Click on REPLACE ALL (Dreamweaver will replace the code with whatever is in the REPLACE box; as we didn't write anything there, it will clean the code).

I found out that all the infected files on my sites had exactly the same code, so it was quite fast to remove them.

Ivan

Thanks Ivan for your feedback, I hope this helps others. Also sorry to hear your sites are still constantly being injected. It’s clear that IX Web Hosting still has not got a clue how to solve this issue, and on top of this they have 3 other major issues to deal with.
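As an added example (not code from the post, from Ivan or from IX), here is a Python equivalent of the Dreamweaver find-and-replace above, run against a downloaded copy of the site: it locates each block by the `tmp_lkojfghx` signature the post quotes, assumes every injected block is a single `<?php ... ?>` segment ending at the next `?>`, is a dry run by default, and flags any block it cannot delimit instead of cutting blindly. The sample page and the `strip_injection`/`clean_tree` names are my own.

```python
import re
from pathlib import Path

# Injected-block signature from the post (straight quotes assumed; spacing and quote style may vary).
INJECTION_START = re.compile(
    r"<\?php\s+if\s*\(\s*!\s*function_exists\s*\(\s*['\"]tmp_lkojfghx['\"]\s*\)\s*\)"
)
BLOCK_END = "?>"

# Constructed sample page (not from the post): injected blocks at top and bottom.
SAMPLE_PAGE = (
    "<?php if(!function_exists('tmp_lkojfghx')){ /* injected */ } ?>"
    "<html><body>Hello</body></html>\n"
    "<?php if (!function_exists(\"tmp_lkojfghx\")) { echo 'x'; } ?>\n"
)

def strip_injection(text):
    """Return (cleaned_text, blocks_removed, unterminated).
    Assumption: each block is one <?php ... ?> segment starting with the
    signature and ending at the first '?>' after it. An unterminated block is
    left in place and flagged for manual review rather than cut blindly."""
    out, pos, removed, unterminated = [], 0, 0, False
    for m in INJECTION_START.finditer(text):
        if m.start() < pos:  # lies inside a block already removed
            continue
        end = text.find(BLOCK_END, m.end())
        if end == -1:
            unterminated = True  # keep the remainder untouched
            break
        out.append(text[pos:m.start()])
        pos = end + len(BLOCK_END)
        removed += 1
    out.append(text[pos:])
    return "".join(out), removed, unterminated

def clean_tree(root, write=False, suffixes=(".php", ".html", ".htm")):
    """Scan a downloaded site folder (step 6 of the tip). Dry run unless
    write=True. Returns {relative_path: (blocks_removed, unterminated)}."""
    root, report = Path(root), {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        original = path.read_bytes().decode("utf-8", "surrogateescape")
        cleaned, removed, unterminated = strip_injection(original)
        if removed or unterminated:
            report[str(path.relative_to(root))] = (removed, unterminated)
            if write and cleaned != original:
                path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return report
```

Run `clean_tree("site_copy")` first to review the hit list, then `clean_tree("site_copy", write=True)` once it looks right, and re-upload the cleaned copy.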

Comments
  1. Jeff Walton says:

    If you are using a mac, the free tool called TextWrangler can also perform such a search & replace on an entire website folder.
    http://www.barebones.com/products/textwrangler/

    Also, here’s additional info on the injected code issue.
    http://wordpress.org/support/topic/205155

    Best of luck to those affected by this issue.

  2. Mike says:

    I was told three weeks ago it would be one more week until the problem was properly fixed. However, to use the new security features I would need to move my sites over to a new server and account.

    What’s really strange is I found THIS in my Apache server stats from IX just today. It’s the top entry page to my site. Huh? An outside page being my top entry page? Yep:

    REMOTE_HOST=dxxx-xx-xx-xx.xxx.myhost.com
    REMOTE_ADDR=xx.xx.xx.xx

    HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/x-silverlight-2-b2, */*
    HTTP_ACCEPT_ENCODING=gzip, deflate
    HTTP_ACCEPT_LANGUAGE=en-us
    HTTP_CONNECTION=Keep-Alive
    SPILL – HTTP_COOKIE=__utma=xxxxxx.590780005489459600.xxxxxxx.1234648090.1234648090.1; __xxxxxxxx; __utmz=21585833.1234648090.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    HTTP_HOST=www.cship.info
    HTTP_REFERER=http://www.example.com/modlogan/m_usage_xxxx_xxx_xxx.html
    HTTP_UA_CPU=x86
    HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322)

    ——————————————————————————–

    REMOTE_HOST
    Result
    Comment
    Maybe no problem.

    HTTP Env. Value
    Result
    NoProxy!
    Comment
    Like no proxy server.

    AnonyLevel : 2?
    Spill your REMOTE_HOST? (1234648090.1234648090.1234648090.1)

    ——————————————————————————–

    prxjdg – created by PRX4EVER
    thanx to Team Cr[y]ackerz

    ———-

    Welcome to IX webhosting hell! For months these guys ruined my sites.

  3. neverixweb says:

    @ Mike

    ProxyJudge is an environment checker, like AZenv or jenv, that can be used to test a proxy server. It is written in Perl. The ProxyJudge script also gives a rating of the anonymity, where 1 is the best and 5 is the worst. It takes a lot of CPU power on the server, so using it automatically should be avoided. You can just surf with a normal web browser to the URL of a ProxyJudge and compare the shown IP with yours, or you can use the ProxyJudges in proxy checker software like AAtools, proxy checker, Proxyrama, Charon or AccessDiver to automatically check whether those free proxy lists on the Internet are working and whether they are anonymous.

  4. root@ix says:

    @ivan: I understand your frustration, but if you ever want to leave IX, we will refund any unused part of the account (so if you paid for 2 years and only used 37 days so far and decide you want to leave, you will be refunded the amount that is equivalent for 2*365-37 days)

    @rest: i understand there are still security issues, but I would like to give you a little bit of insight:
    -> we had issues with javascript injection => we implemented mod_security in apache to prevent this. in the past 48 hours our monitoring could not detect any new JS injections. We have our eyes open
    -> we had issues with the way php was working (eg, if an account got compromised via a php vulnerability or customer script, the attacker could potentially have access to other customer’s folders) => we restricted that. if somebody’s site gets hacked, the other sites on the server are safe.

    there are a couple other issues that we work on, plus we’re working on the cleaning of the malware we detected. However, there are things that we can fix just like that, and things that take time. I urge you to be patient.

  5. montana600 says:

    I was patient, rootpix. For months. Your managers even finally admitted the problem to me and gave me six months free. But what good is free service when I can never trust IX to ever fix any security issue in a timely and professional manner?

  6. Adrian Hoe says:

    My account with IX is going to expire in a few days. I am thinking of leaving IX but don’t know which web hosting is good? Can anyone suggest? I am hosting multiple domains (multiple MySQL for WordPress) under one IX account. I prefer the new web host offers similar service.

  7. darren says:

    I was infected with the Yahoo Counter Virus 2 weeks ago. IX told me it was my fault as some of my files were unsecured. I went ahead and corrected it, and 5 days later the Yahoo Counter showed up again. This time I simplified my site so it was only safe static pages, and sent IX the following email:

    Your initial inquiry:
    In the past two weeks our website has been infected with malware (yahoo counter virus) twice costing us money. Each time your technical department gave me their opinions on how this happened. Since those two bad experiences we’ve made some large changes to prevent anything from happening again. Including:
    - Removed the WordPress blog
    - Removed the forum
    - Allowed FTP under only certain IP addresses and rejected all others
    - All PHP scripts (suggested by you) were moved to their own directory, which is now password protected through Apache
    - All accessible files are CHMOD 644 and folders 755
    - All passwords (FTP and account) are changed

    I need someone from IXWebhosting technical department to go through my website, double check what I’ve done, give any more suggestions, and confirm our website will not be compromised again. I’ve taken every prevention measure on my end and need to confirm there are no more vulnerabilities. I appreciate your time as we cannot afford for this to happen again.

    IX Webhosting Response
    The only thing I can add to the previous suggestions is to recheck and clean all computers which have access to your account. According to our logs you do not have any unprotected files under your account; ftp.allow and deny files are created correctly. Should you have any further questions, feel free to contact us at any time, we are available 24/7.

    The day after this reply I was hit again, same Yahoo counter. I’ve done so many scans on my computer it’s ridiculous. I’m confident this is not on my end, but must be on theirs. I’ll be switching hosting companies tonight.

  8. darren says:

    UPDATE:

    I want to confirm that the “Yahoo Counter” is IX Webhosting’s fault. My previous post (above) explains the steps I took trying to solve the problem. I did indeed switch hosting companies and the problem was solved. I left the IX Webhosting account open just in case I needed to switch back. It’s been almost a month and I’ve logged back into my IX Webhosting account to check the files there, only to find they were infected!!! Let me spell this out for everyone. The nameservers for my domain name don’t even point there anymore! No one from the outside world is viewing the files or even has access to them as they are on IX’s servers. To me, this makes it clear that IX webhosting is responsible for the “Yahoo Counter Virus.”

    If you’re doing research on the cause and solution of this virus, this should be your last stop. The cause is 100% IX webhosting, and the only solution is to switch hosting companies. Trust me.
