IX Web Hosting, Script Injection and banned by Google 2

Posted: March 11, 2009 in IX Web Hosting

So many people are being banned by Google and cannot find the source of the injection.

I have previously posted on this blog WHY you cannot find the code: because the code is NOT on your page. The code can be anywhere on the server (I have posted 3 links to the code that was hidden as a .jpg). The code added to your site is actually an iframe, so what you should be looking for is a small snippet of code that calls the script (check your config, header, footer, index.php etc.: ALL the files that get called on every page).

Yesterday someone contacted me with this issue; that person was also banned by Google and had spent weeks trying to solve this problem. They finally found the code in the CONFIG file (thanks to this blog).
The site is now clean, but it will only be a matter of days before it is injected AGAIN!!

Here is the post I posted in December last year:

Hundreds of IX customers are contacting me to ask about the injected script (posted in a previous post). They are asking me HOW to remove it, because they cannot find it…

The Reason they cannot find it??

Because of a MASSIVE SECURITY ISSUE on IX WEB HOSTING’s SERVERS!! The script is NOT actually put onto any of your pages; the script is actually hidden somewhere on the server.

So far I have found 5 “seeds” .. These are the codes that are appearing  in  over 100,000 sites

( These have now been removed by ix web hosting but as you can see, the actual file is well hidden and disguised as an image. REMEMBER, this is where the files were stored that YOU can see on YOUR pages )

Remember to view the “source code” in the above links.

Very interesting is the second “seed”, which is actually in an IX standard “modlogan” folder that is chmod 700 as standard.

Secondly it should not be possible on any shared server to inject this script onto EVERY file on that server. The fact that this is happening means that IX web Hosting has not got a clue how to protect their servers, and customer web sites. 

So as you can see, this script IS NOT actually put into your script, which is why you cannot find it. HOWEVER, somewhere on your site there is a bit of code “calling” this script, and that appears in your pages.
Check ALL the pages that get called for every page, i.e. header, footer, index, config, sidebar etc.
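The check described above, as an added example that is not part of the original post: a Python sketch that walks a site's files and flags invisible iframes, script or iframe markup placed after the closing html tag, and image files whose first bytes are not image data. The suffix lists, rule names, the sample site and the `seed.invalid` host are all constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

PAGE_SUFFIXES = {".php", ".html", ".htm", ".inc", ".tpl", ".js"}
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",)}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Zero/one-pixel dimensions or CSS hiding: an iframe the visitor never sees.
HIDDEN_RE = re.compile(
    r"(?<![-\w])(?:width|height)\s*[:=]\s*[\"']?[01](?:px)?(?=[\"'\s>;])"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SRC_RE = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.I)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.I)
ACTIVE_TAG_RE = re.compile(r"<(?:script|iframe)\b", re.I)

def scan_page(text):
    """Return (rule, detail) findings for one page or include file."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        if HIDDEN_RE.search(tag):
            src = SRC_RE.search(tag)
            findings.append(("hidden-iframe", src.group(1) if src else "(no src)"))
    closes = list(CLOSE_HTML_RE.finditer(text))
    if closes and ACTIVE_TAG_RE.search(text, closes[-1].end()):
        findings.append(("markup-after-html-close", text[closes[-1].end():].strip()[:60]))
    return findings

def scan_tree(root):
    """Map relative path -> findings for every suspicious file under root."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        suffix = path.suffix.lower()
        found = []
        if suffix in PAGE_SUFFIXES:
            found = scan_page(path.read_text(encoding="utf-8", errors="replace"))
        elif suffix in IMAGE_MAGIC:
            head = path.read_bytes()[:8]
            if not head.startswith(IMAGE_MAGIC[suffix]):  # e.g. script saved as .jpg
                found = [("not-an-image", repr(head))]
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

# Constructed sample site (not taken from any real incident).
SAMPLE = {
    "config.php": b'<?php $db = "x"; ?>\n<iframe src="http://seed.invalid/a.jpg" width="0" height="0"></iframe>\n',
    "index.php": b'<html><body>hi</body></html>\n<script src="http://seed.invalid/b.js"></script>\n',
    "about.html": b'<html><body><iframe src="/map" width="400" height="300"></iframe></body></html>\n',
    "img/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "img/banner.jpg": b"<script>/* constructed */</script>",
}

def scan_sample():
    # Write the constructed site to a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(scan_sample())
```

Pointing `scan_tree` at a local copy of the document root gives a list of files to inspect by hand; a visible, legitimately sized iframe such as the one in `about.html` is not flagged.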

So far I have evidence and have proven that the following IX servers running the following databases are seeded:

  • mysql33.ixwebhosting.com
  • mysql15.ixwebhosting.com
  • mysql27.ixwebhosting.com

If you know of any others that are seeded, please let me know.

Hope this helps

:: Some people have contacted me to tell me that the injected script is (also) injected into the database, and in some cases a new table is created.
I have checked 9 databases of infected sites and have not yet come across the script in my databases, so I think that this might be “script” related; maybe some scripts such as PhpBB2 allow this to happen. I therefore recommend searching your database for the script as well ::

=================================================================

This issue has now been going on for more than 10 months…. 1 year this May.. Will IX Web Hosting be celebrating  this milestone?

Comments
  1. IXsupport says:

    The files in your examples do not exist. Please supply other examples of this type of hack or “seed” so that we can look into this issue. We are taking a very serious approach to any new tactics that might be used by hackers.

  2. IXsupport says:

    The most important thing is that you request a re-scan by Google. We have run scripts to remove javascript injection from customers’ pages. The only thing that needs to be done is to request a re-scan by Google. If you have any issues after you have done this, please call our support so that we can help trouble shoot your issue.

    Also, this snippet of code will be in your files. It is not at a server level but within the code of the files itself. I, myself, have not seen this injected into a jpg file, and (I would love an example of this), but it is injected into the top and/or bottom of the code in individual files.

    As stated, please visit Google’s webmaster tools. The link will be on the diagnostics page. Please call our support if you have any questions on this procedure.

  3. neverixweb says:

    As stated in the post, the files NO LONGER exist, although it did take IX 9 months to delete them, even though I gave you 5 links back in May 2008… and as I just mentioned, this is NOT a new tactic, it has been going on for almost a year.

  4. IXSupport says:

    Do you have an example of the iframe injection?

  5. neverixweb says:

    Visit
    http://www.grandcanyontoursvacation.infoslobber.com/

    Check the config.php file and it will point you to the culprit on
    NS1.IXWEBHOSTING.COM
    NS2.IXWEBHOSTING.COM

  6. Salty says:

    I’ve had this problem too. The problem followed me from ixwebhosting to bluehost. I did some digging around this morning in my database and on the phpBB main site and came across this thread.

    http://www.phpbb.com/community/viewtopic.php?f=46&t=1322765

    I had the exact same experience as the guy who found this code in his site description in the ACP. Check there and in the phpbb_config table.

  7. concernedffiliate says:

    I have a habit of trying each new service i promote and MY GOSH I am so disappointed with IX webhosting. There’s no way I will host my sites with them at all?

    “unfortunately you can only install wordpress on the root of your domain manually”… so what are the easy apps good for?!?

    bad idea… jeezez cries. Thanks to the guy who put up this site for all of us. NO MORE to IX.

    I just reported several sites for attack/virus problems… are they all with IX i wonder…

  8. IXSupport says:

    I was able to get some examples of iframe injection from one of our customers. Although this hack was done in February, I have sent it to our admins to make sure this type of hack was also addressed.

  9. root@ix says:

    @concernedaffiliate: I am sorry about your Easy Apps issue. It is a known issue that we’re going to fix. However, I don’t expect this issue to be fully fixed until our new control panel release which will happen sometime in August for the new customers, and by the end of the year for existing customers.

    With this new release, we will also fix a lot of other issues, and I am very excited about what’s to come. An “official” announcement is expected mid-may. Since this is not yet “official”, I cannot disclose more info at this time. Please understand this.

  10. Jonathan says:

    I have several sites hosted at IX, all of my CMS sites were injected with a js code this am. Also after the closing html tag in a couple index.php files. For CMS I use Silverstripe, and the file affected was main.php in the Sapphire directory which is 755 and the actual file itself is a 644. How can someone inject into these files without having direct access at a higher level than we as the consumers do? IX blames keyloggers etc… They are baffled when I say, I AM ON A MAC. I know that they care, they of course do not want to be bankrupted. But, do they care enough to do something sooner than later this time? Do they care that we no longer want to hear excuses?

    I am sick of having to take code out of files and search for code that I did not write. I catch it 1st day always and spend next two fixing sites. I do not make enough reselling their crappy slow-ass hosting to spend anymore time fixing the problem they can alleviate by hiring someone who knows what the EFF they are doing to fix their broke-ass shared hosting system. I left ipower because of speed issues two years ago, they have now fixed their servers and I may just go back until IX can develop the courage to do the same.

  11. neverixweb says:

    @ Jonathan..
    Can you please let me know when the last time was that your site(s) were injected, and on what IX server are your sites hosted… Also very sorry to hear IX is STILL blaming Keyloggers.. whoever told you it was Keyloggers knows Jack Shit what they are talking about…
    Please forward me the above info..
    Thanks.. and good luck

  12. root@ix says:

    @Jonathan:

    Please either open a ticket and ask in the ticket that I would take a look at your sites (my name is Tiberiu), or just email me and I will look at your sites. I don’t publish my email address, but I am pretty sure neverix can give it to you.

    Also, it will be helpful to let us know who you talked to if you did on the phone or on live chat.

    Our first level support is not the greatest (to say the least), but we’re trying to improve it. I will make sure your site is cleaned, and I will check to see how your sites were infected. There are many possibilities, some might be our problem, some might not. My personal blog (http://blog.bridgephoto.net) was infected with a JS injection when I updated (changed) the theme, and the injection WAS IN THE THEME that I downloaded. Of course I cleaned immediately and I notified the theme developer. I am not saying this has happened in your case, but that is one of the possibilities.

    Anyway, your problem is OUR problem, and we will do all we can to fix it.

  13. root@ix says:

    @Jonathan: I opened the ticket 990041 for you (assuming the link in your signature is one of the domains you host with us).

  14. root@ix says:

    @Jonathan: I resolved the ticket 990041. I indeed found a way a malicious user could have infected your files. I sent you the details in the ticket. However, scanning all your files I did not find any other malware / infection. Should you have any more problems, please reply to the ticket. I am subscribed to it and I get all your updates.

    thank you.

  15. Brian says:

    A site visitor alerted me to an iframe injection on my site. This is the third such attack within three weeks.

    Each time that I created trouble tickets (I doubt I will this time, I’m just going to find a new host) the tech suggested that it was a virus on my end. Then I’d explain that I’m on a Mac. They would then say it was third-party apps on my site, malicious PHP, etc. I would counter with the fact that there is only one piece of third-party code on my site, a CGI-based forum that is not linked from anywhere on the site.

    My research has shown that the pages affected (usually 9 or 10) directly corresponded to the top entry sites as reported by Webalizer. My hypothesis is that the attacker uses the easily-accessed Webalizer information to target the most popular sites and get the best results.

  16. root@ix says:

    Brian, I would gladly help you, as I helped many people that complained here, and even more people that actually opened a ticket in regards to their issue.

    Can you please give me a little bit of information on how can I identify your site?

    Tiberiu

  17. Jonathan says:

    @root@ix

    TY for responding to me via this comment. We were attacked again 2 times since you looked at our code. I have not been logged into IX support tix yet, will look now and reply via that ticket so you get updated. Thanks again, I knew there was someone that cared. However, again, we are facing the blame and were just told same thing on phone again this morning.

  18. Brian says:

    I just felt like there was no point in creating a ticket after being through the futile process three times. I’ve basically resigned myself to having to supervise and routinely “clean” my files as long as IX is my host.

    Thank you for your offer.

  19. root@ix says:

    @Brian: I looked through your tickets, and then I tried to find the strings you mentioned there. I could not find them at all. Are you still experiencing problems? If yes, let me know and I will try to help you.

  20. Brian says:

    I’ve already cleaned the offending code from my pages, so there are no issues other than the fact that attacks have occurred four times since I began hosting with IX in May 2008. Compare that with the same site being hosted elsewhere for over six years with zero attacks.

  21. inapickle says:

    I’m in a pickle here. I just bought ix hosting around a week ago. Must have had the worst luck ever, to find a review site with old reviews, because they were all good.

    Now I don’t know whether I should try my luck with the 30 day money back, and hope my only loss will be the $20 they steal for the domain, or I should stick around hoping that they will improve. If it’s gonna take most of the year for anything to happen I don’t really feel like staying. This is my first foray into hosting, and I don’t want to deal with sh*t like getting my page hacked or emails getting lost.

    But if I change I don’t have the slightest clue where to. After reading reviews from other sites they basically all suck, or are very expensive (at least $10-$20 per month). I’ve seen a lot of comments saying they’ll switch, I’d like to know where to because I’m lost.

    In one place you’ll see someone say hostgator is great, then in another you’ll see comments of users ripping them to pieces, and that goes for pretty much every provider I’ve seen so far.

  22. root@ix says:

    @inapickle: Just so you know, you’re not really in a pickle.

    First of all, new customers always go on the newest servers (we buy servers as we need them, so customers that signed up this year are hosted on more powerful servers than the customers that signed up last year, or 2 years ago, because the new servers are a new generation).

    Second, the service is not that bad. I am not saying it has always been great, or that it never sucked. We had ups and downs, and it is my belief we’re on an upturn now.

    Third, except for the 30day money back guarantee, we also have an anytime money back guarantee, so after the first 30 days, if you want to quit your money will be refunded, except for the part you have already used. (So if you paid in advance say $191 for 2 years for the Unlimited Pro plan, and you decide to leave after 2 months, you get $175 back – numbers are rounded).

    Fourth… check out our shiny new blog at http://blog.ixwebhosting.com and comment. All the comments there are read by management, system administrators, cr reps, and even the janitor 🙂 So your voice can and will be heard

  23. inapickle says:

    Thanks. Although what even made me look for info again was that after I had signed up, within the first 4-5 days, I noticed my site was down 4-5 minutes at one point. So I thought to myself, if they claim uptime of 99.9% it must be one heck of a coincidence if I already had such a noticeable down time, something ain’t right.

    Then I saw all the negative comments. Since I did experience downtime this early (and have on several occasions also had 5-10 second stalls for loading a simple debug page with tiny, as in 3 record DB, sql output) it does seem that there is some truth to it.

    Then I read about it getting hacked all the time and email getting lost, that really put me off. If people and customers come to my site, and there happens to be some virus or they mail and I don’t reply, it will reflect badly on me, no matter how much I say that it isn’t my fault they’ll still be cautious. Even getting hacked once, is one time too much. The thought isn’t very appealing and makes me nervous.

  24. Ranjjjiii says:

    This ixwebhosting is one crap. I am using it from 1yr the main prob is they don’t have a good support team. Support team don’t understand the ques, i hope they are not technically strong.

  25. Mark says:

    My site has been hacked twice. The first time was a trojan in January that infected my home computer, the second, last night, was simply an advert for pornography. The first time all of the index pages for my five sites was infected, the second time it was the index, link and FAQ pages. Each time it was a java script. Apparently, the injection is done to pages with “generic” names. I called and spoke to IX last night and modified my ticket this morning to tell them about the other pages. I will report back any success or lack of it. I have been on IX for a number of years; these are the first times I have had difficulty.

  26. Mark says:

    I just checked again and found the script was able to create a directory called “ladies”. How the heck can someone else create a directory on my site?

  27. Mark says:

    Well, after working with IX for several days, I am not really happy. Although IX did remove all of the Java script injections for me, the only access they could find was from January (the first hacking). They were unable to see anything for April.

    The tickets went back and forth several times, each time upping the ante for me. First, scan my computer. Then, uninstall the current anti-virus software. load down a different one, and scan with that. Twelve hours later it was “put the computer in safe mode” and then do a full scan. With 1.5 million files, that is a time consuming process. So, in general, while I no longer seem to have any infected files (and my home computer is squeaky clean), I am left in general unsatisfied. My question as to how the May infection happened has not been answered and I had to deal with a new person for each addition I made to the ticket.

  28. Ermal says:

    Hello to all. i found this blog really casually. I have been with ix for 2 years but i had no valuable websites in there. it was just a “testing” host for me.

    I think the problem here are the clients that are very genuine.

    First of all can anyone here please tell me what would they do if half of the world would tell them that killing people is a good thing to do? Also if i tell you that i can sell you a 200K car for 2K would you believe me ?

    COME ON PEOPLE , DONT BE STUPID!!!!

    Today i offer shared hosting too , do you really think i can manage more than 5 clients all by myself with every request and problem they might have ???

    Do you think that someone care so much for you to build a hosting-review website and pay his host and earn 2 cents from Google ads just to tell you which is the best host????

    Also do you expect to really get unlimited bandwidth , space , etc with 12$ a month ?

    Do you have any idea of how much a server costs , how much electricity and taxes has to be paid and how much a person is paid to work in a hosting company? Even if it was only one person working there the costs are too high to give you what they write there , pay all the costs and earn from 12$.

    Have you ever thought that you might be 1K persons in the same server which has a 300GB HD , all of you paying for unlimited space. What will happen when the space will really come to an end?

    If you want my opinion search only forums for good reviews , do not look at review sites.

    I found my hosting that i am using now from 2 years in a forum that i dont want to tell the name because it may seem like i came from there to advertise it.

    Yes its true that i pay more than a shared hosting because it is a Virtual Private Server but i am ready to pay a full year in advance for everyone here that can try my hosting company and have more than 1 minute downtime the whole year.

    They are much more from what i expected so my conclusion is that if you are willing to have a good site pay what its needed to make a good site.

    If you are willing to have just some blog , or a bio webpage that talks about you than just stick with free service providers. they are perfect for little sites like small blogs and biography sites.

    REMEMBER MY WORDS : IT IS NOT ONLY IX , EVERY SHARED HOSTING COMPANY OFFERS 20% OR EVEN LOWER OF WHAT THEY TELL IN THEIR SITE BECAUSE THEY TEND TO MINIMIZE THE SERVICES QUALITY AND TO MAXIMIZE THE PROFITS , INSTEAD OF THE GOOD HOSTING COMPANIES THAT OFFER VIRTUAL PRIVATE SERVERS AND DEDICATED SERVERS AT VERY HIGH PRICES BECAUSE THEY DONT CARE ABOUT 12$ , SO NO MATTER BLUEHOST OR IX OR HOSTGATOR THERE WILL ALWAYS BE MANY MANY MANY MANY MANY UNHAPPY CLIENTS BECAUSE SHARED HOSTING IS NOT WORTH SPENDING MONEY.

    If someone needs suggestions for hosting companies or places on where to look for a good one request my email to neverixweb and email me so i can help you.
