IX Web Hosting, .htaccess Redirect, SQL Injection and Banned by Google

Posted: July 9, 2009 in IX Web Hosting
Tags: , , , , , , , , , , , ,

This week has been a complete disaster for 1000’s of IX Web Hosting’s  customers.

reported-web-forgeryx

A new wave of the .htaccess injection is affecting 1000’s of sites, but things just get worse and worse, Google is flagging sites hosted by IX Web Hosting because of the sites being redirected to infected sites.
Some customers sites are even getting “Splashed” by Google with “‘Reported Attack Site’ ” can you imagine spending YEARS building up a reputation and then having your site and your reputation  Destroyed because of a hosting company that after 10 MONTHS!! still cannot and has not fixed this security issue…

10 MONTHS!!!  IX WEB HOSTING… You should be ASHAMED!!

Here is an example of someone who has spent YEARS working hard to build a (basic) website and a reputation, and all was lost…

This is the third time I’ve requested review and had it result in a continuation of the ban. I’m a simple artist trying to make a living while going to school. My reputation is being destroyed by this, as well as my art. I’m not a programmer but I know my html that I wrote for my site, and it’s ridiculously simple. All the 3 pages, even though it was said there where 5 pages, that were listed in webmaster tools were the same exact html files I wrote. These were:
 http://www.****art.com/ADAbout.html
http://www.****art.com/ADBreedKirin.html
http://www.****art.com/Itemhtml/directions.html     { Links killed by neverix}

I’ve downloaded and looked at the code of each of these, finding nothing wrong with them.
I also have called my Host, IXwebhosting, who crawled through my site and looked at my files. They said they couldn’t find anything either and that there seemed to be nothing wrong. They also said the ‘Reported Attack Site’ html page google slapped on top of my index wasn’t showing up for them. I had posted once on this forum before with the question: ‘WHERE is the malicious code showing up,’ and I was told how to submit a review. Google is ruining my reputation, my site, my client base, and wasting my precious time. I don’t know what to do anymore, because nothing I have done seems to have worked. I re-uploaded my site, changed permissions to 444, removed any kind of php and unnecessary files, changed my two user passwords to more secure ones, and everything else I’ve mentioned in the above text. I don’t know what else to do. I’ve spent years establishing that site and it’s reputation…years now wasted and ruined.  Please someone help me.

I hereby invite IX WEB HOSTING to send me their side of the story about this issue, I will post it on this blog for everyone to read…  It’s only fair to hear both sides of the story.

And NO, this is not just a “One Off”  see 1000’s more : http://www.google.com/search?hl=en&safe=off&q=%27Reported+Attack+Site%27+ix+web&start=0&sa=N

 

Advertisements
Comments
  1. Jeff Walton says:

    In the screenshot example, *20.132.***.2** is actually not an IX registered IP address, you might want to check with the source that provided that IP address screenshot.

    It appears to be an IP address in Taiwan.

    I used the following lookup site:
    http://centralops.net/co/DomainDossier.aspx?addr=*20.132.***.2**&dom_whois=true&dom_dns=true&net_whois=true

    Can anyone provide an affected/blocked IX IP address, so this can be sorted out? Hopefully can be cleared up with Google as a false positive so no further IX customers are affected.

  2. root@ix says:

    to the person with the example: what is the ticket number that you opened with IX in regards with this problem? If you indeed opened a ticket, I will make sure google removes the warning ASAP. If you didn’t… oh well… I can’t help you if I don’t know about the problem. Nor can my colleagues. So far I didn’t have a single unsatisfied customer after his/her problem got to me via regular channels (tickets) or via email obtained from the owner of this blog. I can copy/paste a few praises here if you want.

    To neverixweb: The IP address with 220.132… does NOT belong to IX. if you’re going to post screenshots of so called IX failures, please make sure they are at least half true.

  3. neverixweb says:

    @ Root, The site of the image IS hosted with IX, the IP that is flagged is NOT, it is being re-directed from an IX customers site to the flagged IP.
    This is what the .htaccess does

  4. neverixweb says:

    @ Jeff Walton, The site of the image IS hosted with IX, the IP that is flagged is NOT a IX site, it is being re-directed from an IX customers site to the flagged IP.
    This is what the .htaccess does

  5. root@ix says:

    okay, so what’s the site hosted? anything can be fixed this days you know. And if i know what the hosted site is, I can find out how it was hacked, and if it’s IX fault or customer fault. And I will gladly post results here.

  6. Ysayde says:

    The reply above that mention IXwebhosting was my own, and I had no idea it was featured on the front page of this blog without my consent.

    I never “sent in a ticket” I merely called IXwebhosting. The Complaint I have is more with Google than it is with IXwebhosting. If you want to help, and God knows I need it: http://www.google.com/support/forum/p/Webmasters/thread?tid=2a2324104942560e&hl=en That is the place you can contact me.

  7. Mike says:

    They STILL haven’t figured this out yet?

    OMG.

  8. Mike says:

    Ysade, why would your complaint be with Google? They aren’t the ones who allowed your site to be hacked.

  9. Ysayde says:

    My complaint is with Google because I have FIXED my site and they refuse to talk to me or remove the ban. Every time I submit a review it turns out to be different pages, a different number of pages, and no explanation. Not only that but I don’t get redirected at my site, no one else has since I fixed it, yet Google is still being redirected to some IP which isn’t even close to mine. Google is ignoring me completely, IX is still trying to help my site.

  10. neverixweb says:

    If your site is being redirected to another site, then you have NOT fixed your problem, or let me put it this way,.. your problem has not been fixed. Your site and code might well be squeeky clean, but the server that your site is on might not be as it should.
    If your site is being redirected to another IP, and it is NOT your .htaccess, then it is probably the IP split filter IX is using to split multiple IP’s on a shared hosting enviromont , the filter is not doing it’s job, and your site is now pointing to another address… This is NOT Googles Fault, and it is NOT your fault… It is your hosting’s fault.

  11. root@ix says:

    @neverix: please do NOT make such assumptions if you don’t know what is going on.

    IX does NOT use any “ip split filter”, customers get dedicated IP addresses for their sites by default (they can chose to use shared IP address, but that’s rarely the case as there is no extra cost for dedicated IPs, plenty of dedicated IPs are included in the plans).

    As of today, there is a ticket open for Ysayde (ticket id: 983821) to follow his problem (I was going to open the ticket myself, but the customer beat me to it 🙂 ). I am personally working on the ticket, and his site WILL be unbanned.

    I don’t deny security problems we had, but I like to believe that we solved most of them and now I am doing damage control (trying to fix customer issues that were caused because of our neglect/incompetence). I think users are not going to be unhappy after I’m done with this.

  12. neverixweb says:

    @ Root. .. I DO know what is going on, and I can guarentee you that IX DOES use a Split Filter!!.. Customers get 8 dedicated IP’s with their buisness Account, If a customer hosts MORE than 8 sites, they get a SHARED IP, that is SPLIT… so please do not say IX does not use a splitter!!

    I hope IX, with your help is on the road to being a reliable host, as it was 2-3 years ago.. AND take my word for it, SACK most of the stuck up ignorant and rude support.. ( not all of them) that have not got a clue about the hosting world, and do not care what is going on.

    Keep up the good work.

  13. root@ix says:

    @neverix:

    let’s not call it Split Filter then. It’s a different technology. If you get a shared IP for your site, the “splitting” is done by apache virtualhost, so not a splitter per se. It’s implemented in HTTP/1.1 and above 🙂

    The problems with redirection that we see now have nothing to do with server configuration (security for that has been tightened). All the problems that still exist are in customer config and .htaccess file (and by that I am not saying it’s customer fault, don’t misread me). As this is not a server-wide issue, we can only fix it on case-by-case basis. And we are fixing it.

    As far as the ignorant and/or rude support is concerned… that is in the works. Please bear with us.

    Now i will go to sleep. It’s 4.15am here, and I have to be back at the office in 4 hours.

  14. neverixweb says:

    @ Root… Not a server side issue?.. are you serious?.. When does it become a server side issue?
    1 in 5 websites on that server are infected (and this is only those sites that google has flagged). That is a very high percentage… This IS a server side issue, or at least it is for all the customers hosting on it!!..
    You know where I got these stats from, so I will not yet post the link. Also I am researching something, including 6 huge security faults with ix web hosting.. I am waiting to hear back from IX ( I sent the details) before I post the report.

  15. root@ix says:

    by server issue I mean an issue that happens because of a server software or configuration bug. While I don’t deny there were issues that could have caused this in the past, at the present time the server configuration is rather secure, and there is no single issue that I am aware of through which a malicious user could cause harm to all the people on the server.

    As far as 1 in 5 websites… how did you get to this number? And don’t get me wrong, we are doing our best to clean all the files infected.

    About your research, maybe if you contact me with it, I might be able to help.

  16. neverixweb says:

    @ Root.
    You can see the problems you are having on that server at

    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?&site=AS:32392

    Do the math, and it is about 1 in 5 ( just under) but remember these are only the sites Google has crawled.

    The last time Google tested a site on this network was on 2009-03-11, and the last time suspicious content was found was on 2009-03-11.

  17. ysayde says:

    Thankyou Root!

    So far the Ban has been lifted! I just hope Google doesn’t pull another trick like they did last time where they declared it clean and then put the ban back on 4 hours later.

  18. IXSupport says:

    Ysayde, I’m so glad you’re site was delisted! We talked on the phone the other day, and I was very upset that you were having to deal with this. I sent this to root that very day, and he was able to get it corrected. Now, we will be able to do the same for other customers having the same issue. Have a great day and thank you so much for calling support @ IX!

  19. Robert says:

    ———————————————–
    @ysayde:
    Is your website still unbanned by Google ?

    ———————————————–

    When I saw IX’s hosting plans, I knew right away that I wanted to host with them.
    But I forced myself to research them first.
    I was shocked by the horror stories, especially at webhostingtalk.com. It is like an oil disaster, and will be diffoicult to remove from the web. I asked myself how come this company is still in business ?

    I took note of where most IX refugees said that they would flee to, or I looked it up at http://whois.domaintools.com/google.com.
    Just replace google.com for the domain you are looking for less the www.

    To be fair I researched some other “more popular” hosting providers.
    What’s so funny about this whole thing is that many of the so called “IX victims/refugees” fled to Hostgator, which around the same time was hacked itself and making amends : http://www.google.com/search?hl=en&q=%22hostgator+hacked%22&aq=f&oq=

    In the above link replace hostgator with servage or yahoo :
    http://www.google.com/search?hl=en&q=%22servage+hacked%22&aq=f&oq=

    There are more, believe me.

    I was in doubt, and I postponed my plans to move hosts.
    I’m hosting with servage right now and they charge EUR 19.95 per dedicated IP.
    We’re one month later know.
    This week I contacted the owner of Pro Developer by email. Because he left a favorable review at http://www.ixwebhostingreviews.com/
    http://www.ixwebhostingreviews.com/review/ixwebhosting/4124
    There are both negative and positive reviews there.
    The owner actually ridiculed the people who were complaining about IX.
    I asked him if todate he still felt the same about IX as he had written in that review. He confirmed that that was the case. And that he only had to advice a couple of customers to look elsewhere because their websites were getting too busy for shared hosting.
    BTW this website ixwebhostingreviews has nothing to do with IX Web Hosting. Just click the link above the reviews named “For the list of Best Hosts By User Reviews Click Here!” and you’ll see it.

    So today I decided to go for it and try out the response of their chat with some simple questions.
    CET 13:48 – 13:54 : I started a chat session with a gentleman named Oleg if I remember well. Asked him if I could contact IX by email, because I had about 15 questions to ask or else copy paste them in the chat session. He advised me to register at their help desk and open a ticket for the questions. I didn’t like that, but I did it because I wanted to find out. My ticket# and questions were confirmed and copied back to me by email almost immediately.

    I wanted to ask a couple of more general questions (about the 3 free domains), so I started a new chat session. CET 14:05 : A lady called Lilly, responded and answered my questions promptly.

    It took IX until CET 19:55 to respond to my ticket (Krystel). Almost 6 hours. Not good. But I thought maybe they give priority to existing customers, or no one available.
    And it was only to notify me that the ticket was forwarded to the department concerned.
    CET 21:17 : Finally all 15 of my questions were answered (John R).

    I don’t care too much about the slow response time. It was the same at Sewrvage ehen I started out with them and it got better.

    IX staff showing up here out in the open, admitting to faults on their side in the past, and offering help to resolve problems of customers with Google, can only be commended. They could also have laughed and kept quiet, because they themselves were smeared almost everywhere on
    the internet where there is talk about hosting.

    Because I pais up until December for hosting at Servage, I’ll leave just one website hosted there because that one is in hiatus anyway, and move a couple of new startups to IX.
    I’m going for the Unlimited Pro for 2 years. With the affiliate link from the owner of Pro Developer.
    It will cost me just about ten Euros more, than one year hosting at Servage, and I can give most of my websites a dedicated IP.
    Which would have cost me a small fortune at Servage.
    ( a saving of 15 x EUR 19.95 )

    Robert

  20. Paul says:

    I have been with ixwebhosting for three plus years. Have had little or no problem untill the last three weeks. Three of my sites have been hit with phishing. All were fixed by ix or me promply.

    The problem is that even though I have removed the sites from the net, they continue to be hit (the domain is still with ix). I had to complete remove the site plus domain to stop the reinfections. Drives you crazy.

    Two time now, I have called the 800 support number and have been referred to a sex talk site number by a recorded message. This is hard to believe, but true. Someone has it in for ix.

    It is a lot of work to move, so, I am hoping that ix will get their act together. Their plan is hard to beat with the free IP addresses. However, it looks like you may get more than you expected.

    If anyone knows of a good reliable host, I would like to hear about it.

    Paul

  21. Adele says:

    @Root

    I have just recently been hacked and blacklisted almost immediately by Google

    I complained to support as soon as we new a virus was on our site.
    15hrs later we got a reply

    Dear Adele,

    Thank you for bringing this issue to our attention. We have addressed the ticket to our System Administration Team. They will clean virus injection from your account and search for possible source of infection. After all researches and cleanups are complete we will contact you with the update via this ticket. Note that such kind of virus most often comes via FTP from an infected PC. So we suggest you to scan your local PC for viruses and change your FTP password after scan is complete. Should you have any further questions or concerns regarding this, please feel free to let us know.

    Sincerely,
    ———————-
    Taras Rybalko
    Technical support
    Ixwebhosting.com

    We managed to clean the virus from the site and get unblocked within 24hrs, this cost us £1000’s in lost business.
    I really need to know that I can rely on IX to provide a reliable secure hosting service.(if we had this problem in our busy period it would have been a disaster)

    I still haven’t had a response from support regarding this issue.

    What really annoys me is after reading supports reply we blamed a third party programmer for the infection, which we now know to be wrong. As previously posted it seems that support is only to ready to blame others when they know what the real problem is.

    This infection was on 18th May 2009 it doesn’t seem to be getting any better. What can we do to ensure that our site is still visible in the future.

    As Paul previously said we have had no problems for ages untill our .htaccess file was compromised and redirected all search engine enquiries to a bogus site for virus protection plus this issue.

    Adele

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s