Aw, not this shit again! I think it was last…September or October of last year before our sites got hit with that stupid injected code, but I know there were people getting hit with it as far back as August. AFAIK, it’s not exactly “malicious”, as in “will email goatse to your boss, cause your computer to explode, then screw your wife, steal your car, shoot your dog and burn down your house” (it’s a spam script, I believe), and removing it is simple enough–just find the file that was modified at a time you didn’t modify it, and search for the script (which will always have the site name tagged on the end, like “bettatude.com”, so it’s easy enough to find the string), then remove the code and upload the clean copy, but that’s not the point. The point is that it’ll be back again in something between a day and a couple of months, and there’s not a goddamned thing we can do to stop it as long as our sites are still on IX’s old servers. At first, IX blamed the users for having infected computers, then they blamed user-set directory permissions, and basically, they’ve blamed everything except the actual culprit…permissions on their own servers. The code is on their servers, and as I understand it, can hide in image files, and it injects a script into users’ files on WordPress, phpBB, and others. When someone views the page and the script runs, it calls up the code on the server and does…something. I don’t know what, since I’ve never let it run on a Windows machine at all, let alone one without proper protection, and the couple of P.’s users who’ve encountered it and been aware of the fact (his users aren’t exactly tech-savvy) have had the whole site blocked by their anti-malware. Whatever it does, though, it’s not supposed to be on the goddamned server, and if they’d even so much as properly secure their goddamned servers, at least the only ones affected would be the users whose own computers were already infected. They don’t, though; I think it’s that they have permissions set up somehow that if someone has access to one account on a server, they can access them all. Dunno, but I think that’s what I’d read. We users can’t just change permissions on every file to read-only because that will break the site’s functionality, but that’s what we’d have to do in order to avoid being infected. P. said that when he called and told them he wanted to be moved to their new servers, they said they’d do that (the new ones are more secure and don’t have the permissions issue), but that’s going to mean both of us making backups of absolutely everything on all of our sites, then putting it all up on a new server, and waiting for DNS to propagate. Kind of a pain in the arse, but I’d do it anyway…if P. would get his stuff backed up so we can make the move. In the meantime, all I can do is watch the little NoScript icon in the lower right corner of FF every time I go to one of my blogs or even the main page (which is actually only a joke with javascript “Click to enter” buttons that avoid the mouse so you can never “click to enter”…not that there’s anything to enter) and if I see that anything is being blocked, then I know I have to clean that godforsaken script out again because only bettatude.com itself is allowed to run scripts. Anything else that tries is blocked, and it will show that it’s blocked, and I know that when I look, I’ll see that “add-filter-block.info” is trying to run a script. FFS…IX used to be a really good host, but it’s been months now and they’ve still done nothing to fix it except for recommend that users change their FTP passwords. Christ, how many times am I going to have to change my fucking password before they grab a clue and remember that they’re supposed to be a professional web-hosting company???
Well, the affected pages are cleaned of scripts. Time to go change my FTP password…AGAIN.
Gawd…IX apparently sucks so bad that there’s an entire blog site on WordPress devoted to its suckage. Fuuuuuck.
