ATTENTION: IPOWER DOMAIN SERVERS HACKED

NyHick
Joomla! Enthusiast
Posts: 240
Joined: Wed Jan 07, 2009 8:17 pm
Location: New York City

ATTENTION: IPOWER DOMAIN SERVERS HACKED

Post by NyHick » Thu May 19, 2011 2:04 am

There are countless sites that are currently reporting malicious code showing up on their sites in the last 48 hours.

The code:

This appears to be directly inserted into database records which would indicate that it most likely has something to do with their MySQL servers.

What I know so far:
Doing a Google search for "" and cross-referencing sites via WHOIS, where the script has been indexed, indicates that every site is hosted on the following Domain Servers:
Name Server: NS1.IPOWER.COM
Name Server: NS2.IPOWER.COM
or
Name Server: NS1.IPOWERDNS.COM
Name Server: NS1.IPOWERWEB.NET

8 out of 8 sites that I cross-referenced came back with one of the above.

Furthermore, there are posts showing up in the Joomla! Forums (http://forum.joomla.org/viewtopic.php?f=267&t=621440) as well as on the WordPress Forums (http://wordpress.org/support/topic/i-di ... range-code) where other users are continuing to experience the same issue.

What does the script do:
To my knowledge, nothing. It comes back with a "Page not found." That is not to say that it won't do anything, it's just not doing anything currently - except causing additional load time by querying to an external URL.

What you should do:
If you have a site, or a client site, that is hosted on an IPOWER server, I would highly recommend that you review your site[s] to ensure their integrity. Furthermore, I would suggest you issue a Support Ticket with IPOWER and continue to monitor your site[s] for changes.

Going through the pain of switching hosting is totally up to you. I am not suggesting or recommending that you stay or move. That will depend on how IPOWER handles the situation. Hopefully they learn from MediaTemple's mistake. Some of you may recall that something similar happened with MediaTemple back in December of 2009 when one of their Grid Servers was compromised. It took them weeks to notify users and months to clean it up!
(http://www.inquisitr.com/47860/the-epic ... e-failure/)

I spent over an hour on the phone with IPOWER support earlier this evening trying to explain to their Support Representative that their servers have been compromised without much success. If that is any indication of how this is going to be handled, I would say we are in for a bumpy ride.

Good luck.
A clever person solves a problem. A wise person avoids it.

dhas
Joomla! Apprentice
Posts: 42
Joined: Sat Dec 30, 2006 12:35 am

Re: ATTENTION: IPOWER DOMAIN SERVERS HACKED

Post by dhas » Thu May 19, 2011 1:24 pm

I was the original poster at http://forum.joomla.org/viewtopic.php?f=267&t=621440. The reason I discovered it quickly was that the code caused random redirects to malware - often the first time a user went to our site it would be redirected but future visits did nothing... when redirected the following would pop up: "Message from webpage - Warning! Your computer is at rist of malware attacks. We recommend you to check your system immediately. Press OK to start the process now...." Hitting OK did in fact start malware infection of the system. Going direct to the offending URL did nothing.

NyHick
Joomla! Enthusiast
Posts: 240
Joined: Wed Jan 07, 2009 8:17 pm
Location: New York City

Re: ATTENTION: IPOWER DOMAIN SERVERS HACKED

Post by NyHick » Thu May 19, 2011 6:55 pm

IPOWER has posted a message on Facebook.
http://www.facebook.com/notes/ipower/co ... 2975667484

Funny, they are blaming WordPress for the issue and claiming that it's a script that is doing it to every site by accessing the wp-config.php file even though we are seeing the hack show up in Joomla! sites.

marinzius
Joomla! Fledgling
Posts: 1
Joined: Mon May 30, 2011 3:54 pm

Re: ATTENTION: IPOWER DOMAIN SERVERS HACKED

Post by marinzius » Mon May 30, 2011 4:04 pm

Hi,

All my sites on IPOWER have been hacked...a JavaScript injection in the jml_content->introtext field.

I see they have put a notice that they have discovered the flaw and that nothing has to be done by us, but I have already spent like 10 hours deleting every line.

They are just an UNRELIABLE host...I'm transferring all my domains to another host.

I would honestly NOT recommend them to anyone...choose some other company otherwise you'll have plenty of headaches :(:(:( ...especially with the mail server...in 3 years it has never worked more than 5 weeks without problems...
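
The integrity review recommended in the first post, applied to the jml_content->introtext field named above, as an added example that is not part of any poster's message: it lists every row whose introtext loads a script from a host you do not trust, so rows can be cleaned from a report rather than found by hand. The in-memory SQLite table, the sample rows, and the `.example` host names are constructed stand-ins for the site's MySQL database; the function names are hypothetical.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSrcFinder(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag == "script":
            self.sources.append(dict(attrs).get("src") or "")

def external_scripts(html, trusted_hosts):
    """Return script src values whose host is not in trusted_hosts."""
    finder = ScriptSrcFinder()
    finder.feed(html or "")
    finder.close()
    hits = []
    for src in finder.sources:
        host = (urlparse(src).hostname or "").lower()  # None for relative paths
        if host and host not in trusted_hosts:
            hits.append(src)
    return hits

def scan_introtext(conn, trusted_hosts, table="jml_content"):
    """Return (row id, src) for every off-site script found in introtext."""
    findings = []
    # table is set by the operator in code, never taken from user input
    for row_id, text in conn.execute(f"SELECT id, introtext FROM {table} ORDER BY id"):
        findings.extend((row_id, src) for src in external_scripts(text, trusted_hosts))
    return findings

def build_sample_db():
    """Constructed sample rows; an in-memory SQLite table stands in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jml_content (id INTEGER PRIMARY KEY, introtext TEXT)")
    conn.executemany("INSERT INTO jml_content VALUES (?, ?)", [
        (1, '<p>Welcome</p><script src="/media/system/js/mootools.js"></script>'),
        (2, '<p>News</p><script src="http://injected.example/x.js"></script>'),
        (3, '<p>About</p><SCRIPT SRC="//injected.example/y.js"></SCRIPT>'),
        (4, '<script src="http://www.mysite.example/js/menu.js"></script><p>Hi</p>'),
    ])
    return conn

if __name__ == "__main__":
    for row_id, src in scan_introtext(build_sample_db(), {"www.mysite.example"}):
        print(f"row {row_id}: off-site script {src}")
```

Inline scripts without a src attribute are not reported by this check, and against MySQL the same query would run through a cursor from the site's database driver.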

