Here we go again

About a year or so ago I was having terrible issues with my content getting hacked.  I would contact my web host and they would repeatedly point the finger back at me, saying that my local workstation had to be at fault, the victim of a keylogger or some other malicious program.  I keep my workstations pretty secure so I knew this was very unlikely.

Regardless, I still verified that my computers were clean; they were. This process repeated many times with the end result of IX shrugging their shoulders and again pointing at me as the source of the problem.

Well, finally IX decided to actually look internally. It turns out that a number of their servers had been compromised, allowing hackers free rein to compromise their customers' data. They finally had to admit that the problem was actually theirs. The internet was filled with IX customers complaining of similar compromises to their sites.

Since that revelation things with IX have been running smoothly.  I have had no hacks on my content, until recently.  Once again the target of choice was my blog.  You all can remember a couple weeks ago how Ali’s PC got infected after loading my blog and all of the subsequent bullshit that ensued as a result. 

I never was able to definitively tell what happened to cause the hack, but changing my theme for the blog seemed to address the compromise. Well, once again I noticed a PDF trying to load when viewing the blog. I FTP into my content and see 3 files that were modified yesterday afternoon. I was not in the site yesterday. When I opened the files I saw that a line was added to load a hidden IFRAME designed to redirect people to a shady site.

I deleted the shit code and then immediately changed any passwords that could have given access to the site, although the current passwords were strong and unlikely to be cracked. Iframe injection can occur without the hacker having any FTP access.

I contacted IX about the hack. The first time it happened I figured it could be an isolated incident; to happen again so quickly is not a coincidence. The tech sounded concerned and knowledgeable. He said he would run a clean script, restore the modified files and send me info on how to limit the IP addresses that have the ability to FTP to my content. Great.

Well, instead I basically get a form letter from IX. There is no mention of restoring my files nor any info regarding FTP restrictions. Instead it again focuses on pointing the finger back at me, saying that I could have had a keylogger installed, scan my machine, blah, blah, blah.

This pisses me off, especially when you consider IX’s history. When I was talking to the guy on the phone I suggested the possibility of a server compromise like before. He said that if it was the case they would be inundated with calls. I said, “Funny, that is the exact same thing you guys told me before, yet the server WAS compromised.”

So I fixed the tainted files and everything should be fine once again. However, I will be watching very closely. If IX has once again allowed their servers to be compromised there will be major hell to pay.