Also, while all of my sites mysteriously had those *.php files in their root one day, I have not seen any ill effect on my sites. This may be because I’m on a Windows server (all of my sites are either .NET or static HTML).

I’ve been looking around in case I need to jump ship, and the best I’ve found (for us on the Microsoft side of the pond anyway) is Arvixe Web Hosting (http://www.arvixe.com). Anyone had any experience with them? They seem quite good – but I guess that’s what I thought of IX.

Erik

Lately, I have been getting better service from IX Tech Support. Perhaps they have realized that I won’t tolerate their endless excuses and apologies and have decided the only way to get me off of their back is to actually fix something instead of passing the blame. My site seems to be running a lot more stable this last few weeks, knock on wood…

I have found ONE great techie employed at IX Webhosting named Arthur Riskal. If you are unfortunate enough to have to contact IX Tech support, hopefully Arthur Riskal will be the one who happens to help you. He solved several IX related problems on my site that all other IX support staff continued to try to blame on my code. Arthur went above and beyond the call of duty to uncover and fix these long term problems. Right now, he is the only Techie at IX Webhosting that I trust to really help out…

I originally thought it was my FTP program until I noticed the dozens of sites not compromised, but I hadn’t been working on them. I didn’t upload or even open my FTP program and they got injected a few days later. I changed passwords and so far haven’t been reaffected.

This tells me a couple of things:
1) It isn’t likely a server issue since something running on the server doesn’t need your login info. A password change wouldn’t matter
2) My usernames and passwords were “sent somewhere” from my machine (the only place all of them could have been gotten), but only when I accessed the sites.

I also had a virus the week this happened, and suspect whatever this is got on my machine and started monitoring FTP accesses. So if this is actually what’s happening, changing webhosts won’t solve it as you’ll still be FTP-ing from the same infected machine.

If someone has changed webhosts and hasn’t had the problem since without changing their home machine I’d like to hear about it. It is possible that all 3 web hosts were hacked at the same time, although I think it’s unlikely. Especially since I saw a blog describing the same thing I am. Google “tmp_lkojfghx” to see what I mean. That’s how I got here.

Jade

Your site can be hacked even if you are doing everything correctly. As in the case with IX, I am fairly confident that the problem lies with the IX security. You can have the best secured site on the Internet, but if your Host’s servers are not secure, then your site security is worthless. You are at the mercy of your host’s security, so you really have to hope that they are on the ball too…

It’s not that difficult to write a utility that will allow you to upload a file from one server to another. If the destination folder permissions are set to 777, there is no impediment to uploading content to the folder. If file permissions are set to 666, there is nothing to prevent a hacker from writing to the file from one server to the next. If a hacker can upload a utility to a folder, then (s)he can use that utility to write to files and upload to folders where the permissions are set to 644 and 755. All they need to do is change permissions and make the changes. While they are at it, they can change ownership of everything to make it harder for you to undo what they have done…

And if you ever create a Virtual FTP Directory and give it full privileges, then that’s the same as opening up everything in that directory, including subfolders, to the world. So if you are forced to create a Virtual FTP Directory, when you are done using it, immediately delete it to resecure your site…

One thing I’ve never understood. I’ve always heard leaving a folder as 777 would allow anyone to upload to it. But how do you upload without an FTP password?

What is the most frustrating is figuring out how someone got access. I am using the most recent version of a popular shopping cart. All the folders are set to the correct permissions. It’s a real pain to figure out what happened. For now, I’m just going to monitor the file changes each day.