More Hijinks at PowWeb

Looks like someone practiced some root fu over the weekend at powweb. First I got a comment from someone finding this blog via Google. He/she discovered a tgp.la link in their website hosted at powweb. I assumed that was just an old infection from when that happened last April. At that time, some server exploit added an iframe for that domain into many user’s websites. POWWeb chose not to clean their users websites of the iframe link to tgp.la, much less notify the users of the problem. Although several of us had worked to knock tgp.la offline last April, it was always possible for the bad guys to re-register that domain and get back in business. Sadly tgp.la is alive again causing some websites on powweb webservers to inadvertently serve up viruses.
Some would like to claim that the individual users sites were all hacked (certainly the more likely option). We looked into that last April and there was no commonly vulnerable system. Some people had only static HTML with strong ftp passwords. This was clearly a server level hack.
But this wasn’t the only problem at powweb this weekend. The default 404 page was apparently hijacked on cluster 2. Meaning all websites housed on this cluster would serve a virus if a file was not found on their site. The discussion thread for this is here, assuming it has not been deleted.
To avoid 404 page hijackings, I encourage everyone hosted on an Apache server to implement their own 404 redirect so they are not reliant on their web-host. Instruction for doing this are provided by extras here.
Really, powweb is a great webhost. Things like this are going to happen in a shared environment. A lot of places wouldn’t have the forums to find out what is going on.
Good luck, and safe computing.