The server hosting shii.org is hacked with a certain Trojan which is inserting malicious Javascript.

See these threads:
http://www.webhostingtalk.com/showthread.php?t=387710
http://www.programmingtalk.com/showthread.php?t=18289

--

Hi,

We are working on your issue and you will be updated shortly regarding this issue.

--

Hi,

We are able to access the domain without any problem in most browsers like IE, firefox, mozilla and opera. I am getting any virus threat on the page. Futher i have run trojan and virus scanner in the server and it deceted no trojans. Do check and update the status.

--

> We are able to access the domain without any problem in most browsers like IE, firefox, mozilla and opera. I am getting any virus threat on the page. Futher i have run trojan and virus scanner in the server and it deceted no trojans. Do check and update the status.

The Trojan does not appear every time you visit the site; it inserts
itself after the tag at random times, maybe 10% of total hits.
I don't see it most of the time, but once or twice. Other people have
seen it on my website, too:
http://forums.animesuki.com/showthread.php?t=26409&page=31

According to the webhostingtalk thread, the hack is performed by a
file called "flame.php" or "img.php", which runs an OpenSSL exploit.
The webhost itself need not be hacked-- just one of its users with a
weak FTP password. The attacker then runs
"http://weakly-passworded-website/flame.php" which executes the
exploit. Some of the admins in the thread tried things like rebooting,
disabling dl() in PHP, or disabling the execution of .so files.

--

Hi,

We are working on your issue. We are monitoring the server for trojan and you will updated shortly regarding this issue.

--

Sorry to interrupt, but it's been over a day now...

--


Hi,

We are investigating on this issue, Regarding this you will be updated shortly.

--

Hi,

Now we are able to access the domain with out any problem. So, Please do check and get back to us for any further assistance on this issue.

--



I have tried accessing the front page of my website through several
different proxies. Some of them are still showing the trojan (i.e.,
there is still a script calling "wxpel.js" or similar, which I didn't
put there). Please look into this, my website is small but I do not
like the idea of visitors getting hacked or getting virus warnings. If
this is the same variant I described, there ought toa be a file named
"flame.php" or "flame.so" in one of your clients' directories.

--

Hi,

We are investigating on this issue, Regarding this you will be updated shortly.

Cliffsnotes summary: My tech support is basically useless, and my poor visitors are getting Trojaned.

Does anyone have suggestions to deal with this, or is it time for me to abandon them and start moving over all my files and databases?