Let's cut short the story...
After some investigation I noticed that the site is infected with the "RedKit exploit kit / BlackHole Exploit Kit".
So what I did was get all the domains hosted under the "sphinx" / 220.127.116.11 server and run some scans, and even other sites hosted under Exabytes were infected (see below for a list of some infected sites).
So did the hackers upload the exploit to my files, or...?
It will inject something like this:
It appears randomly inside any .js files, and even .php and .html files (I can't even find it in the source code). I also checked that my .js file is CHMOD 644, not 777. I assume it injects the malware code on the fly and then sends it to the user.
I did a scan on http://sitecheck.sucuri.net/scanner/ too, and a warning comes out.
This BlackHole Exploit is clever: it will not show to some users, but you can use sites like http://www.webpagetest.org or http://jsunpack.jeek.org/joomla/ to check using different locations and browsers.
The Source Code Of The Target (malware) Site
http://pastebin.com/sCBNJih5 (Found on my site)
http://pastebin.com/nPU1WCDV (Unknown User Posted This)
Google "Blackhole exploit kit"
NOTE: I DID NOT SAY Exabytes got hacked or what. I just can't figure out why some other sites hosted under the same IP got infected as well:
What they tell me is that:
Here's the list of websites under the same IP: (Please look at the IP or .tk domain for the malware)
and there's more!
Exabytes is really slow in replying to my tickets.
This post has been edited by xDragonZ: Jul 19 2012, 08:49 PM
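
One way to test the on-the-fly injection theory in the post above, as an added example that is not part of the original post: compare the file as stored on disk with the bodies returned for the same URL under different browser and location profiles. The profile names, the sample file and the injected placeholder are constructed, and fetching the bodies is left to whatever tool is used.

```python
import difflib


def added_spans(on_disk: str, served: str) -> list[str]:
    """Text present in the served body but absent from the file on disk."""
    matcher = difflib.SequenceMatcher(None, on_disk, served, autojunk=False)
    return [served[j1:j2]
            for tag, _i1, _i2, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]


def compare_served(on_disk: str, responses: dict[str, str]) -> dict:
    """Compare each fetched body with the file on disk.

    'modified' maps a profile to the spans added for it (an empty list means
    the body differs only by removed text). 'selective' is True when some
    profiles get the clean file and others a modified one: the file on disk
    is intact and the change is made at serve time for chosen visitors only.
    """
    modified = {name: added_spans(on_disk, body)
                for name, body in responses.items() if body != on_disk}
    clean = [name for name in responses if name not in modified]
    return {"modified": modified, "clean": clean,
            "selective": bool(modified) and bool(clean)}


# Constructed sample data: one .js file and three fetches of its URL.
ON_DISK = "function menu() {\n  return 1;\n}\n"
PLACEHOLDER = "/* CONSTRUCTED_INJECTED_PLACEHOLDER */\n"
RESPONSES = {
    "profile-a": ON_DISK,                # hypothetical browser/location A
    "profile-b": ON_DISK + PLACEHOLDER,  # hypothetical browser/location B
    "profile-c": ON_DISK,                # hypothetical browser/location C
}

if __name__ == "__main__":
    report = compare_served(ON_DISK, RESPONSES)
    for name, spans in report["modified"].items():
        print(f"{name}: served body differs from disk, added text: {spans!r}")
    print("clean profiles:", ", ".join(report["clean"]))
    print("selective delivery:", report["selective"])
```

A result with `selective` set points away from the stored files and toward something in the serving path (web server modules, rewrite rules, or a shared component on the host), which is where the investigation should go next.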