I did something very interesting the other day and forgot to mention it. I did a google search for key words "yahoo counter starts" and found about a bazillion results of web sites that actually had the code injected in their pages still.

I did a WHOIS on 50 of them, and 47 were hosted by Ecommerce Corporation which is IX Webhosting. Am i wrong but does it seem like there is indeed something up with IX webhosting? Why would so many of their customers have this problem? I'm not the brightest bulb in the chandelier but i cant figure out how to pick a particular web host company and target their customers. Further evidence to suggest that IX has / had some sort of security issue on the back end?

This is from http://blog.kansaslife.net encase you have found bits and pieces of this blog on cached and no longer working pages floating around the internet. (im seeing a lot of them lately)

Just a small update. I still haven't talked to anyone that knows for sure how this injected code got in to our directorys, or databases (on the web servers). Just be sure to change your FTP passwords and stay on your host (especially IX webhosting) until this thing passes.

Another small note, i found this injected code in about 75 of my plain HTML pages on my server (which was most of them). I checked my permissions on the directory's and files and they were all ok so that was not the point of entry as far as mine goes.

Iv been checking daily for more injected code but since i started with a fresh database and files, and changed my FTP passwords and yelled at IX webhosting repeatedly about this, i haven't seen any. Also something to be aware of, if you use your Cpanel to access webshell, phpMyAdmin etc, at least with IX webhosting you get a warning that though the connection is encrypted, that the info your getting ready to send is not encrypted and that it can be easily read by a 3rd party. This obviously could be a way for someone to capture your passwords so beware if that's how your control panel works.

http://kansaslife.net/captures/20081231-33t-44kb.jpg