Host4africa Mass Compromise

We are seeing a lot of sites hosted at host4africa.com compromised with Blackhat Spam SEO. Most of them are in the .co.za TLD (at 74.53.0.0/16 and 74.54.0.0/16) and have hidden links to generic drugs (common Pharma Spam).

When you click on the links added to the compromised sites, you are redirected to a Pharma page.

The number of sites compromised is pretty large. Here are some we identified on one site:


The spam is hidden in sub-directories of various types of sites (plain HTML, WordPress, Joomla, etc.), which leads us to believe that this is a hosting compromise.
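An administrator of a shared server can test the same reasoning locally. The sketch below is an added example, not code from this post or from Sucuri: it walks every document root, flags PHP files sitting in directories that normally hold only static assets, and reports whether the hits span several sites and platforms. The directory list, the platform marker files, the thresholds and the `.example` site names are assumptions or constructed sample data.

```python
import os
import tempfile

# Assumption: directories that normally hold static assets or logs, not PHP.
ASSET_DIRS = {"images", "css", "uploads", "gallery", "media", "logs"}
MARKERS = {"wp-config.php": "wordpress", "configuration.php": "joomla"}

def site_type(docroot):
    """Guess the platform from its config file (simple heuristic)."""
    return next((t for m, t in MARKERS.items()
                 if os.path.exists(os.path.join(docroot, m))), "static")

def stray_php(docroot):
    """Relative paths of .php files that sit under an asset directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        if set(rel.lower().split("/")) & ASSET_DIRS:
            hits += [f"{rel}/{f}" for f in files if f.lower().endswith(".php")]
    return sorted(hits)

def assess(vhosts_root, min_sites=3):
    """Scan each docroot; hits on many sites and 2+ platforms suggest the host."""
    findings, types = {}, set()
    for name in sorted(os.listdir(vhosts_root)):
        docroot = os.path.join(vhosts_root, name)
        hits = stray_php(docroot) if os.path.isdir(docroot) else []
        if hits:
            findings[name] = hits
            types.add(site_type(docroot))
    return findings, types, len(findings) >= min_sites and len(types) >= 2

def build_sample(root):
    """Constructed sample tree: three sites with planted files, one clean."""
    layout = {
        "site-a.example": ["wp-config.php", "wp-content/uploads/x1.php"],
        "site-b.example": ["configuration.php", "images/x2.php"],
        "site-c.example": ["index.html", "css/x3.php", "css/site.css"],
        "site-d.example": ["index.html", "images/photo.jpg"],
    }
    for site, paths in layout.items():
        for p in paths:
            full = os.path.join(root, site, *p.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(assess(tmp))
```

Some applications legitimately ship PHP files inside such directories, so each hit needs a manual look before it is treated as injected.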

Are you hosting here? Having any malware or spam issues? You can try our free scanner to test: http://sitecheck.sucuri.net.
