In the past few days, a lot of websites hosted on GoDaddy servers were found to have been compromised by unknown hackers.
The Sucuri Research blog reports that its scanners discovered a lot of sites injected with a conditional redirect to an address hosting malware.
The attackers took over the .htaccess files and modified them in order to redirect all visitors to a place called sokoloperkovuskeci.com.
.htaccess is a file stored on the host along with the website, and it normally contains access-related settings, redirects and the like. Webmasters often use it to make sure their webpages are seen properly by search engines. In this case, the hackers took advantage of some of these features.
An entry was added to the end of the file that checks whether the visitor is arriving at the site from a search engine. As seen in the screenshot provided by Sucuri, all the major search engines are named, including Google, Bing, Live, AOL and Altavista. When one of these is detected, the user is redirected to the malicious site mentioned above (sokoloperkovuskeci.com).
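For site owners who want to check their own files, the following is an added example (not code from Sucuri or GoDaddy) that flags any RewriteRule sending search-engine referrals to an external host. The sample .htaccess, the host `redirect-target.example` and the function name are constructed for illustration and are not the actual injected entry.

```python
import shlex
from urllib.parse import urlparse

# Search engines named in the article; extend the tuple as needed.
ENGINES = ("google", "bing", "live", "aol", "altavista")

def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, target_host, engines) for each RewriteRule that sends
    search-engine referrals to a host not listed in own_hosts."""
    findings, engines = [], set()
    for line_no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:          # unbalanced quotes: fall back to whitespace
            parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            # RewriteCond TestString CondPattern [flags]
            if "http_referer" in parts[1].lower():
                engines.update(e for e in ENGINES if e in parts[2].lower())
        elif directive == "rewriterule" and len(parts) >= 3:
            # RewriteRule Pattern Substitution [flags]
            host = (urlparse(parts[2]).hostname or "").lower()
            if engines and host and host not in own_hosts:
                findings.append((line_no, host, sorted(engines)))
            engines = set()         # conditions apply only to the next rule
    return findings

# Constructed sample: a legitimate rule followed by an appended entry of the
# kind the article describes.
SAMPLE = r"""
# site rules
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php [L]

RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [NC]
RewriteRule ^(.*)$ http://redirect-target.example/ [R=301,L]
"""

if __name__ == "__main__":
    for line_no, host, engines in find_referer_redirects(SAMPLE):
        print(f"line {line_no}: referrals from {engines} redirected to {host}")
```

Pass the site's own hostnames in `own_hosts` so that legitimate canonical-domain redirects are not reported.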
According to CNET, GoDaddy, which hosts around 5 million accounts, released a statement claiming that “Wednesday, Go Daddy’s Security Team detected that approximately 445 hosting accounts were compromised.”
It seems that the hacks occurred after usernames and passwords were phished from owners.
“We are still investigating the issue, but so far our security team is confirming this was not an infrastructure breakdown and should not impact additional customers,” stated Todd Redfoot, chief information security officer at Go Daddy.
While the attacked sites didn’t appear to be from a certain category, the GoDaddy representative revealed that he didn’t know precisely what type of malware was involved in the issue.
“We quickly removed the malicious code and went to work to assist each of our customers to address the issue.”