And what is really weird is that if I make my .htaccess empty, it would redirect the those referred link directly to .ru site again.

I contacted Godaddy several times with their online support and all I get is generic support. It seems as if the shared hosting server that I’m on is infected. I have requested FTP log and there isn’t any log during the time the file was changed

What other file could cause the site to redirect other than the .htacess? I have removed all files in the root directory and leave with just one index.php file. It still redirect me to outside server if I change my .htaccess file to blank.

alienradar. ru/ keystroke.js

not alienware. ru

my mistake- sorry

no subdomains

addonrock. ru/ keystroke.js
alienware. ru/ keystroke.js

they changed all *.js, all *.php, all *.htm files with this script

websites which were infected were hosted by 1and1 in Germany (1und1.de)

Again, each of them point to 5 different IPs where they set up reverse proxies


pantscow .ru. 78 IN A 94.23.34.93
pantscow .ru. 78 IN A 87.98.136.164
pantscow .ru. 78 IN A 94.23.231.140
pantscow .ru. 78 IN A 94.23.240.219
pantscow .ru. 78 IN A 91.121.184.181


hxxp://pansolo .ru/Web_Host.js

hxxp://greatrow .ru/End_User.js

hxxp://nuttypiano .com/LAN.js
nuttypiano .com. 66 IN A 91.121.61.207
nuttypiano .com. 66 IN A 91.121.135.109
nuttypiano .com. 66 IN A 94.32.66.150
nuttypiano .com. 66 IN A 213.165.91.101
nuttypiano .com. 66 IN A 82.103.129.152

hxxp://addonrock .ru/Emulation.js
addonrock .ru. 83 IN A 212.57.179.29
addonrock .ru. 83 IN A 66.241.102.159
addonrock .ru. 83 IN A 66.241.102.166
addonrock .ru. 83 IN A 85.90.233.171
addonrock .ru. 83 IN A 89.39.203.134

hxxp://subbell .ru/LIFO.js
subbell .ru. 432 IN A 94.23.202.33
subbell .ru. 432 IN A 109.168.126.54
subbell .ru. 432 IN A 195.2.139.31
subbell .ru. 432 IN A 88.191.96.7
subbell .ru. 432 IN A 88.208.234.222

idealdesk .ru. 432 IN A 94.23.60.106
idealdesk .ru. 432 IN A 178.32.5.232
idealdesk .ru. 432 IN A 188.165.192.106
idealdesk .ru. 432 IN A 91.121.96.212
idealdesk .ru. 432 IN A 94.23.24.90

farbaby .ru. 432 IN A 88.191.96.7
farbaby .ru. 432 IN A 88.208.234.222
farbaby .ru. 432 IN A 94.23.202.33
farbaby .ru. 432 IN A 109.168.126.54
farbaby .ru. 432 IN A 195.2.139.31

hxxp://dullplane .ru/Webmaster.js
dullplane .ru. 344 IN A 94.23.202.33
dullplane .ru. 344 IN A 216.66.78.137
dullplane .ru. 344 IN A 88.191.96.7
dullplane .ru. 344 IN A 88.208.234.222
dullplane .ru. 344 IN A 93.157.232.64

hxxp://youngarea .ru/AGP.js
youngarea .ru. 395 IN A 88.191.96.7
youngarea .ru. 395 IN A 88.208.234.222
youngarea .ru. 395 IN A 93.157.232.64
youngarea .ru. 395 IN A 94.23.202.33
youngarea .ru. 395 IN A 216.66.78.137

hxxp://hugejar .com:8080/Bandwidth.js
hxxp://trapbarf .ru/IM.js

hxxp://shelfmurder .ru/QWERTY.js
hxxp://cutboss .ru/RADCAB.js

hxxp://riotassistance .ru/Template.js
riotassistance.ru. 395 IN A 217.195.160.74
riotassistance .ru. 395 IN A 77.37.21.166
riotassistance .ru. 395 IN A 77.235.44.94
riotassistance .ru. 395 IN A 88.191.47.83
riotassistance .ru. 395 IN A 93.157.232.64

hxxp://pocketbloke .ru/Tebibyte.js
pocketbloke .ru. 344 IN A 77.235.44.94
pocketbloke .ru. 344 IN A 88.191.47.83
pocketbloke .ru. 344 IN A 93.157.232.64
pocketbloke .ru. 344 IN A 217.195.160.74
pocketbloke .ru. 344 IN A 77.37.21.166

hxxp://hairyartist .ru/JPEG.js
hairyartist .ru. 432 IN A 97.107.132.41
hairyartist .ru. 432 IN A 188.40.58.19
hairyartist .ru. 432 IN A 85.120.34.244
hairyartist .ru. 432 IN A 88.191.47.83
hairyartist .ru. 432 IN A 89.19.5.116

hxxp://obscurewax .ru/Scroll_Wheel.js

obscurewax .ru. 388 IN A 217.151.230.10
obscurewax .ru. 388 IN A 188.40.58.19
obscurewax .ru. 388 IN A 88.191.47.83
obscurewax .ru. 388 IN A 85.120.34.244
obscurewax .ru. 388 IN A 212.176.115.141


Another variant: hxxp://roundstorm .com:8080/Megabyte.js

roundstorm .com. 432 IN A 91.121.162.65
roundstorm .com. 432 IN A 194.24.228.81
roundstorm .com. 432 IN A 213.175.207.140
roundstorm .com. 432 IN A 62.212.132.226
roundstorm .com. 432 IN A 88.84.145.36


serfinworld.com. 900 IN A 201.233.32.161
serfinworld.com. 900 IN A 71.205.41.75
serfinworld.com. 900 IN A 70.66.77.227
serfinworld.com. 900 IN A 173.30.189.230
serfinworld.com. 900 IN A 71.192.136.228

profincorp.com. 900 IN A 71.192.136.228
profincorp.com. 900 IN A 70.66.77.227
profincorp.com. 900 IN A 173.30.189.230
profincorp.com. 900 IN A 201.233.32.161
profincorp.com. 900 IN A 71.205.41.75

diseasednoodle.ru. 432 IN A 91.121.188.123
diseasednoodle.ru. 432 IN A 188.165.95.133
diseasednoodle.ru. 432 IN A 188.165.212.54
diseasednoodle.ru. 432 IN A 87.98.147.134
diseasednoodle.ru. 432 IN A 91.121.108.61

hxxp://pantscow .ru:8080/OASIS.js

(no subdomain here!)

The infected site was not hosted by GoDaddy this time, but by a company named realhosting.nl. After changing the FTP password the site was infected again, so i guess someone found an exploit to gain access to their servers as well. I informed the hosting provider…

This seems to be part this injection

http://www.sophos.com/blogs/sophoslabs/?p=10417

pob

blog.locatejobs .org:8080/File.js
dodo.busop .info:8080/Emoticon.js
adoffy.alltuckedinathome .com:8080/LED.js
dolgo.lulucabana .com:8080/Data.js
soaoo.blog-salopes .com:8080/Access_Point.js
asol.vmtechsolutions .biz:8080/File.js
sokyoss.drelshazly .com:8080/E-commerce.js
questtore.hermosayasociados .com:8080/Base_Station.js
solk.seamscreative .info:8080/Undo.js
sfofotky.iexam .info:8080/ODBC.js
kolpo.gunterschaub .com:8080/Keywords.js
dolfy.sedonahyperbarics .com:8080/File.js
golaogp.islamicweightloss .com:8080/Real-Time.js
asoosp.acilalisveris .com:8080/OASIS.js
assol.metro-trading .net:8080/Link.js
blog.nodisposable .com:8080/URL.js
sogpaoiy.the-mlmpowercall .com/Zettabyte.js

And I still think that it was a phishing attack that helped criminals get access to certain domains’ DNS records. There are many known GoDaddy phishing attacks (mainly via email spam).

If it was some exploitable security hole in GoDaddy’s domain management service, I’m afraid, we would have seed much more hijacked subdomains and altogether stolen domain names.