GoDaddy SEO Cloaking: Under The Condition of Donkey Porn

I can’t make this stuff up. I am leaving all of this cyber jabawaki behind me to pursue a career in Canadian pharma and internet pornography. Nahhh… but that does make for a great topic of discussion! Like this one.

If you actually follow my blog (all three of you), you may have read a post that I wrote just a few days ago, PenTester Pro Tip: Validating The TOE, which is what resulted in this masterpiece.

Background

Yet again, on a pentesting engagement I came across a questionable domain that was clearly unrelated to my target’s industry, so I took the time to inspect it a little further. Long story short, the domain did not belong to my client, because they had in fact provided an invalid IP address range. No harm, no foul. However, when I ran a simple Google search on the domain name it returned some gnarly results.

[Screenshot: initial Google search result for the domain]

Interesting… right? Maybe not to the uninitiated. I’ve seen this kind of thing before (and no, I do not go searching the internet for donkey porn… except in this instance).

It appeared to me that what was going on here was a case of SEO cloaking. It is fairly simplistic. If you operate or have ever spun up an Apache web server you may be vaguely familiar with .htaccess, a per-directory configuration file that Apache reads out of the document tree itself. It can enable things like basic password protection, mod_rewrite rules, and conditional redirects. Because a single .htaccess can redirect a page or an entire site to whatever destination it is configured with, and because it lives in the web root where anyone with write access (stolen FTP credentials, a vulnerable CMS) can drop one, it is a very common target and the possibilities are endless.

In the case of SEO cloaking, the attack typically works by checking the Referer header (yes, the HTTP header really is spelled that way) on the incoming request to see whether the visitor arrived from a search engine (Google, Bing, Yahoo, etc.) and, if so, redirecting them to a page of the attacker’s choosing. If you visit the site with the Referer header unset, or set to something that does not match the condition, then voila! You land on the correct site. That is exactly why the owner never notices: they type the URL directly or follow a bookmark, so the rule never fires for them. The same trick is sometimes keyed on the User-Agent instead (serving one thing to Googlebot and another to browsers), so when checking a site it is worth trying both a search-engine Referer and a crawler User-Agent.

Essentially… this:

[Screenshot: Wireshark, the HTTP request]

Results in this:

[Screenshot: Wireshark, Export Objects (HTTP)]

A lovely chain of redirects. (Spare yourself the visit to www.toastedballs.com; I can ASSURE you that it is definitely #NSFW.)

These are the contents of the conditional redirect page:


<html><head><meta http-equiv="refresh" content="0; url=http://1empiredirect.com/redirect?aff_id=4106&subid=pack445&at=1&tb=http%3A%2F%2F1empiredirect.com%2Fredirect%3Faff_id%3D4106%26subid%3Dpack445%26at%3D1%26tb%3Dhttp%253A%252F%252Fcdn.nezlobudnya.com%252Fdirectclick%252F%253Faid%253D33745%2526uid%253D2382&allowed=11002,11052,10799,9868,9050,8314,8316,8312,8318,10769,10797,10801,11104,11106,11108,11056,11054,10909,10907,10881,10879,10637,10635,10557,10555,11062,7629,8562,8402,8396"></head></html>
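To make that chain concrete, here is an added example (mine, not code from the original post) that pulls the meta-refresh target out of the page above and unwraps the nested, percent-encoded tb= parameter one layer per hop. The HTML is the page quoted above; the reading of tb as “next hop URL, encoded once more per nesting level” is my assumption, based on the fact that decoding one layer at a time lands exactly on the hosts seen in the redirect chain.

```python
"""Unwrap the redirect chain hidden in a cloaking meta-refresh page.

Added example, not code from the original post.  SAMPLE_PAGE is the page
quoted in the post; everything else is mine.  Assumption: the `tb` parameter
carries the next hop as a percent-encoded URL (each nesting level is encoded
one more time), which is why decoding one layer per hop recovers the chain.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The conditional redirect page as captured (note the raw, unescaped '&' in the attribute).
SAMPLE_PAGE = (
    '<html><head><meta http-equiv="refresh" content="0; url=http://1empiredirect.com/redirect'
    '?aff_id=4106&subid=pack445&at=1&tb=http%3A%2F%2F1empiredirect.com%2Fredirect%3Faff_id%3D4106'
    '%26subid%3Dpack445%26at%3D1%26tb%3Dhttp%253A%252F%252Fcdn.nezlobudnya.com%252Fdirectclick'
    '%252F%253Faid%253D33745%2526uid%253D2382&allowed=11002,11052,10799,9868,9050,8314,8316,8312,'
    '8318,10769,10797,10801,11104,11106,11108,11056,11054,10909,10907,10881,10879,10637,10635,'
    '10557,10555,11062,7629,8562,8402,8396"></head></html>'
)

# Regex rather than an HTML parser on purpose: the attribute contains raw '&',
# and a lenient parser may try to interpret '&...' runs as character references.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*(\d+)\s*;\s*url=([^"\']+)',
    re.I,
)


def meta_refresh_target(html):
    """Return (delay_seconds, url) for the first <meta http-equiv=refresh>, else None."""
    m = META_REFRESH.search(html)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


def unwrap_chain(url, param="tb", max_depth=10):
    """Follow the nested `param` value from the outermost hop inward.

    Returns one (host, path, other_params) tuple per hop.  parse_qs decodes
    exactly one layer of percent-encoding per call, so a value that was
    encoded twice comes out right on the second hop.
    """
    hops = []
    for _ in range(max_depth):  # bound the loop: hostile input could self-reference
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        inner = query.pop(param, [None])[0]
        hops.append((parts.hostname, parts.path, {k: v[0] for k, v in query.items()}))
        if not inner:
            break
        url = inner
    return hops


def decode_redirect_page(html):
    """Meta-refresh page -> list of hops, ending at the real landing host."""
    target = meta_refresh_target(html)
    return unwrap_chain(target[1]) if target else []


if __name__ == "__main__":
    for host, path, params in decode_redirect_page(SAMPLE_PAGE):
        print(f"{host}{path}  {params}")
```

Run against the captured page this yields three hops: 1empiredirect.com/redirect (with the aff_id, subid and allowed list), 1empiredirect.com/redirect again (aff_id and subid only), and finally cdn.nezlobudnya.com/directclick/ with aid and uid, which matches the hosts the packet capture shows. The same aff_id on both 1empiredirect hops is the affiliate identifier worth pivoting on across other compromised sites.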

Now this is all great, but it is not the crux of this post. Plenty of people have documented these attacks in detail and provided step-by-step recovery instructions.

This is where things get really interesting

Ok… so here is where I start searching for donkey porn. 🙁

Out of sheer curiosity, I wanted to see what would come back if I searched Google for the result title itself.

[Screenshot: Google search results for the title]

Gross. There’s a lot of this out there: 10,800 results.

This wasn’t enough. I really wanted to determine the root cause, because in all likelihood the same attacker was responsible for every affected site in those search results. Going in, I honestly believed this was down to some horribly written WordPress plugin or an outdated version of Joomla. Not quite.

Scratching The Surface

To paint a better picture of what was going on, I wrote a Python script that would run a Google search for that lovely query. For each result, the script would log the URL, then make an HTTP request with the Referer header unset and then again with it set to Google.com. It would then compare the content of both pages and detect whether the redirect was present. I also wanted to collect some details regarding who the top hosting providers were, so the script also grabbed the IP address of the server the site was hosted on and performed a reverse DNS lookup.
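The check that script performs, and the server-side condition described in the .htaccess section earlier, as an added example (mine, not the post’s script). Fetching is injected as a callable so the detection logic runs offline against two simulated hosts; the “compromised” one applies a referer test of the same shape as a typical mod_rewrite condition (RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]), which is an assumption, since the real .htaccess behind these sites was never recovered. The page contents, hostnames and PTR names below are constructed; the one real data point is that secureserver.net PTRs mean GoDaddy, as the post found.

```python
"""Referer-keyed cloaking check and hosting roll-up.

Added example, not the script from the post.  Fetching is injected as a
callable `fetch(url, headers) -> {"status", "location", "body"}` so the
detection logic runs against the simulated hosts below without network
access; `urllib_fetch` is the adapter for real targets.  SEARCH_ENGINE
mirrors a mod_rewrite condition such as
    RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
which is an assumption: the actual .htaccess behind the post was not recovered.
"""
import re
import socket
import urllib.error
import urllib.request
from collections import Counter

GOOGLE_REFERER = "https://www.google.com/"
SEARCH_ENGINE = re.compile(r"google|bing|yahoo", re.I)
META_REFRESH = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>]+)', re.I)
PROVIDER_NAMES = {"secureserver.net": "GoDaddy"}  # the PTR suffix the post found

# Constructed responses for the simulated hosts (aff_id taken from the captured page).
CLOAK_PAGE = ('<html><head><meta http-equiv="refresh" content="0; '
              'url=http://1empiredirect.com/redirect?aff_id=4106"></head></html>')
LEGIT_PAGE = "<html><body><h1>Acme Plumbing</h1></body></html>"


def simulated_cloaked_host(url, headers):
    """Compromised site: only search-engine referrals get the redirect page."""
    hit = SEARCH_ENGINE.search(headers.get("Referer", ""))
    return {"status": 200, "location": None, "body": CLOAK_PAGE if hit else LEGIT_PAGE}


def simulated_clean_host(url, headers):
    return {"status": 200, "location": None, "body": LEGIT_PAGE}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 30x responses instead of following them: a Location-based
    cloak should be caught the same way as a meta refresh."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, headers, timeout=10):
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
            return {"status": r.status, "location": None,
                    "body": r.read(200_000).decode("utf-8", "replace")}
    except urllib.error.HTTPError as e:  # raised for 30x once redirects are disabled
        return {"status": e.code, "location": e.headers.get("Location"),
                "body": e.read().decode("utf-8", "replace")}


def detect_cloaking(url, fetch=urllib_fetch, referer=GOOGLE_REFERER):
    """Fetch twice, identical except for Referer, and diff the outcome."""
    base = {"User-Agent": "Mozilla/5.0 (cloak-check)"}
    plain = fetch(url, dict(base))
    refd = fetch(url, dict(base, Referer=referer))
    finding = {"url": url, "referer": referer, "cloaked": False, "redirect": None}
    if refd["location"] and refd["location"] != plain["location"]:
        finding.update(cloaked=True, redirect=refd["location"])
    m = META_REFRESH.search(refd["body"])
    if m and not META_REFRESH.search(plain["body"]):
        finding.update(cloaked=True, redirect=m.group(1))
    return finding


def provider_from_ptr(ptr):
    """Collapse a PTR name to its parent domain (two-label heuristic; wrong
    for ccTLD second-level registries such as co.uk, good enough for a survey)."""
    labels = ptr.rstrip(".").lower().split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else ptr
    return PROVIDER_NAMES.get(domain, domain)


def summarize_hosting(ptrs):
    """Count affected sites per provider from their reverse-DNS names."""
    return Counter(provider_from_ptr(p) for p in ptrs if p)


def reverse_dns(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    print(detect_cloaking("http://example.invalid/", fetch=simulated_cloaked_host))
    print(summarize_hosting(["ip-203-0-113-5.ip.secureserver.net", "vps.example-host.net"]))
```

Two things the simulation makes visible: a non-search Referer (say, a link from another blog) gets the clean page just like no Referer at all, which is why the condition is invisible to the owner and to most visitors, and a Bing referral triggers it exactly as Google does. For real targets, swap in urllib_fetch and feed the IPs through reverse_dns before summarize_hosting.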

What I learned was completely unexpected. Since Google doesn’t like my script scraping all of the results (which is fine, I only wanted a decent sample set), I was able to collect ~200 addresses. Out of all of those addresses, only 2 were NOT hosted on GoDaddy. The URLs in the search results that did not redirect were all pornographic sites to begin with.

[Screenshot: server listing; secureserver.net is GoDaddy (domains, IP addresses and server IDs redacted)]

Peeling Back The Layers

So, I have all of these compromised sites (or servers, rather). All of them follow the same redirect pattern:


1empiredirect.com (88.214.241.190)
  -> cdn.nezlobudnya.com (176.31.224.189) or hstraffa.com (88.214.197.35)
    -> landing page: everything from donkey porn to desperate cam girls

First things first. Since we are looking at some domains, let’s see if we get any info by performing a WHOIS lookup. Only one of the registrations didn’t spring for the $5.99 WHOIS privacy option.


Domain name: nezlobudnya.com
Registry Domain ID: 77428276_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.eranet.com
...

Registrant Name: Northrup Ivan
Registrant Organization: Ivan Wong
Registrant Street: str. Ivana Cupala 1
Registrant City: Moscow
Registrant Province/state: NV
Registrant Postal Code: 0000
Registrant Country: RU
Registrant Phone: +7.9248829112
Registrant Phone EXT:
Registrant Fax: +86.13800000000
Registrant Fax EXT:
Registrant Email: [email protected]

...

Admin Email: [email protected]

...

Tech Email: [email protected]

Looks like a bunch of fake details (a Moscow street address in a province of “NV”, a postal code of 0000 and a +86 fax number). However, the e-mail address is interesting, and it is the one field worth pivoting on. Let’s query threatcrowd.org:

[Screenshot: ThreatCrowd lookup on the registrant e-mail address]

Our domain is in there along with some other “fine” specimens.

[Screenshot: ThreatCrowd, 1empiredirect.com]

Let’s see what VirusTotal knows about this:

[Screenshot: VirusTotal, cdn.nezlobudnya.com]

Suspicious, ayyy? Not enough to trigger any alarms.

[Screenshot: VirusTotal, 1empiredirect.com]

You can literally do this all day. There is a rat’s nest of domains here.

History Repeats Itself

[Screenshot: canadian-pharmacy-norx.com, all about pharmacy]

Dancho Danchev published an excellent blog post, “GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware”, in 2010 regarding a massive GoDaddy compromise. I stumbled upon it while researching the email address obtained from the WHOIS record. The post mentions that address only in passing, which leads me to believe that his findings were the beginning of this campaign, or at least among the earliest sightings of it.

Denis Sinegubko, a senior malware researcher at Sucuri, also published a great write-up on malware attributed to the redirect. Interestingly enough, Denis’ analysis of the malware revealed some additional domains, two of which were present in the ThreatCrowd query on the suspicious email address:


menotepoer.com
menyudnya.com

The rabbit hole definitely goes deeper. I will update this post as I find more, but one question stands out…

How does GoDaddy not know about this?

Now… it would be foolish of me to theorize without enough evidence to substantiate it, but based on my knowledge of call centers (and this is not just GoDaddy), support staff are very focused on the quick fix or band-aid rather than the root cause or a long-term solution. At the end of the day, their job is to help as many customers as possible.

My feeling is that they are getting disparate calls from customers with the same problem, and since this is probably such a common occurrence, the correlation never took place. Theories – not facts.

1 Comment

  1. A Sad Webadmin says:

    Today I found this malware on a WordPress blog from a client, and it might be one of the 2 you found outside GoDaddy, as the blog was moved from GoDaddy to another provider in mid 2016.

    Luckily none of their customers have reported seeing donkey porn on the website, but it’s not nice.

    The malware has an auto update, which I tried to trigger to see what other things it downloads, but didn’t manage to make it work.
