Friday, February 3, 2012

DreamHost: hijacked websites redirect to Russian scam

Following the Dreamhost hack, that was revealed this week, many websites hosted by the company have been hijacked to redirect users to a Russian scam page.

I've identified hundreds of websites hosted by DreamHost that contained a PHP page redirecting to hxxp://www.otvetvam.com/. Here are a few examples:
  • http://www.lciva.com/wp-content/plugins/extended-comment-options/gyrewnv.php
  • http://honorboundphoto.net/photos/10007-mankato_habitat_for_humanity_golf_tournament/agtruje.php
  • http://ryanmasters.ca/wp-content/gallery/our-kingdom/thumbs/tyiueg.php
  • http://treatmentofpanicattacks.com/wp-content/cache/supercache/www.treatmentofpanicattacks.com/category/anxiety-support/polzin.php
  • http://r4theband.co.uk/content/wp-content/themes/agregado/includes/cache/gyrewnv.php 
  • http://dedehaluk.com/cache/hakkinda/fgjke.php
  • http://www.agustindondo.co.uk/yellowbrick/wp-content/files_flutter/modules/fgjke.php 
  • http://dcstavclub.org/wp-content/themes/newzen_2.0_build_105/images/fgndnju.php 
  • http://camtarn.org/gizmoblog/content/06/03/entry060305-180312/comments/fgjke.php 
  • http://derek.hinchy.org/MT-5.031-en/mt-static/support/theme_static/professional_website/themes/professional-green/polzin.php
  • http://ojosdelmundo.dreamhosters.com/images/comprofiler/gallery/tghreig.php

otvetvam.com promotes a common "get rich working from home" scam. On the left side, all links point to the same collection of fake testimonies from people purporting to have made plenty of money using the system.


hxxp://www.otvetvam.com/
The right side of the page, looks like Adsense ads from Google (same font, same colors, layout, etc.), but they are all links to www.tvoitube.com. This is a YouTube look-alike site, which contains a video shown promoting an online gambling site (www.cristal-casino.com).

Fake Russian YouTube site http://www.tvoitube.com/

www.otvetvam.com copied the layout of the popular Russian site, mail.ru. The source code actually reveals that the page was created from http://otvet.mail.ru/question/59882991/, which has now been blocked by mail.ru.


The hijacked sites now redirect to other websites including ru-0tveti.com, ru-0tveti1.com, etc. These domains were registered on 01/25/2012, but no websites are yet hosted at the domains.

I'm sure this is just the beginning of massive abuses on websites hosted by DreamHost.

3 comments:

A Person said...

A lot of those appear to be wordpress sites. How can you be sure these aren't just due to a vulnerability in an unpatched install of wordpress or its plugins?

Julien Sobrier said...

@A Person: all of the sites were on Dreamhost, not on any other provider. Some are not running Wordpress: http://foto-franzschweizer.ch/ runs Joomla!, http://w47films.com/ is a static site, etc.

Jeremy Hanmer said...

Hi Julien, As we mentioned in our email to you this morning, we wanted to make it clear that there is no evidence that the security breach we announced in January is related to the redirects you mention above. In fact, we have not found a single confirmed case of any suspicious login activity stemming from the breach - which we caught very early the day it happened.

The more important reality here, as security experts have suggested, is that there is an ongoing fight against criminal organizations who exploit individual web sites that don't keep security software up to date. The most effective way people can combat this criminal element is by simply keeping the security software up to date on their web site. DreamHost also provides every customer with available (and free!) proactive security filtering and monitoring via mod_security. We also have a scanning system that we automatically run on any customer who fears they may have been the victim of a hack and submit a support ticket. With this, we're able to help most customers secure their sites within minutes of them alerting us. At DreamHost, we prevent around 50,000 attacks every day from hitting customer websites - but there is always more to do.