Welcome to the family.

We’ll be in touch soon.

GoDaddy Redirect Malware Alert

Posted on Wednesday December 21, 2022

THE ISSUE WITH GODADDY’S MALWARE

On December 19th, 2022, users started to report that pages are randomly linking to various explicit websites and other nefarious destinations. The most obvious culprit would be some form of Apache redirect malware, or other commonly used frameworks – possibly a new breed of WordPress redirect malware. As more and more reports started to flood in, and developers scratched their heads about what the issue could possibly be, a through-line started to emerge pointing to the hosting provider.


Due to the extremely elusive nature of this issue (one could potentially reload a webpage hundreds of times and not see it, while another user will get it on the first attempt), troubleshooting the issue is extremely difficult. By capturing HTTP header data when these elusive redirects happen, we’re able to get a better idea of what’s going on.

The HTTP header is sent with every request and response and passes additional metadata fields along to the server and client. These fields may include the referring website, cookies, and the field relevant to this malware, location. The location header field is mandatory in a redirect response and tells the client where the requested URL has moved.

By capturing the malicious redirect we were able to determine that this redirect was coming from the server and was not a malicious script running in the browser.

While the full list of destinations are unclear at this point; some of the sites we’ve seen redirects to include a site with “bonga” in the url as well as “bestfnnce” – we’ve obscured the full URL’s here for your protection. Another trend we observed was the string “H8BfdGPh” contained in the URL’s – though this value could very well be randomized and individual to a project. One common indicator was the inclusion of “DOM=” and “URI=” passed through as parameters in the redirect URL such as “http://evil-domain-dot-com/H8BfdGpH?DOM=your-domain.com&URI=%2findex.php“.

These examples should not be considered as an all inclusive list; they are simply what we have observed so far in affected websites- we simply haven’t seen the full scope of outcomes yet.

The issue has been identified as GoDaddy redirect malware and speculation has led to the suspected cause being compromised load balancers on GoDaddy Shared Hosting servers. As of December 21st, 2022, GoDaddy has updated their status page acknowledging the issue and are surely working around the clock to address it. To understand the implications, let’s take a quick look at what a load balancer on a server is responsible for.

THE SUSPECTED MALWARE CULPRIT – GODADDY LOAD BALANCERS

A load balancer is responsible for distributing incoming network requests across multiple servers in order to maximize performance. This is done by ensuring computational work is split across more than one server, and if a server goes down, it redirects traffic to the other servers to prevent downtime. A compromised load balancer can intercept these requests and redirect them from their intended location.

GoDaddy Malware Redirect Status as of December 21, 2022

THE EFFECTS

When dealing with redirect malware, the first instinct is to check the website server configuration. With the Apache web server, this would be in the .htaccess file. These would be immediately seen as out-of-place redirect or RewriteRule directives.

If the Apache configuration was ruled out as the source, the next step is to look for website files with injected redirect function calls. This code is often obfuscated with shell code or base64 encoding, but once decrypted would contain malware using the PHP header function to send a raw HTTP header, or in a JavaScript file containing a window.location.href assignment that would be executed in the browser.

HOW MALWARE COMPROMISES YOUR SEO & ONLINE AD CAMPAIGNS

In this instance the server files were clean, which could only mean the cause was within the shared host itself.
Another effect of this redirect malware is the potential for search engines to mark your website as unsafe. Search engines such as Google and Bing can crawl websites multiple times per day and are sophisticated enough to render web pages with JavaScript and CSS enabled. If the crawler notices it is being redirected to a malicious website, the website will be flagged and a warning message will appear so that users know the potential dangers ahead. This results in a significant drop in user visits, lower engagement, and mistrust among users. The search engine may even remove your website from the Search Engine Results Page, thereby destroying your organic search visibility. This could undo your hard work building rankings and take weeks or even months after your website is cleaned for Google to recognize that it is no longer compromised.

Malware associated with your website can also be extremely detrimental to your online advertising campaigns. Your ads will be immediately suspended if Google, Facebook, or any other online advertiser detects malware on your site. Your website will also be flagged and can even be blacklisted from using their platforms in the future.

WHAT TO DO IF YOUR GOOGLE ADS ACCOUNT WAS SUSPENDED FOR MALWARE

If your website is suspended due to malware, you will have to go through an appeals process to certify that your website no longer contains the malware the online advertiser initially flagged. Suspended accounts are barred from running any ads, so appealing these suspensions promptly is very important. It is critical to ensure your appeal includes a clear explanation of the issue, and steps taken to resolve it in order to expedite this process.

THE SOLUTION

Considering the obvious risks associated with the situation, we recommend immediate migration to a different hosting service until the issues are resolved, or temporarily disabling the website by way of DNS. The risks outlined above outweigh the inconvenience of your site being inaccessible; not to mention the additional resources and headaches involved with damage control around this unprecedented event.

This is the Madhouse experience. Rapid, simple, reliable solutions – but that’s just the tip of the iceberg.
We build strategically-driven, award-winning marketing campaigns that drive crazy amounts of traffic through beautifully navigable websites and apps supported by online ads, e-blasts, and insights drawn specific to your users. Everything’s tracked, measured, analyzed and refined to maximize engagement and drive conversions. No marketing dollar goes unaccounted for.

Let us take care of the technical stuff so you can focus on driving your business forward. Madhouse offers a full suite of digital services including:

  • Cutting-edge website and app development backed by award winning creative
  • Full marketing packages for virtual, in-person or hybrid applications
  • Consumer engagement campaigns via social and e-blasts to understand your customer, vice-versa.
  • Technical expertise and client support so when situations like this incident pop up, we have you covered.

I UNDERSTOOD SOME OF THOSE WORDS… BUT NOW WHAT?!

Luckily, our clients are covered with our complimentary emergency hosting service for situations just like this. We’ve proactively reached out to any clients who have opted to host their websites independently on GoDaddy, and provided a temporary server they can use until we’re satisfied that our clients’ sites are at no risk. Business as usual.


We love collaboration, responsiveness and transparency.

Let’s connect. 


ALL POSTS