At first, I thought the attack was aimed at unpatched WordPress sites, though my friend's site was fully patched and updated. As I pursued the patch, I started noticing that a highly disproportionate number of the hacked sites were hosted on the same Web hosting provider my friend's site lived on: namely, Dreamhost.
Dreamhost, as I observed later, seemed to be hosting quite a number of these hacked sites. And more worrying, the sites were generally fully patched, suggesting some sort of zero-day exploit against Dreamhost's Web hosting servers.
I made note of it, fired off some emails to Dreamhost's abuse team, and forgot about it.
Fast forward to today.
Today, I received a number of spam emails that used redirectors planted on hacked sites to redirect to a spam pharmacy page selling fake Viagra. More concerning, the site appeared to be attempting an exploit to download malware. It's an exploit I've seen before, often used to distribute the W32/ZeuS banking Trojan.
In the spam messages I received, the redirect file had the same name: "jbggle.html". So, curious, I did a Google search for sites with this filename in the URL and discovered quite a large number of hacked sites that redirect to the same spam pharmacy page:
*** WARNING *** WARNING *** WARNING ***
All these URLs are live as of the time of this writing. All of them will redirect you to a spam pharmacy Web site which may also attempt to download malware on your server.
And interestingly, ALL of these Web sites are hosted by Dreamhost. Every. Single. One.
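A site owner on a shared host who wants to know whether one of these redirector files has been planted on their own account can check for it without ever visiting the live redirect. The script below is an added example, not code from this post or from Dreamhost: it walks a webroot and flags HTML, PHP and JS files that contain a meta refresh, a JavaScript location change, or a zero-size iframe pointing at a host outside an allow-list. The sample files it scans (including a "jbggle.html" carrying a meta refresh to a constructed pharmacy host) are constructed inline so the whole thing runs offline; the host names pharmacy.invalid, loader.invalid and www.example.com are placeholders.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# The three common ways a planted HTML file sends a visitor elsewhere.
# (Assumes the attribute order http-equiv ... content, which is what the
# planted files in the wild normally use; swap the order if needed.)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)
JS_REDIRECT = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*'
    r'(?:=|\.replace\s*\(|\.assign\s*\()\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
IFRAME = re.compile(r'<iframe[^>]+src\s*=\s*["\']([^"\']+)["\'][^>]*>', re.IGNORECASE)
HIDDEN = re.compile(r'(?:width|height)\s*=\s*["\']?0|display\s*:\s*none|visibility\s*:\s*hidden',
                    re.IGNORECASE)

SCAN_SUFFIXES = {".html", ".htm", ".php", ".js"}


def find_redirects(html: str) -> List[Tuple[str, str]]:
    """Return (kind, target) pairs for every redirect construct in one file."""
    hits = [("meta-refresh", m.group(1)) for m in META_REFRESH.finditer(html)]
    hits += [("javascript", m.group(1)) for m in JS_REDIRECT.finditer(html)]
    for m in IFRAME.finditer(html):
        if HIDDEN.search(m.group(0)):          # only invisible iframes are suspicious here
            hits.append(("hidden-iframe", m.group(1)))
    return hits


def scan_site(root: Path, allowed_hosts: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map relative file path -> off-site redirects for every file under root.

    Relative targets and targets on an allowed host are ignored, so a site's
    own redirects do not show up as findings.
    """
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        offsite = [(kind, target) for kind, target in find_redirects(text)
                   if urlparse(target).hostname
                   and urlparse(target).hostname not in allowed_hosts]
        if offsite:
            findings[path.relative_to(root).as_posix()] = offsite
    return findings


def build_sample_site(root: Path) -> None:
    """Write a constructed webroot: one planted redirector, one hidden iframe,
    one legitimate same-site redirect and one clean page."""
    (root / "blog").mkdir()
    (root / "jbggle.html").write_text(
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://pharmacy.invalid/"></head><body></body></html>')
    (root / "footer.php").write_text(
        '<p>footer</p><iframe src="http://loader.invalid/k" width="0" height="0"></iframe>')
    (root / "blog" / "index.html").write_text(
        '<script>window.location.href = "https://www.example.com/archive/";</script>')
    (root / "about.html").write_text(
        '<p>Contact us. <a href="http://pharmacy.invalid/">a plain link is not a redirect</a></p>')


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build the constructed site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_site(root, {"www.example.com"})


if __name__ == "__main__":
    for file, hits in sorted(demo().items()):
        for kind, target in hits:
            print(f"{file}: {kind} -> {target}")
```

Run it against the real webroot with `scan_site(Path("/home/user/example.com"), {"example.com", "www.example.com"})`. A file you did not create that sends visitors off-site is the thing to pull and to send to the host's abuse team along with its modification time; the allow-list keeps the site's own redirects out of the report. The regexes are deliberately simple, so an obfuscated JavaScript redirector (string concatenation, eval of an encoded blob) will slip past them and still needs a manual look.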
I strongly recommend that people steer well clear of Dreamhost. I have not seen this level of compromised Web sites on a single server since the zero-day exploit against iPower Web several years ago.
Dreamhost's security team seems unwilling or unable to deal with this problem, which is quite disappointing for a large, mainstream Web hosting company.
Edited to add: Within minutes of this blog post going live, I received an email from Dreamhost's security team that they had started examining the sites on their servers to remove these redirectors. It is not clear from the email whether or not they have identified the exploit being used to plant them, or indeed intend to do so.