Okay, so Surftown (or the site's actual owner) have finally cleaned the first site I reported (simple-tea.dk), but what about the rest?
At the time of writing this, there are hundreds of sites on 18.104.22.168/24 (Surftown IP range), and SurfTown, whilst having been notified of this by myself and others, have yet to do anything to either suspend or clean up the sites, let alone prevent it happening to any of their other customers' sites (I can say this because the friend that notified me of these in the first place keeps finding more of them).
What does this mean? Well it means, if you're a SurfTown customer - you've got major problems, the first of which is your site/server has likely been compromised. The second of which, and most important - is your host apparently doesn't care, they're getting your money.
Given this, until SurfTown finally get their behind into gear, I'd very strongly urge you to blackhole this /24, and if you've got a site hosted with Surftown - MOVE IT ELSEWHERE!
At the time of writing, the redirects look like this (standard HTTP 302s):
Payload (inst.exe): http://22.214.171.124/index.php?TxNM5LE=dd004
The payload domain (in this case) is on a well-known crimeware ASN, AS48691 SPECIALIST-AS Specialist Ltd 126.96.36.199/22, Moldova.
The following is a list of sites currently identified.