Before providing the solution let me first describe you the issue.
Early this morning I received a request from a customer to check out his servers he suspected that these were hacked. He complained about a similar issues a couple of weeks ago when he suspected something was wrong with nginx, apparently visitors from US were redirected to a page containing malware.