Yet another series of attacks – This time using

Update 1: It seems that this attack is limited to only Bluehost and Dreamhost, not GoDaddy like in the previous times.
Update 2: This script should fix/clean an infected site: site fix.php
Update 3: Attackers are using and as well.

We’re tracking another series of attacks affecting many web sites (WordPress seems to be the target application so far). This time they’re using as the attacking site and adding the following javascript to the web sites:

<script src=""></script>

<script src="

This code then loads another javascript from attempting to push the “Fake Anti virus” virus to the visitor of the site.

What is interesting is the people behind this attack. Do you remember the losotrana attack amongst the various others we’ve discussed in the past few months? Well, the people involved in this one are the same. Check out the WHOIS contact info for

Domain name:

Registrant Contact:
HardSoft, inc
Hilary Kneber
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947

It’s the same that registered, and others. We’re still researching the exploit vector, and we’ll post more details when we have them.

If you’re having difficulties getting your site cleaned up, send us an email to or visit our site: We can get your sites clean up right away.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.