Quick malware update: The site ssl-verification.net (nice name) is being used to distribute SEO spam and malware (the famous fake AV). We recently wrote about the domain ssl-validation, but it seems that they disabled it and are using ssl-verification instead now.
All the infected sites so far had an encoded piece of PHP code inside their index.php or footer.php (if using WordPress) and a backdoor inside a random PHP file. We found the backdoor and by the analyzing logs, we could find the C&C IP address: 126.96.36.199.
188.8.131.52 – – [20/Oct/2010:03:35:21 -0700] “GET /img/readthat.php HTTP/1.1″ 200 11204 “http://phlks.com/doors/check_all.pl?5″ “Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10″
What is interesting is that it seems the attackers are using http://phlks.com/doors/check_all.pl to manage their network of infected sites and according to Google, they have more than 4k sites under their control.
The malicious site is hosted at 184.108.40.206, so suggestion for hosting companies: Block this IP.
Having issues with malware? Sign up at http://sucuri.net and we will get it all sorted out.