More attacks – Hilary Kneber and insomniaboldinfocom.com

For the last couple of days we've been seeing a good number of sites hacked with a familiar pattern. All of them have a piece of JavaScript injected that loads malware (the now-familiar fake AV) from:

http://insomniaboldinfocom.com/mm.php

http://insomniaboldinfonet.com/mm.php

http://www3.large-defense1.in

This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.

All the sites we've seen so far have the following code added to every PHP file (the blob is truncated here; its visible start decodes to if(functi, so the payload begins with a conditional):

eval(base64_decode("aWYoZnVuY3Rpb....

What is interesting is that insomniaboldinfocom.com is hosted at 77.78.239.53, an IP address used in previous attacks by the "Hilary Kneber" group, so we think they are all related (even though this domain wasn't registered in that name). Domains we have seen on that address:

myblindstudioinfoonline.com
meqashoppercom.com
insomniaboldinfocom.com

Note that the domain myblindstudioinfoonline.com is not blacklisted yet, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.

The following script should clean up any infected site: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
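As an added example (not the Sucuri cleanup script linked above, and not code from the attackers), the following Python scanner shows how the injected eval(base64_decode("...")) wrapper quoted earlier can be found, decoded for inspection and stripped from a tree of PHP files. The sample file contents, the base64 payload and the directory layout are constructed for the demo; the nested-layer unwrapping, the .bak backup and the removal of the empty <?php ?> tag left behind are assumptions about how such infections are usually laid out, not details taken from the post.

```python
"""Find, decode and strip eval(base64_decode("...")) injections from PHP files.

Added example for this post; not Sucuri's cleanup script. The sample payload,
file contents and directory layout below are constructed for the demo.
"""
import base64
import re
import tempfile
from pathlib import Path

# The wrapper seen on the hacked sites: eval(base64_decode("<blob>"));
# Either quote style and surrounding whitespace are accepted; the blob is base64 alphabet only.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)\s*\)\s*;?"""
)
# Assumption: the injection is wrapped in its own "<?php ... ?>" block, which is empty
# once the eval is removed; drop that leftover tag too.
EMPTY_PHP_TAG_RE = re.compile(r"<\?php\s*\?>\s*")
MAX_DEPTH = 5  # assumption: payloads may be wrapped in further eval(base64_decode()) layers


def decode_payload(blob: str, depth: int = 0) -> str:
    """Decode the base64 argument so the injected PHP can be read before anything is deleted.

    If the decoded text is itself another eval(base64_decode(...)) layer, unwrap it as well.
    """
    padded = blob + "=" * (-len(blob) % 4)
    text = base64.b64decode(padded).decode("latin-1")
    inner = INJECTION_RE.search(text)
    if inner and depth < MAX_DEPTH:
        return decode_payload(inner.group(2), depth + 1)
    return text


def find_injections(source: str) -> list:
    """Return every eval(base64_decode(...)) occurrence with its decoded (innermost) payload."""
    return [{"raw": m.group(0), "decoded": decode_payload(m.group(2))}
            for m in INJECTION_RE.finditer(source)]


def strip_injections(source: str) -> tuple:
    """Remove the wrappers; returns (cleaned_source, number_removed)."""
    cleaned, n = INJECTION_RE.subn("", source)
    if n:
        cleaned = EMPTY_PHP_TAG_RE.sub("", cleaned)
    return cleaned, n


def clean_tree(root: str, dry_run: bool = True) -> dict:
    """Walk root and report infected .php files; with dry_run=False rewrite them, keeping a .bak copy.

    Legitimate code can call base64_decode too, so run the dry run first and read the
    decoded payloads in the report before cleaning for real.
    """
    report = {}
    for path in Path(root).rglob("*.php"):
        source = path.read_text(encoding="latin-1")
        hits = find_injections(source)
        if not hits:
            continue
        report[str(path)] = [h["decoded"][:60] for h in hits]
        if not dry_run:
            cleaned, _ = strip_injections(source)
            Path(str(path) + ".bak").write_bytes(path.read_bytes())
            path.write_text(cleaned, encoding="latin-1")
    return report


# Constructed sample (not a real payload): a small conditional stub, base64-encoded the
# same way the injected loader is, prepended to an otherwise clean file. The name
# hypothetical_loader is made up for the demo.
SAMPLE_INNER = b"if(function_exists('hypothetical_loader')){hypothetical_loader();}"
SAMPLE_BLOB = base64.b64encode(SAMPLE_INNER).decode()
SAMPLE_NESTED_BLOB = base64.b64encode(
    ('eval(base64_decode("%s"));' % SAMPLE_BLOB).encode()).decode()
CLEAN_FILE = "<?php\necho 'hello';\n"
INFECTED_FILE = '<?php eval(base64_decode("%s")); ?>\n' % SAMPLE_BLOB + CLEAN_FILE


def build_demo_tree() -> str:
    """Create a temporary site tree with one infected and one clean PHP file."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    Path(root, "index.php").write_text(INFECTED_FILE, encoding="latin-1")
    Path(root, "inc").mkdir()
    Path(root, "inc", "config.php").write_text(CLEAN_FILE, encoding="latin-1")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("dry run:", clean_tree(demo_root))
    clean_tree(demo_root, dry_run=False)
    print("after cleanup:", clean_tree(demo_root))
```

Cleaning the files is only half the job: if the way the attackers got write access to the PHP files is not closed, the same wrapper comes back, which is why the dry-run report should also be kept as evidence of what was injected and where.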


If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.