More attacks – Hilary Kneber and

For the last couple of days, we’ve been seeing a good number of sites hacked with a familiar pattern. All of them have JavaScript that loads malware (the famous fake AV) from:

This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.

All the sites we’ve seen so far have the following code added to all PHP files:


What is interesting is that this site is hosted at, which was used in previous attacks by the “Hilary Kneber” group, so we think they are all related (even though this domain wasn’t registered in their name).

Note that the domain myblindstudioinfoonline dot com is not blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.

The following script should clean up any infected site:

If you need help cleaning up your site, contact us at or at

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.