This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.
All the sites we’ve seen so far have the following code added to all PHP files:
What is interesting is that this site is hosted at 126.96.36.199, which was used in previous attacks by the “Hilary Kneber” group, so we think they are all related (even though this domain wasn’t registered in their name).
Note that the domain myblindstudioinfoonline dot com is not blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.
The following script should clean up any infected site: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
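A read-only check for the domain named above, as an added example that is not Sucuri's cleanup script: it walks a web root and flags PHP files that mention the domain's hostname label, either in plain text or inside a base64 string literal. The base64 handling is an assumption, since the injected snippet is not reproduced here; `classify`, `scan_tree` and `demo` are hypothetical names, and the files `demo` writes are constructed samples.

```python
import base64
import re
import tempfile
from pathlib import Path

# Hostname label of the domain named in the post (matched without the TLD).
INDICATOR = b"myblindstudioinfoonline"
# Assumption: an injected snippet may hide the domain in a base64 string literal.
B64_LITERAL = re.compile(rb"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")


def classify(data: bytes):
    """Return 'plain', 'base64' or None for one file's contents."""
    if INDICATOR in data.lower():
        return "plain"
    for match in B64_LITERAL.finditer(data):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # looked like base64 but is not
        if INDICATOR in decoded.lower():
            return "base64"
    return None


def scan_tree(root):
    """Map each flagged *.php file (path relative to root) to how it matched."""
    root = Path(root)
    hits = {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        kind = classify(path.read_bytes())
        if kind:
            hits[path.relative_to(root).as_posix()] = kind
    return hits


def demo():
    """Build a constructed web root (not real samples) and scan it."""
    ref = b"http://myblindstudioinfoonline.example/x.js"  # constructed URL
    hidden = base64.b64encode(b"<script src='" + ref + b"'></script>")
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp)
        (web / "inc").mkdir()
        (web / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
        (web / "inc" / "a.php").write_bytes(b"<?php /* " + ref + b" */ ?>\n")
        (web / "inc" / "b.php").write_bytes(b"<?php $x = '" + hidden + b"'; ?>\n")
        return scan_tree(web)
```

Calling `scan_tree` on a real document root only reads files; anything it flags still needs manual review before cleanup.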
If you need help cleaning up your site, contact us at firstname.lastname@example.org or at http://sucuri.net