More attacks – Hilary Kneber and meqashoppecom – Part II

A few days ago we reported a large scale attack affecting WordPress sites at hosted on 123-reg servers. They were using the domains meqashopperinfo.com and meqashopperonline.ccom to spread the malware. You can read more about it here.

Today, we’re seeing a small variation of this attack. We’re continuing our research, but it seems the attack has spread to another host, and maybe more. The attackers are using meqashoppercom.com to spread the malware and the following javascript gets added to the affected sites (result from our scanner):

Malware is getting loaded from:

http://meqashoppercom.com/kb.php

http://77.78.240.233/index.php?xxx

All the sites we’ve seen so far have the following code added to all PHP files:

eval(base64_decode(“aWYoZnVuY3Rpb….

Here is the malware entry.

Note: The domain meqashoppercom.com (77.78.240.233, 77.78.239.53) IS NOT blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.

What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The following script should clean up any infection: Sucuri Simple Cleanup Solution

Update 1: Also make sure to remove the file wp-content/wp-indexit.php, which is a backdoor used in this attack. For hosting companies, block the IP: 85.234.191.140


If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.