Update: This attack seems to be restricted to 123-reg: www.123-reg.co.uk
The last couple of days, we’ve been seeing a good number of sites hacked with a familiar pattern. All of them have a javascript loading malware (the famous fake AV) from:
http://meqashopperinfo.com/js.php
http://meqashoppercom.com/js.php
http://meqashopperonline.com/js.php
http://www4.in-scale-feed.in
This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.
All the sites we’ve seen so far have the following code added to all PHP files:
eval(base64_decode("aWYoZnVuY3Rpb....
Here is the malware entry our scanner is detecting:
Note that the domain meqashopperinfo dot com (85.234.191.141, 95.211.2.55) is not blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.
What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber:
Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
usAdministrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us
The following script should clean up any infected site: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net
Luke Leal
Denis Sinegubko
Justin Channell
Yuliyan Tsvetkov
John Castro
Art Martori
3 comments
Have been experiencing these Hilary Kneber attacks for a while now on my wordpress site hosted on 123-reg. Just had a quick browse on sites that I share a server with, and on first looks, it appears it’s only affecting wordpress sites. The sucuri script works a treat
My WP blog is hosted at mediatemple, and it was hacked today.
Comments are closed.