More attacks – Hilary Kneber and meqashopperinfo.com

Update: This attack seems to be restricted to 123-reg: www.123-reg.co.uk

The last couple of days, we’ve been seeing a good number of sites hacked with a familiar pattern. All of them have a javascript loading malware (the famous fake AV) from:

http://meqashopperinfo.com/js.php
http://meqashoppercom.com/js.php
http://meqashopperonline.com/js.php
http://www4.in-scale-feed.in

This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.

All the sites we’ve seen so far have the following code added to all PHP files:


eval(base64_decode("aWYoZnVuY3Rpb....

Here is the malware entry our scanner is detecting:
Scan results

Note that the domain meqashopperinfo dot com (85.234.191.141, 95.211.2.55) is not blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.

What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The following script should clean up any infected site: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html


If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net

3 comments
  1. Have been experiencing these Hilary Kneber attacks for a while now on my wordpress site hosted on 123-reg. Just had a quick browse on sites that I share a server with, and on first looks, it appears it’s only affecting wordpress sites. The sucuri script works a treat

Comments are closed.

You May Also Like