Weekly malware update. You can track all updates by following our malware_updates category.
If your site has been affected by any of these issues, contact us at firstname.lastname@example.org or visit http://sucuri.net to get help or if you want to share some information with us.
nit-news.com + a.lobose.strangled.net
Another command and control (C&C) for blackhat SEO Spam. The attackers added the following code on the hacked sites:
This code contacts nit-news.com/domains.txt to get the website to be used in the spam. It only displays the SEO spam if the request comes from the Google range of IP addresses. Right now, the domain being used is a.lobose.strangled.net, but it changes almost daily.
oooabterast0.co.cc and friends
Many of the hacked sites we dealt with this week had a new iframe added by the attackers, which then loaded malware from oooabterast0.co.cc and other sites. All of them ended up on .co.cc and were hosted at 18.104.22.168.
This is the list:
Most of the affected sites got hacked through stolen FTP/SSH credentials. According to Google, more than 800 sites got hacked with it.
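One way to check a served page for the injected iframe described above is to match on the whole .co.cc zone rather than a single hostname. This is an added example, not Sucuri's code; the function names and the sample page are constructed for illustration, and treating every .co.cc host as suspect is an assumption based on this post.

```python
# Added example: flag <iframe> tags whose host falls under a suspect zone.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Zone named in this post (assumption: any host under it is worth a look).
SUSPECT_ZONES = ("co.cc",)


class IframeCollector(HTMLParser):
    """Collect the src attribute of every iframe in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def host_of(url):
    # Protocol-relative URLs (//host/path) need a scheme before parsing.
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_suspect(host):
    # Match the zone itself or a true subdomain, never a lookalike suffix.
    return any(host == z or host.endswith("." + z) for z in SUSPECT_ZONES)


def suspicious_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return [src for src in parser.sources if is_suspect(host_of(src))]


# Constructed sample page (not taken from a real infected site).
SAMPLE = """<html><body><p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<iframe src="http://oooabterast0.co.cc/" width="1" height="1"></iframe>
<IFRAME SRC="//OOOABTERAST0.CO.CC./x"></IFRAME>
<iframe src="http://evilco.cc.example.org/"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE):
        print("suspicious iframe:", src)
```

Because the attackers got in through stolen FTP/SSH credentials, run the same check over the files on disk as well as the served HTML.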
That’s it for this week. If you have questions, email us at email@example.com or visit our site: http://sucuri.net