Weekly Malware Update – 2010/Feb/11

Weekly malware update. You can track all updates by following our malware_updates category.

    *If your site has been affected with any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help or if you want to share some information with us.

Pharma / Blackhat SEO Spam by stat-tracker.info and others

We are tracking a large number of web sites that got hacked and are redirecting users to pharmacy-related domains. All the sites had the following code added to their PHP files:

Which basically redirect the user if they came from a search engine. Domains used in these attacks (among many others):

stat-tracker.info
listita.info
babbyboom.ru
startds.net
agency-translation.com
bbt-tv.ru
dl.newsite.in

They just act as an intermediary before sending the user to sites like http://centerpills.com/ and similar (to buy fake pharmacy related products).

For hosting providers, I recommend blocking the following IP addresses: 178.238.134.8, 194.28.172.37 and 88.198.16.186.

All the sites infected had old/ vulnerable versions of web applications running. So make sure to keep your sites updated!


To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.