Yet another series of attacks (part X) – and the hilarykneber group

If you have been following our blog long, you probably heard about quite a few large scale attacks affecting many hosting companies: GoDaddy, Bluehost, Dreamhost, etc, etc.

The new one that started to spread today uses a javascript file pointing to When called, it will load and then offer the famous “fake AV” virus to the end user of a site. That’s how it looks like in a site:

< script src ="

Or in our scanner (blueh2):

Read More

Bluehost Talks Down Malware Percentages – Offers Sucuri a Forum Ban

On Sunday we reported that a number of sites hosted by Bluehost had been hacked (including their CEO’s blog).

On Monday while browsing through some of their forums, we noticed a thread regarding the exploit with remarks from forum moderators and administrators to curious customers that didn’t quite make sense.

#1 from one moderator:

Since such a negligible percentage of Bluehost sites were hacked it is just about guaranteed that it is an individual script issue rather than anything more widespread.

If it were something other than individual scripts being vulnerable then a lot more than 0.00006% of accounts would be affected.

It would be interesting to learn what Bluehost considers a negligible percentage for something like this. We’re also curious to learn more about how the .00006 percentage was determined. More on the numbers we calculated included below.

Read More