We will be posting some quick malware updates on our blog from now on. The latest one that is affecting quite a few sites are malicious javascripts being injected directly into the wp-posts table on WordPress sites. Those are the domains being used:
http://aeaaea.com/ou
http://secree.com/re
http://uoauer.com/si
http://oeooea.com/ve
http://secowo.com/wo
Those were used in the first batch of attacks that happened a few weeks (months) ago:
http://ae.awaue.com
http://ie.eracou.com
http://ao.euuaw.com
Details about the malware:
http://sucuri.net/malware/entry/MW:RKS:3
For hosting providers/security companies: Block the IP address 91.188.59.203 – (it is hosting all those sites).
Whois details:
Name: Alex Bodrov
Address: Polubotka 19-10
City: Chernigov
Province/state: Chernigov region
Country: UA
Postal Code: 34586
Phone: +48.7139123463
Fax: +48.7139123463
Email: alexbodrovqw@gmail.com
Name: Alexandr Borisenko
Address: Polubotka 81-38
City: kiev
Province/state: Kiev region
Country: UA
Postal Code: 45675
Email: 3807345466632@gmail.com
We will post more details as we learn them.
If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.
John Castro
Ben Martin
Krasimir Konov
Cesar Anjos
Juliana Lewis
Luke Leal
Kyle Knight
Samuel Odendaal
4 comments
guys, this is a 2 months old thing 😛
To fix this problem, run the following code in your database:
UPDATE wp_posts SET post_content = replace( post_content, '<script src="http://ae.awaue.com/7"></script>', ' ')
Best regards
Comments are closed.