Malware update:

Quick malware update: The site (nice name) is being used to distribute SEO spam and malware (the famous fake AV). We recently wrote about the domain ssl-validation, but it seems that they disabled it and are using ssl-verification instead now.

You can get details of the code being used here: 7ea73e3ac775b52b945d5b45a5abb7ad and b99003ddc4a4815bb82a39cc6af3b452

All the infected sites so far had an encoded piece of PHP code inside their index.php or footer.php (if using WordPress) and a backdoor inside a random PHP file. We found the backdoor and, by analyzing the logs, we could find the C&C IP address: – – [20/Oct/2010:03:35:21 -0700] "GET /img/readthat.php HTTP/1.1" 200 11204 "" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"
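The log triage described above, as an added example (not code from the original post): it parses combined-format access log lines and reports successful requests to PHP files that are not among the entry points a WordPress install normally serves, grouped by client IP. The allowlist of known PHP paths and the sample log (documentation IP range 192.0.2.0/24) are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format, the layout of the entry quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP entry points a typical WordPress install is expected to serve directly
# (assumed allowlist). Any other .php path answering 200 deserves a look; a
# backdoor dropped into a random file under img/ or wp-content/ shows up here.
KNOWN_PHP = {"/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
             "/wp-admin/admin-ajax.php"}

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_php_hits(lines):
    """Return {path: {client_ip: count}} for 200 responses to PHP files not
    in KNOWN_PHP. The IPs talking to such a file are candidates for the
    operator's management host and can be investigated or blocked."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop query string
        if path.endswith(".php") and path not in KNOWN_PHP and rec["status"] == "200":
            hits[path][rec["ip"]] += 1
    return {p: dict(ips) for p, ips in hits.items()}

# Constructed sample log, modelled on the entry quoted in the post. Not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2010:03:30:02 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Oct/2010:03:30:03 -0700] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Oct/2010:03:35:21 -0700] "GET /img/readthat.php HTTP/1.1" 200 11204 "" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"',
    '192.0.2.77 - - [20/Oct/2010:03:41:09 -0700] "POST /img/readthat.php HTTP/1.1" 200 302 "" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"',
    '192.0.2.23 - - [20/Oct/2010:03:50:00 -0700] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '192.0.2.23 - - [20/Oct/2010:03:50:30 -0700] "GET /old/shell.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, ips in suspicious_php_hits(SAMPLE_LOG).items():
        print(path, ips)
```

Run against a real access log, the same function takes `open("access.log")` directly; only the allowlist needs adjusting to the site's actual PHP entry points.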

What is interesting is that it seems the attackers are using to manage their network of infected sites and according to Google, they have more than 4k sites under their control.

The malicious site is hosted at, so suggestion for hosting companies: Block this IP.

Having issues with malware? Sign up at and we will get it all sorted out.

1 comment
  1. As a developer I have encountered this problem and I’ve come across your article. Our CMS is composed of oscommerce, and wordpress is a different one. With your example here, I would like to ask if this will work on our CMS?
