More attacks – Hilary Kneber and insomniaboldinfocom.com

For the last couple of days, we’ve been seeing a good number of sites hacked with a familiar pattern. All of them have a JavaScript loading malware (the famous fake AV) from:

http://insomniaboldinfocom.com/mm.php
http://insomniaboldinfonet.com/mm.php
http://www3.large-defense1.in

This is very similar to the GoDaddy attack of a few weeks ago, but this time it’s affecting other hosting providers.

All the sites we’ve seen so far have the following code added to all PHP files:

eval(base64_decode("aWYoZnVuY3Rpb....
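As an added illustration (not part of the original post or of Sucuri's cleanup script), a small Python scanner that finds `eval(base64_decode("..."))` statements in PHP source, decodes the literal, checks whether the decoded payload references the domains named above, and can strip the statements. The sample file and its payload are constructed stand-ins, not the real injected code.

```python
import base64
import re

# Malware sources named in the post; a decoded payload referencing one is a confirmed hit.
KNOWN_DOMAINS = (
    "insomniaboldinfocom.com",
    "insomniaboldinfonet.com",
    "www3.large-defense1.in",
)

# Matches eval(base64_decode("<base64>")); the trailing ';' is optional so the
# whole statement can be removed cleanly by strip_injections() below.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)


def decode_payload(b64_literal):
    """Decode a base64 literal taken from the PHP; returns None when it is not valid base64."""
    raw = re.sub(r"\s+", "", b64_literal)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_injections(php_source):
    """Return one dict per eval(base64_decode()) found: offset in the file, decoded
    payload, and which known malware domains the payload references."""
    hits = []
    for m in EVAL_B64.finditer(php_source):
        payload = decode_payload(m.group(2))
        domains = [d for d in KNOWN_DOMAINS if payload and d in payload]
        hits.append({"offset": m.start(), "payload": payload, "domains": domains})
    return hits


def strip_injections(php_source):
    """Remove every eval(base64_decode()) statement; review the diff before deploying."""
    return EVAL_B64.sub("", php_source)


# Constructed sample: a clean index.php with the injected statement prepended.
# The payload is a stand-in (a script tag pointing at mm.php), not the real one.
INJECTED_PHP = "<?php " + 'eval(base64_decode("' + base64.b64encode(
    b'if(function_exists("ob_start")){echo "<script src=\\"http://'
    b'insomniaboldinfocom.com/mm.php\\"></script>";}'
).decode() + '")); ?>\n<?php echo "hello"; ?>\n'

if __name__ == "__main__":
    for hit in find_injections(INJECTED_PHP):
        print(hit["offset"], hit["domains"], hit["payload"])
    print(strip_injections(INJECTED_PHP))
```

Run it over real files by reading each `.php` under the web root into `find_injections()`; a hit whose payload decodes but references none of the listed domains still deserves a manual look.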

What is interesting is that this site is hosted at 77.78.239.53, which was used in previous attacks by the “Hilary Kneber” group, so we think they are all related (even though this domain wasn’t registered in their name):

myblindstudioinfoonline.com
meqashoppercom.com
insomniaboldinfocom.com

Note that the domain myblindstudioinfoonline dot com is not blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.

The following script should clean up any infected site: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html


If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net