Database injection and – Intermediary domains

We posted a few days ago about a large scale database injection attack affecting shared hosts. The infected sites got the following javascript malware inserted on every post of their database (generally the wp-post table on WordPress):


Which after decoded, attempted to include and load the following link:

Nothing much different from other web-based malware that we have been tracking. But what is interesting about this attack is how fast the intermediaries domains are changing to avoid detection and getting blacklisted.

These are just some of the ones used in the last 24 hours:

As you can see, changing from .cc,, .in., and even some .com in there. Most of them are hosted at, but the IP address is changing as well. By checking those on Google, none of them got blacklisted, showing that their tactics are working.

We will keep posting details we learn more.

If your site is infected with malware or blacklisted, we are here to help.

You May Also Like