Database injection, and more updates

We posted a few weeks ago about a large-scale database injection attack affecting WordPress on shared hosts. The infected sites got the following JavaScript malware inserted into every post in their database (generally the wp_posts table on WordPress):


Once decoded, it attempted to include and load the following link:

We also saw multiple variations of it, where the following domains were used as the main intermediaries:

What is interesting is the number of sub-intermediaries that change every few hours:

They are using domains on multiple TLDs (.net, .com, .in, .us, etc.) and changing them every hour. The most common networks for these to be hosted are at: and, but that changes often as well. We will keep you posted as we track them…
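Because the injection places the same script in every post, one way to check a database is to look for any `<script>` block repeated across most rows of the posts table. The sketch below is an added example, not code from the original post: it assumes the default `wp_posts` table name, uses an in-memory SQLite database as a stand-in for the site's MySQL database, and the sample rows and placeholder payload are constructed.

```python
import re
import sqlite3
from collections import defaultdict

# Matches whole <script>...</script> blocks, case-insensitive, across newlines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def find_mass_injected_scripts(conn, min_fraction=0.8):
    """Return [(script, post_ids)] for script blocks repeated across most posts.

    A script an author embedded on purpose shows up in one or two posts; a
    database-wide injection puts the same block in nearly all of them.
    """
    cur = conn.cursor()
    # Assumption: default table prefix. Adjust if the site uses another one.
    cur.execute("SELECT ID, post_content FROM wp_posts")
    rows = cur.fetchall()
    seen = defaultdict(set)
    for post_id, content in rows:
        for block in SCRIPT_RE.findall(content or ""):
            # Collapse whitespace so reformatted copies still group together.
            seen[" ".join(block.split())].add(post_id)
    cutoff = max(2, min_fraction * len(rows))
    hits = [(s, sorted(ids)) for s, ids in seen.items() if len(ids) >= cutoff]
    return sorted(hits, key=lambda h: -len(h[1]))


def demo_db():
    """Constructed sample: 5 posts, one legitimate embed, one injected block."""
    injected = "<script>/* constructed placeholder payload */</script>"
    embed = '<script src="https://widgets.example/embed.js"></script>'
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    posts = [f"<p>Post body {i}</p>" + injected for i in range(1, 6)]
    posts[2] = embed + posts[2]  # post 3 also carries a legitimate embed
    conn.executemany("INSERT INTO wp_posts (post_content) VALUES (?)",
                     [(p,) for p in posts])
    return conn


if __name__ == "__main__":
    for script, ids in find_mass_injected_scripts(demo_db()):
        print(f"{len(ids)} posts share: {script[:60]}")
```

Any block it reports still needs a manual look, since a theme or plugin shortcode can legitimately repeat a script across posts.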

If you are worried your site might be vulnerable, scan it here:

If your site is infected with malware or blacklisted, we are here to help.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.
