Sucuri SiteCheck – Web Malware Distribution – May 2012

Last month (May 2012), we identified 94,866 compromised (hacked) websites using our free SiteCheck scanner.

These were the top infections per distribution type (iframes and conditional redirections). A comparison to April can be seen here: Sucuri SiteCheck – Web Malware Distribution – April 2012.

You can follow the daily activity in our labs more closely by following Sucuri Labs and monitoring the Sucuri Labs page.

Conditional (often htaccess) redirections:

[# of sites compromised] [malware url]

Malicious iframes:

[# of sites compromised] [malware url]



If you suspect your site has fallen victim to an attacker, feel free to use our free SiteCheck scanner: http://sitecheck.sucuri.net. If you have any questions about the results, you can reach us at info@sucuri.net.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

  • Colin

    Some of my sites' pages redirect to a search engine with the search query as:

    styx ving ru evos

    What does this actually mean and what does the virus actually do?

    It seems to be on my main site as well as all my subdomains.

    Can this be removed by deleting all the sites and content and starting again on the same hosting platform?

    Thanks.
