One of my blogs was hit today (Happy Halloween) by this new strain of WordPress Blog attacks. The Sucuri Team was able to tackle the infection without issue and has posted some good information on the latest version attacking (at this point) Godaddy servers. Read more below:
“Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.
We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites usinginsomniaboldinfoorg.com.
The following domains/IP addresses are being used to spread the attack:
All the sites we’ve seen so far have the following code added to all PHP files:
Which is basically just the eval(base64_decode encoded. What is interesting is that this site is hosted at 18.104.22.168, which was used on previous attacks by the “Hilary Kneber” group, so we think they are all related:
The following script should clean up any infected site: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html ”