Mass infections – globalpoweringgathering .com
< script src="http ://globalpoweringgathering .com/in.php?n=15"..
With some variations, with just a number changing:
http ://globalpoweringgathering .com/in.php?n=15
http ://globalpoweringgathering .com/in.php?n=25
http ://globalpoweringgathering .com/in.php?n=2
http ://globalpoweringgathering .com/in.php?n=9
Note that this is very similar to the “Hilary Kneber” malware distributed by these domains (hosted on the same IP addresses):
welcometotheglobalisnet .com ...
We are seeing multiple causes. The most common was related to the usage of old versions of web applications (like WordPress, Joomla, etc). However, we are also seeing HTML-only sites hacked that got compromised via FTP due to stolen passwords. So make sure your sites are updated and change your passwords (making sure to use a strong password, that your desktop is not compromised, etc)..."
"... Malicious software includes 37 scripting exploit(s)... It infected 1919 domain(s)..."
April 26, 2011 - "Today we started to see a lot of sites infected with an iframe malware from jquery4html .co.cc (yes, always the .co.cc)... when we tried to access this site to identify what was going on, we were greeted with a page from the .co.cc registrar saying that the domain was available:
The domain jquery4html.co.cc is available Continue to registration >>
If you want to build a site at this address, please visit us at www .co.cc
We found that very strange and tried to register the domain to see what was going on (their registration is free), but when we were close to completing the registration they said that the domain was not available anymore... Too bad.
A few hours later, that domain was already loading additional malicious iframes from diagnostic-scanner-xp-protection .com, hilitsors .cz.cc and many other intermediaries... There are many other sites being used as intermediaries (and just by looking at the domain names you can guess that they try to push the infamous Fake AV), including hundreds of .com..."
(More detail at the blog.sucuri.net URL above.)
Edited by AplusWebMaster, 27 April 2011 - 07:01 AM.
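A defender-side check for the injection described in this post, as an added example that is not part of the original post or the quoted write-ups: it parses a page and reports `<script>`/`<iframe>` sources that point at the domains named above, flagging the `in.php?n=<number>` loader shape separately. The sample HTML is constructed, and the names `scan_html`, `InjectionFinder` and `LISTED_DOMAINS` are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the post above (written there with spaces to defang them).
LISTED_DOMAINS = {
    "globalpoweringgathering.com",
    "welcometotheglobalisnet.com",
    "jquery4html.co.cc",
    "diagnostic-scanner-xp-protection.com",
    "hilitsors.cz.cc",
}
# The in.php?n=<number> loader URL shape quoted in the post.
LOADER_RE = re.compile(r"^/in\.php\?n=\d+$")

class InjectionFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = (dict(attrs).get("src") or "").strip()
        try:
            parts = urlsplit(src)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL, nothing to match against
            return
        # Match the listed domain itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in LISTED_DOMAINS):
            target = parts.path + ("?" + parts.query if parts.query else "")
            kind = "loader" if LOADER_RE.match(target) else "listed-domain"
            self.hits.append((self.getpos()[0], tag, host, kind))

def scan_html(text):
    """Return (line, tag, host, kind) for every matching tag in text."""
    finder = InjectionFinder()
    finder.feed(text)
    return finder.hits

# Constructed sample page: one legitimate script, two injected tags.
SAMPLE = """<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js"></script>
</head><body><p>Hello</p>
<script src="http://GlobalPoweringGathering.com/in.php?n=15"></script>
<iframe src="//jquery4html.co.cc/" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Run over every file in a web root, a hit means the file itself was modified, so the cleanup steps quoted above (update the application, change the FTP password) still apply after the tag is removed.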