Description:
Code used to insert malicious JavaScript into many sites hosted at GoDaddy (the latest round of attacks, using meqashopperinfo.com, is affecting more providers).
Loads the malware from:
http://myblindstudioinfoonline.com/ll.php
http://theblindstudioinfoonline.com/ll.php
http://meqashopperinfo.com/js.php
http://meqashoppercom.com
http://meqashopperonline.com
http://insomniaboldinfocom.com/mm.php
http://voip.dialistico.net/products/voip.php
It generally infects all PHP files.
Clean up:
Run the following script: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
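To see which files carry the injection before or after a cleanup, the web root can be scanned for base64 payloads. The following is an added example, not the Sucuri cleanup script: it assumes the injected code has the form `eval(base64_decode("..."))`, which this page does not show, and the function names and the host `malware-host.example` are constructed placeholders.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumed injection shape (not shown on the page): eval(base64_decode("..."))
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)"
)

def decode_payloads(data: bytes) -> list:
    """Return the decoded body of every eval(base64_decode("...")) call."""
    decoded = []
    for match in INJECT_RE.finditer(data):
        blob = re.sub(rb"\s+", b"", match.group(1))
        try:
            decoded.append(base64.b64decode(blob, validate=True))
        except ValueError:  # malformed base64: not a decodable payload
            continue
    return decoded

def scan_tree(root, watch_hosts):
    """Map each .php file holding a payload to the watched hosts it names."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        payloads = decode_payloads(path.read_bytes())
        if not payloads:
            continue
        hosts = {h for p in payloads for h in watch_hosts
                 if h.lower().encode() in p.lower()}
        findings[path.relative_to(root).as_posix()] = sorted(hosts)
    return findings

def demo():
    # Constructed sample tree: one clean file, one with a constructed payload.
    js = b'echo "<script src=\\"http://malware-host.example/js.php\\"></script>";'
    infected = (b'<?php eval(base64_decode("' + base64.b64encode(js)
                + b'")); ?>\n<?php echo "page";')
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.php").write_bytes(infected)
        Path(tmp, "clean.php").write_bytes(b"<?php echo 'ok';")
        return scan_tree(tmp, ["malware-host.example"])

if __name__ == "__main__":
    print(demo())
```

A file listed with an empty host list still contains an `eval(base64_decode(...))` call and should be reviewed by hand, since legitimate code rarely needs one.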
Malware dump (base64 added to the .php files):