SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware-entry-mwgdd5

malware-entry-mwgdd5

Description:

Code used to insert a malicious javascript on many WordPress sites hosted at GoDaddy. The malicious code is added to all PHP files (or the database), infecting each post. Loads the malware from:

http://welcometotheglobalisnet.com/js.php?kk=25
http://www3.incredible-protectionro.rr.nu
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.first-internetmaster.net
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.top-only-scanner.uni.cc

Generally infecting all WordPress posts. More details here: http://blog.sucuri.net/2011/02/hilary-kneber-godaddy-and-welcometotheglobalisnet-com.html

Clean up:

Contact support@sucuri.net.

Malware dump (base 64 added to the .php files):