SiteCheck Signatures

malware.rks_injection.3

Description:
Malware injections related to the massive hacks of websites hosted on Rackspace and Mediatemple back in 2010-2011.

Loads malware from several domains, all of them pointing to 91.188.59.203.

After that, the attack switched to 188.72.194.172: hxxp://w3.fairygoodideas[.]com/in.cgi?2

Typical injected code

< script src = hxxp://ao.euuaw[.]com/9 .... 

< script src = hxxp://ae.awaue[.]com/7 ...

< script src = hxxp://eaaea[.]com/o ...

It infects all posts inside the WordPress database (wp_posts).
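
A triage check for this kind of infection, as an added example that is not part of the original signature page: it scans (ID, post_content) rows exported from wp_posts and reports posts containing script tags whose src host is neither the site itself nor on an allow-list. The function names, the sample rows and every host name in them are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Matches <script ... src=VALUE>, tolerating extra spaces and missing quotes.
# A regex is a triage heuristic here, not a full HTML parser.
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE
)

def external_script_hosts(content, site_host, allowed=()):
    """Return hosts of script src values that are neither the site nor allow-listed."""
    trusted = {site_host.lower(), *(h.lower() for h in allowed)}
    hosts = []
    for src in SCRIPT_SRC.findall(content):
        try:
            host = urlsplit(src).hostname  # None for relative (same-site) URLs
        except ValueError:
            host = None  # malformed URL: nothing to compare against
        if host and host not in trusted:
            hosts.append(host)
    return hosts

def scan_posts(rows, site_host, allowed=()):
    """rows: iterable of (ID, post_content) pairs as read from wp_posts."""
    report = {}
    for post_id, content in rows:
        hosts = external_script_hosts(content or "", site_host, allowed)
        if hosts:
            report[post_id] = hosts
    return report

# Constructed sample rows; the hosts are placeholders, not values from this signature.
SAMPLE_ROWS = [
    (1, "<p>Hello</p><script src=http://injected.example/9></script>"),
    (2, '<p>Clean</p><script src="/wp-includes/js/jquery/jquery.js"></script>'),
    (3, "<p>Text</p><SCRIPT src = '//cdn.example.net/lib.js'></script>"),
    (4, '<script src="https://blog.example.org/a.js"></script>'
        "<script src=http://injected.example/7>"),
]

if __name__ == "__main__":
    found = scan_posts(SAMPLE_ROWS, "blog.example.org", ["cdn.example.net"])
    for post_id, hosts in found.items():
        print(post_id, hosts)
```

Posts it reports still need manual review before cleaning, since a legitimate embed from a host missing from the allow-list is flagged as well.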

Affecting: WordPress websites. Mostly on Rackspace and Mediatemple.

Mitigation
How to clean a hacked WordPress site