I’d like to point webmasters at a great article on the Armorize blog. It is about a new massive script injection attack that seems to have affected a few thousand websites. In my post, I will summarize the information specifically for webmasters.
Selected short messages and links you might have missed if you don’t follow me on Twitter.
A few days ago, I blogged about the hacker attack that used the BlackHole toolkit and injected “createRSS” and “defs_colors” malicious scripts into legitimate websites. I’ve worked with a few webmasters of infected sites since then and now have some important additional information that I want to share here.
This is a review of a malware injection attack that I have been seeing quite often lately.
On Safe Browsing diagnostic pages, infected sites usually mention the following domains:
Malicious software is hosted on 4 domain(s), including new-solomon .cz.cc/, newsalamandra .cz.cc/, banpox .cz.cc/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.
The intermediaries usually include chadon .nl, corkit .co, tongho.co.th and some IP address.
On infected sites, I found various modifications of a script that generally looks like this: