Once the script is decoded, we obtain an iframe leading to vc-business.com/in.php. According to Kimberly's analysis, if a vulnerable version of Java, Windows Media Player, Flash or Adobe Reader is detected, the visitor is redirected to 184.108.40.206/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 220.127.116.11 has been caught distributing the ZeroAccess rootkit.
A second recent attack using the Blackhole exploit kit was discovered in thousands of WordPress websites that use a popular, non-updated TimThumb image tool. Avast senior researcher Jan Sirmer found that attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the site. But this is not the only way in: for example, they also use stolen passwords to make changes directly over FTP. In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js
The attack used the BlackHole exploit kit, which redirected the website's visitors to an external malware-hosting site. Researchers detected an additional 3,500 unique infected WordPress sites, which redirected visitors to malicious sites between Aug. 28 and 31. During September, the company blocked redirects from 2,515 WordPress sites, Sirmer said.
In the bottom part of the code, there is a request to https://18.104.22.168/url.php, where only one line of code is stored: assa ='Domain with Black Hole exploit kit'. A fix is available for the TimThumb tool.
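
As an added example (not from the original article or from Avast's tooling), the sweep below checks a WordPress tree for the file locations and URLs named in this article. The function names, the filename pattern generalized from the single sample path, and the sample files are assumptions constructed for illustration.

```python
import os, re, tempfile

# Indicators quoted in the article (kept exactly as they appear on the page).
PAGE_INDICATORS = ("vc-business.com/in.php", "30domaaaam.in/main.php",
                   "18.104.22.168/url.php")
# Locations the article names for the injected JavaScript. The hex.digits
# filename pattern is generalized from the one example path (assumption).
SUSPECT_PATHS = (re.compile(r"(^|/)wp-content/w3tc/min/[0-9a-f]+\.\d+\.js$"),
                 re.compile(r"(^|/)wp-includes/js/l10n\.js$"))

def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".php")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [i for i in PAGE_INDICATORS if i in text]
            if hits:
                findings.append((rel, "indicator: " + ", ".join(hits)))
            elif any(p.search(rel) for p in SUSPECT_PATHS):
                findings.append((rel, "suspect path: compare with a clean copy"))
    return sorted(findings)

def demo():
    """Scan a constructed site tree (all file contents are made up)."""
    sample = {
        "wp-includes/js/l10n.js": "var x=1; /* https://18.104.22.168/url.php */",
        "wp-content/w3tc/min/a12ed303.925433.js": "var a=0;",
        "wp-content/themes/t/app.js": "console.log('ok');",
        "index.php": "<?php // clean",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_wordpress(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Because the injected script has to be decoded before the iframe is visible, a literal URL match can miss it on disk; files at the named paths are therefore reported even without an indicator hit, so they can be compared with a clean WordPress copy.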