msgbartop
msgbarbottom
Loading site search ...

Tweet Week: March 1-7, 2010

07 Mar 10   Filed in Tweet Week with 0 Comments

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Google notifications, security patches, malicious PHP code … »»

Web of Koobface

27 Feb 10   Filed in Website exploits with 2 Comments

This research is provoked by the following blogpost of Joshua Long where he lists domain names used by Koobface. Generally, I focus on website hacks and don’t research malware distributed via email spam and social networks (Koobface is an anagram of Facebook). However that list showed me how legitimate hacked sites were integrated into Koobface scheme and I decided to try to investigate how the whole thing worked.

Joshua’s list was a good starting point. I saw multiple rogue blogspot blogs that followed the same pattern and multiple compromised sites where those blogs redirected to. For some reason, most of the functionality of the malicious pages on the hacked sites is implemented as a client-side JavaScript, so I could easily retrieve and analyze those scripts. They provided me with very interesting details about the internals of the attack: sites it expected as referrers and usage of infected PCs. As a result I came up to the following scheme:
Koobface attack flow and other details »»

Tweet Week: Feb 15-21, 2010

21 Feb 10   Filed in Tweet Week with 0 Comments

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Gumblar zombies, StopBadware reports, WordPress updates … »»

Tweet Week: Feb 8-14, 2010

15 Feb 10   Filed in Tweet Week with 0 Comments

Selected short messages and links you might have missed if you don’t follow me on Twitter.

security updates, phpMyAdmin, FTP and cPanel, etc. »»

Tweet Week: Feb 1-7, 2010

07 Feb 10   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

.htaccess hack, attack against PHP sites, IE vulnerability, … »»

Tweet Week: Jan 25-31, 2010

31 Jan 10   Filed in Tweet Week with 0 Comments

Selected short messages and links you might have missed if you don’t follow me on Twitter.

This week is packed with interesting links and notes »»

Bety.php Hack. Part 2. Black Hats in Action.

26 Jan 10   Filed in Website exploits with 2 Comments

This is the second article about the hacker attack against osCommerce-powered sites. In the first part, you can find the description of the attack along with detection and clean-up instructions. Now I want to show you what exactly hackers did and how they managed to poison Google search results.

The main goal is to demystify hackers and encourage webmasters to explore their own sites. The more you know about hackers, the better you’ll be at protecting your site against their attacks.

This post is based on the files and access logs of three compromised sites that I received from a webmaster who contacted me a couple of weeks ago.

Quick facts

  1. The attack uses unpatched vulnerability in osCommerce 2.2 that allows an attacker to upload arbitrary files to compromised servers using a security hole in file_manager.php.
  2. Only one of the three sites actually uses osCommerse (site-1).The rest two sites had been hacked using access gained via the hacked site-1.

Chronicle of the attack »»

Tweet Week: Jan 18-24, 2010

24 Jan 10   Filed in Tweet Week with 0 Comments

Selected short messages and links you might have missed if you don’t follow me on Twitter.

IE patch, updates on attacks, Google quiz, Firefox 3.6, UP testimonials »»

Bety.php – osCommerce Hack. Part 1.

18 Jan 10   Filed in Website exploits with 0 Comments

About a week ago I received a very insightful email from one webmaster where he described a recent attack that his site was subject to and showed how Google’s Webmaster Tools helped him notice the hack.

With Jim’s permission, I publish this email here »»

Tweet Week: Jan 11-17, 2010

17 Jan 10   Filed in Tweet Week with 0 Comments

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Security updates, botnets, Unmask Parasites »»