Rotating Iframe URLs – One a Minute
Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked site individually. All the URLs had the same format http://<domain-of-a-hacked -site.com>/news/faults-ending.php. For example, hxxp://brewerstire .com/news/faults-ending.php .
This reminded me of another ongoing attack that also rotates iframe URLs in a similar way. However it has some distinguishing features that make it worth it to describe it separately.
Continue »»
Cloaking: Think Outside of [Your] Box
Cloaking in SEO is defined as a technique in which the content presented to the search engine spider is different from that presented to the user’s browser (Wikipedia). But in case of hacked sites, cloaking is more tricky than just different content for search engines and for real users. It can also be different content for different types of users. Moreover, the internal implementation is usually hidden (cloaked) from webmasters of compromised sites.
This post will be about one of such site hacks that involved SEO cloaking and used quite an interesting trick to alter page content.
Continue »»
Rich Snippets in Black Hat SEO
Competition in search marketing can be tough. Regardless of number of businesses/products/services relevant to a specific keyword there is only one top position and unless it’s your site at the top you miss out on the hefty share of the search traffic generated by that keyword. The lower the result is displayed the less attention it gets.
Even if you are in “business” of black hat SEO and can use whatever dirty tricks you like, you still can’t guarantee the top position for the most popular keywords since there are already many established reputable sites and other black hats competing for the same keywords. But if you can’t always get the top position, you can still try to make your results look more attractive than the rest and increase their click through rate, right? Right! And this post will be about one of such tricks
Continue »»
The Crocodile Hunter Meets Badware in the Wild
October is a cyber security awareness month so lets start it with the most hilarious web security awareness video I’ve ever seen.
It is brought to you by StopBadware.org and Bluehost.
Continue »»
Malicious Apache Module Injects Iframes
It’s a follow up to my post about server-wide iframe injection attack where I asked for any information about that tricky hack. Thanks to my readers and administrators of infected servers I have some new information about it. Now I know how it works and what is infected, but still have no idea how hackers break into servers, so your input is welcome.
Continue »»
RFI: Server-wide iframe injections
This post is a request for information.
This summer I come across some clearly infected servers where I can’t figure out how exactly the hack works and what should be done to clean them up and to protect other servers from similar hacks. So I decided to share my information about the issue and hope someone could shed some light on it.
Here we go »»
RunForestRun Now Encrypts Legitimate JS Files
A few days ago Jindrich Kubec (Avast) pinged me that the RunForestRun malware changed the domain generating algorithm (DGA) and now uses waw.pl subdomains (instead of .ru) in malicious URLs.
I decided to take a look at the new scripts and found quite a few very interesting changes. This post will be about those changes.
Continue »»
Millions of Website Passwords Stored in Plain Text in Plesk Panel
After the theft of LinkedIn user database, there was a lot of buzz about how unthoughtful it was to store passwords as unsalted SHA-1 hashes.
What can be even worse is storing user passwords in plain text.
Brian Kreb was recently shocked when his hosting provider sent him his password in plain text. He wrote a post about it and made a conclusion that it is quite a common practice among hosting providers and that “naming and shaming may be the only way to change” it.
But why do hosting providers save passwords in plain text? Maybe because most of them don’t invent anything and just rely on web hosting automation programs?
Continue »»
Runforestrun and Pseudo Random Domains
Today I came across an interesting attack that injects malicious scripts at the very bottom of existing .js files.
Update: at the bottom of this post you’ll find information about how a security hole in Plesk Panel was used to infect websites. Comments are also worth reading.
Update (July 26, 2012): The attack has changed both the injected script and the domain generating algorithm. See details in my follow up article. Information about the Plesk security issues are still can be found in the current post and comments.
The script (surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments ) looks like this:
Full source code can be found here
On Google diagnostic pages of infected sites you will currently see something like this
Malicious software is hosted on 2 domain(s), including ctonxidjqijsnzny .ru/, znycugibimtvplve .ru/.
I say “currently”, because the most interesting thing about this script is the built-in domain name generator.
Continue »»
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
