Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Darkleech Update – November 2014

Just wanted to document some of the latest changes in Darkleech behavior that may help you detect it.

I’d like to thank internet security enthusiasts who share their findings with me. Without you, I could have easily missed these new (?) details.

Quick recap

Darkleech is a root-level server infection that installs malicious Apache modules. The modules inject invisible iframes into the server response after it has already been generated (line breaks added for readability).

<style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} </style> <div class="a4on6mz5h">
<ifr ame src="hxxp://tfmjst .hopto .org/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="247" height="557"></ifram e></div>

All the elements of this code are random and auto-generated on the fly (style name, coordinates, iframe dimensions, URL paths). Moreover, the iframe domains change every few minutes — lately hackers prefer free No-IP.com dynamic DNS hostnames like hopto.org, ddns.net, myftp.biz, myftp.org, serveftp.com, servepics.com, etc.

This infection is hard to detect as it only shows up once per IP per day (or perhaps even less often). And since it works at a low system level, it can detect whether server admins are logged in, so it lurks until they log out — this means that they won’t see anything even if they monitor outgoing TCP traffic.

For more details, please check the links at the bottom of this post.
What’s new? »»

Most Contradictive Doorway Generator

12 Sep 14   Filed in Short Attack Reviews with 0 Comments

Check this thread on WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing.

The code analysis shows that it’s some sort of spammy doorway. But it’s a very strange doorway, and the way it works doesn’t make sense to me.
Continue »»

Google -> Doorway -> Google -> Spam

11 Jun 14   Filed in Uncategorized with 1 Comment

Just a few thoughts about an interesting behavior of a black-hat SEO doorway.

Typically, hackers create doorways on compromised sites to make search engines rank them for certain keywords and then, when searchers click on the links in search results, those doorways redirect them further to the site that the hackers really promote. Sometimes that redirect may go through a TDS (traffic directing service), but the whole scheme remains pretty much the same:

Search results -> doorway -> beneficiary site

Today, when doing backlink research on one of these pharma doorways, I encountered a different scheme — one with a loop.
Continue »»

Working With the Darkleech Bitly Data

10 Feb 14   Filed in General with 0 Comments

Data Driven Security took the time to analyze the raw data that I published in my recent post on the Sucuri blog about how I used Bitly data to understand the scale of the Darkleech infection.

In their article, they have a few questions about the data formats, the meaning of certain fields and some inconsistencies, so I’ll try to answer their questions here and explain how I worked with the data.
Continue »»

Invasion of JCE Bots

27 Jan 14   Filed in Website exploits with 8 Comments

Joomla has been one of the most popular CMSs for a long time. It powers a huge number of sites. That’s great! The flip side of this fact is that Joomla has been very popular for a long time, and there are still very many sites that use older versions of Joomla as well as older versions of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share of live Joomla sites.

Old versions may work well for your site, but they have multiple well-known security holes, so they are low-hanging fruit for hackers. Let me show this using a real-world example.

Continue »»

Reporting Suspicious Styles

22 Nov 13   Filed in Unmask Parasites with 0 Comments

Back in 2008, the very first task that I created Unmask Parasites for was scanning web pages for hidden links.

I read an article about thousands of WordPress blogs being stuffed with dozens of invisible spammy links. I had a self-hosted WordPress blog too, and that article made me wonder whether there was some easy way to figure out whether my blog was hacked, something less laborious than manually examining the HTML code link by link. So I decided to create a tool that would show all domains that my web pages linked to, highlighting those of them that had “invisible” styles. This approach has proved to be very efficient in identifying black hat SEO hacks. In most cases, a glance is enough to spot such problems.
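The detection idea behind both the Darkleech recap above (off-screen absolutely positioned divs wrapping iframes on dynamic DNS hosts) and the hidden-link highlighting described here is the same: collect every outbound link and iframe on a page and mark the ones whose CSS makes them invisible. The scanner below is an added illustration and is not Unmask Parasites’ own code. It uses only the Python standard library; the sample HTML, the hostnames in it (`constructed-host.hopto.org`, `pharma-example.test`), the 500px off-screen threshold and the short dynamic DNS suffix list are assumptions made for the example.

```python
"""Hidden link / iframe scanner (added example, not the Unmask Parasites code).

Flags <a> and <iframe> elements hidden by CSS (off-screen absolute positioning,
display:none, visibility:hidden) and notes iframe hosts on free dynamic DNS domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Dynamic DNS suffixes named in the Darkleech post; illustrative, not exhaustive.
DYNDNS_SUFFIXES = tuple("." + s for s in (
    "hopto.org", "ddns.net", "myftp.biz", "myftp.org", "serveftp.com", "servepics.com"))
# Assumption for this example: anything positioned this far off-screen is invisible.
OFFSCREEN_PX = 500
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}

_RULE_RE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")      # .classname { ... }
_DECL_RE = re.compile(r"([\w-]+)\s*:\s*([^;]+)")         # property: value


def parse_declarations(css):
    """'left:-1376px; top:-1819px' -> {'left': '-1376px', 'top': '-1819px'}"""
    return {k.strip().lower(): v.strip().lower() for k, v in _DECL_RE.findall(css)}


def declarations_hide(decl):
    """True if this set of CSS declarations makes an element invisible."""
    if decl.get("display") == "none" or decl.get("visibility") == "hidden":
        return True
    if decl.get("position") in ("absolute", "fixed"):
        for side in ("left", "top"):
            m = re.match(r"(-?\d+)px", decl.get(side, ""))
            if m and int(m.group(1)) <= -OFFSCREEN_PX:
                return True
    return False


class HiddenElementScanner(HTMLParser):
    """Walks the document, inheriting 'hidden' from ancestors, and records links/iframes."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.hidden_classes = set()
        self.stack = []           # (tag, hidden?) for each open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        hidden = bool(self.stack) and self.stack[-1][1]        # inherit from parent
        classes = (a.get("class") or "").split()
        if any(c in self.hidden_classes for c in classes):
            hidden = True
        if declarations_hide(parse_declarations(a.get("style") or "")):
            hidden = True
        url = a.get("href") if tag == "a" else a.get("src") if tag == "iframe" else None
        if url:
            host = urlparse(url).hostname or ""
            self.findings.append({"tag": tag, "host": host, "hidden": hidden,
                                  "dyndns": host.endswith(DYNDNS_SUFFIXES)})
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:                  # tolerate sloppy nesting
                pass

    def handle_data(self, data):
        if self.in_style:                                       # collect hiding class rules
            for cls, body in _RULE_RE.findall(data):
                if declarations_hide(parse_declarations(body)):
                    self.hidden_classes.add(cls)


def scan(html):
    """All links and iframes on the page, each marked hidden/visible and dyndns or not."""
    p = HiddenElementScanner()
    p.feed(html)
    p.close()
    return p.findings


def suspicious(html):
    """What a webmaster should look at: hidden links/iframes, plus any dyndns iframe."""
    return [f for f in scan(html) if f["hidden"] or (f["tag"] == "iframe" and f["dyndns"])]


# Constructed sample page mimicking the Darkleech injection pattern and a hidden spam link.
SAMPLE_HTML = """<html><head><title>Constructed sample page</title>
<style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} .hide { display:none }</style>
</head><body>
<p>Visit <a href="http://example.com/about">our site</a>.</p>
<div class="a4on6mz5h"><iframe src="http://constructed-host.hopto.org/nsiu" width="247" height="557"></iframe></div>
<div class="hide"><a href="http://pharma-example.test/buy">cheap pills</a></div>
<a href="http://example.org/" style="visibility:hidden">also hidden</a>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious(SAMPLE_HTML):
        print(f"{f['tag']:6} {f['host']:30} hidden={f['hidden']} dyndns={f['dyndns']}")
```

Run against the sample, the visible `example.com` link is left alone while the off-screen iframe, the `display:none` link and the inline `visibility:hidden` link are reported. Because Darkleech only serves the injection once per IP per day, a scanner like this has to fetch from an address the server has not seen recently; a clean result from the admin’s own workstation proves little.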
Continue »»

Unmask Parasites joins Sucuri

20 Sep 13   Filed in Unmask Parasites with 2 Comments

It’s official. This week Unmask Parasites joins Sucuri!

Since July 2008, when I released the first public version, Unmask Parasites has been a “one man project”, and that worked fine for me most of the time. I did everything myself, from server setup to site development, from web attack investigations to blogging here. During these years Unmask Parasites became quite well known among both webmasters and the Internet security community. And I always tried to meet their expectations by providing a tool that could reveal various obscure website security issues and by sharing information on how and why websites get hacked, and what can be done to prevent it.
Continue »»

Analyzing [Buy Cialis] Search Results

21 Aug 13   Filed in General with 2 Comments

A few days ago I was updating the spammy word highlighting functionality in Unmask Parasites results and needed to test the changes on real websites. To find hacked websites with spammy content I would normally google for [viagra] or [cialis], which are arguably the most targeted keywords used in black hat SEO hacks. However, after Google’s June update to how they rank web pages for spammy queries, I didn’t have much expectation of seeing hacked sites on the first page of search results for my usual [buy cialis] query and was ready to check a few more pages.
Continue »»

FTP Brute Force Attacks?

26 Jun 13   Filed in Website exploits with Comments Off

Hacking websites using FTP access has been one of the most popular attack vectors during the last few years. I can still see many massive site infections done via FTP.

In most cases, the first step of such attacks is stealing FTP credentials from the local computers of webmasters. Back in 2009, I described how PC malware stole passwords saved in popular FTP clients such as FileZilla, CuteFTP, SmartFTP and many more. This is still the prevailing vector. More exotic password theft methods include keyloggers, FTP traffic sniffing, and stealing the user databases of hosting providers who prefer convenience over security and store actual client passwords in plain text or only slightly encrypted (instead of storing only hashes of the passwords).

If you ask regular webmasters how hackers can break into their server via FTP, many of them will answer that hackers could guess the password (hence the need for hard-to-guess passwords). Of course, it is hard to guess any password on the first attempt, so one might expect to see multiple such attempts (so-called brute force attacks) before a password is cracked and hackers get access to a server. However, in real life I haven’t come across such FTP brute force attacks. Until this month…
Continue »»

Rotating Iframe URLs – One a Minute

11 May 13   Filed in Website exploits with 2 Comments

Earlier this week, Sucuri wrote about auto-generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on the fly every time someone loaded an infected web page. This trick allowed the malicious URLs to be updated regularly without having to change the code on each hacked site individually. All the URLs had the same format: http://<domain-of-a-hacked-site.com>/news/faults-ending.php. For example, hxxp://brewerstire .com/news/faults-ending.php.

This reminded me of another ongoing attack that also rotates iframe URLs in a similar way. However, it has some distinguishing features that make it worth describing separately.
Continue »»