Comments on: Malicious “Income” IFrames from .CN Domains

By: robert

robert — Tue, 08 Dec 2009 22:39:16 +0000

You can make sure you have a proper firewall in front of your server which will may protect you from these sort of attacks…lock it right down and only open the ports your require. Also you can block domain’s which can help

By: Denis

Denis — Mon, 05 Oct 2009 09:28:02 +0000

.gnome2 is a folder of the Gnome 2.x (desktop for Linux computers). However this desktop is not used on servers. Check the owner of the folder and the creation date.

By: Denis

Denis — Mon, 05 Oct 2009 09:24:10 +0000

Everything is automated and done by thousands of infected user computers. By the way your computer is/was also infected and hacked some other sites. I know this because these iframes are injected when trojans steal FTP credentials from infected computers.

By: thorir

thorir — Mon, 05 Oct 2009 01:08:58 +0000

This is a site I did, It got hit pretty bad.. the “virus” comes again again, I have cleaned my own computer. But how can they change the html files so fast?.. just few hours later, the virus is back. Is it a javascript file? Or is something logging into the ftp and changing the files?

By: phil

phil — Sun, 04 Oct 2009 18:39:14 +0000

Hi, last night a new folder turned up in the root of my ftp, named .gnome2, which is seemingly empty. I didnt put it there, the server guys didnt put it there, so I cant see what else it could be but some sort of hack/phising tactic.

Searching .gnome2 doesnt bring up much in the way of info on other cases, but it certianly does worry me and has had me reading up on security and malicious practices all day.

Im not sure what to do here really, I will follow a few of your rec’s, but if you have ever heard of this before please advise accordingly.

Thanks

By: Hacking: iFrames containing .cn domains / meta redirects | Dimitri.eu

Hacking: iFrames containing .cn domains / meta redirects | Dimitri.eu — Sat, 19 Sep 2009 13:03:01 +0000

[...] http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ [...]

By: web security software

web security software — Thu, 10 Sep 2009 12:12:45 +0000

Nice points you have made about web security.
Thanks for the post, informative and inciteful, made me think more about web security.

By: Michael G.

Michael G. — Mon, 07 Sep 2009 05:47:46 +0000

One of my client site infect with iframe that redirect to this sites : 3b4 .ru/, q3e .in/, x3y .ru/, using port 8080.

Make sure you clean up all the files that infected ( …. ) and find suspicious javascript code that inject into index.html files on your site. Better not using frame anymore on your site.

By: metalpigs

metalpigs — Mon, 31 Aug 2009 10:23:44 +0000

Thanks, great info… my other site had been infected by a malicious code (iframe), but cleaned already. You can also add this suspicious site:
hostads .cn

By: Internet Evolution - Jonathan Hochman - Nasty Malware Attack Targets Web Developers

Wed, 19 Aug 2009 14:58:43 +0000

[...] information about this attack is available in this blog on Unmask Parasites regarding Malicious "Income" IFrames from .CN [...]