[…] This post was mentioned on Twitter by Denis, Oscar. Oscar said: RT @unmaskparasites: [blog] From Hidden Iframes to Obfuscated Scripts http://bit.ly/5qMAzk – *GNU GPL* mal-scripts + rogue servers on Le … […]
I want to thank you for all the work you are doing in investigating, documenting and warning about this sort of criminal behaviour.
The company I work for was hit by this sort of thing a couple of months ago, and it has fallen to me to pick up the pieces: iframe-style injection of code pointing to a Russian malware site (flagged by Google). It is both painful and scary.
I now keep a close watch and subscribe to your site!
I’m LeaseWeb’s Security Officer and therefore responsible for handling abuse.
First, please let me introduce LeaseWeb. We are a dedicated hosting provider with approximately 22,000 servers in use that generate 500+ Gbps of peak traffic. We provide hardware, housing and a reliable internet connection for an ‘unbeatable’ price. We do not provide managed hosting whereby we do system administration; this is left as a task for our customer. As most customers are internet professionals (like resellers), this works very well.
As to our abuse handling:
When we receive an abuse notification about an IP address, we will forward the notification to our reseller with a 24-hour response time. For malware/phishing sites we use a shorter limit. If the reseller/customer fails to respond, we normally will null-route the IP until the customer has contacted us and assures us he will remove the offending site/code.
As a rule we do not communicate with the person who sends us the abuse notification, so not receiving a reply does not indicate that LeaseWeb has not received the notification or isn’t taking action on it.
If you have any questions, please mail me at
I completely understand that you don’t manage servers yourselves. At the same time your TOS should prohibit your customers from using servers for illegal activities.
And it’s OK not to receive a response for abuse notifications. However, I don’t see any action against mdvhost .com which is still hosted on the same two IPs on your network (the abuse report was in September).
Hope now you’ll take action against the IP addresses mentioned in this post (I believe the servers are hacked and the hackers had installed nginx on port 8080 to work as a reverse proxy for mvdhost .com or maybe some other sites).
is not infected with a virus, but the article contents contained example virus code; that’s why virus scanners thought it was infected. There you can find the cleaning tool, which has helped many people so far.
[…] is via compromised FTP credentials. My colleague over at the Unmask Parasites. Blog has also reported seeing large numbers of sites […]
Just a week ago my website was hacked in this manner.
After reading your article, I started searching the web pages that visitors got a malware warning on. I just could not find the special script mentioned in your article in any of those web pages.
I downloaded my whole website to my hard drive. I did a search on all the files for the phrase “GNU GPL”. There it was in the fw_menu.js file. I forgot all about this file. It runs the side menu bar for the web site. That is why the warning message showed up all over the place for visitors. Most of the web pages access that file.
I have uploaded a correct version of the fw_menu.js file to my website.
—– Edit by Denis: I removed your site link from your signature because the site is still hacked (I see cloaked spammy content)
We have been having a discussion on this virus on this thread as well. My posts specifically show what we have narrowed down on the user machine (what this iframe virus will launch if successful) for what we believe is a rootkit, the PSW.OnlineGames virus, which isn’t being picked up by any of the major programs without some effort….
[…] Tarmo Randel from CERT.EE warns web administrators about a malicious script whose spread in Estonia has already taken on the proportions of a pandemic and which has infected, among others, the ERR websites. A more detailed description of the malware can be read here. […]
A client just reported the same thing this morning as well. The domain in use was:
[…] This post was mentioned on Twitter by Denis, Julio Canto, Masafumi Negishi, Tatsuya Daitoku, Yoshi Tachibana and others. Yoshi Tachibana said: It started showing up around the 27th… RT @ymzkei5 Ugh. RT @MasafumiNegishi: RT @unmaskparasites: New revision of the "GNU GPL" script http://bit.ly/aXWbZ6 […]
Hi, Thank you. We didn’t know about this. We were hit three times in the last two weeks. The URL they used on our site yesterday:
May I ask what happens when I click on a hyperlink in a spam message that sends me to one of these posted malware sites? Specifically, I have traced the IPs listed in the spam, and it seems that the redirecting through infected PCs and hosts ends up at an online drugstore. One of them is Luxpharmacy .com
About this blog
Occasional posts from the developer of Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.