Last year I wrote about two elaborate server-wide hacks that hijacked web server (Apache) processes and intermittently served malicious content instead of requested legitimate web pages.
A year later, every now and then I still see servers affected by this sort of hack. I easily recognize recent modifications of this attack when I see links to keygenguru .com in Unmask Parasites reports. Those modifications are slightly different from what I described in my goscanpark article. This time the malicious processes not only serve JavaScript redirect code but also provide some HTML with links to pirated software and movies. This HTML code gets indexed by search engines, which helps hackers promote their illegal resources.
A side effect of this “black-hat SEO modification” is that when people search for the domain names of affected sites, they see something like this in search results:
As you might know, I maintain and regularly update a list of Gumblar zombie URLs. The main reason why I do it is to help webmasters of compromised sites find relevant information about the source of their problems and the steps required to clean up and secure their sites. I see this pattern quite often, when webmasters find a suspicious script in their web pages and use it in Google searches to find more information about it. On the other hand, this list can also help reveal the security breach of sites that hackers use to host Gumblar zombie scripts.
This week the list has reached the level of 1,000+ URLs. Although it’s just a small part of all Gumblar zombie scripts, this list makes a good base for a quick analysis of Gumblar zombie URLs.
About a month ago I wrote about a hacker attack that used hijacked subdomains of legitimate websites to serve malware (fake anti-virus software) off of them. Most likely the cyber criminals used a phishing attack to steal credentials for GoDaddy’s domain management control panel and created rogue DNS records for some subdomains to make them point to hacker-controlled servers.
In that article I wondered whether that was a new trend (the use of virtually free hijacked subdomains) or just a temporary approach that wouldn’t be used anywhere else. Well, this week I came across a different malware attack that also uses hijacked subdomains of legitimate websites.
This year we regularly see how hackers exploit security holes in the infrastructure of large shared hosting providers to compromise thousands of legitimate websites belonging to their clients. Network Solutions, GoDaddy, Servage – they are all notorious for their security problems. Now RackSpace Cloud has fallen victim to a massive hacker attack…
Here’s the story …
Yesterday, Patrick (aka Noxwizard, phpBB support team member) pointed me to a new malware attack that surfaced this week (first mentioned on May 16th).
The attack creates or modifies .htaccess files to redirect site visitors who come from major search engines and popular websites (e.g. Twitter, Facebook, Wikipedia, Flickr, Ebay, etc.) to scareware sites that aggressively push fake anti-virus software. The redirects also occur if visitors request non-existent pages or pages that produce server errors.
This .htaccess conditional redirect approach is nothing new. It has been actively exploited by hackers for at least a couple of years (and Unmask Parasites does a good job of detecting such redirects). And while the .htaccess code in this particular case has some new features (maybe more about that next time), it isn’t the most interesting thing about this attack.
This is the fifth article in the series about rogue blogs created by hackers inside legitimate websites of Servage clients. Millions of malicious web pages have seriously poisoned Google search results, redirecting visitors to scareware sites. You might want to read the previous posts first:
In this post, I’ll describe how the new generation of rogue blogs works.
Two weeks ago I blogged about the serious security problems of Network Solutions‘ shared hosting service. This time I’ll turn to another big shared hosting provider – Servage.
It’s not the first time I’ve written about Servage. Actually, this will be the 4th article in the series about rogue blogs on the Servage network. It all started in November, when I wrote about malicious blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail), redirecting visitors to scareware websites. In the second article, I showed the history of those rogue blogs (the first generation has dates in April of 2009) and how most of them (90%+) were found on the Servage network. In the third article, I wrote about the internals of those rogue blogs and their malicious features.
A few days ago I found a new generation of rogue blogs on the Servage network.
Here are the details …