Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Update on redef_colors/createCSS attack: PHP code, Backdoors and osCommerce.

07 Apr 11   Filed in Website exploits with 4 Comments

A few days ago, I blogged about the hacker attack that used the BlackHole toolkit and injected “createRSS” and “defs_colors” malicious scripts into legitimate websites. I’ve worked with a few webmasters of infected sites since then and now have some important additional information that I want to share here.
Continue »»

BlackHole: defs_colors and createCSS Injections

24 Mar 11   Filed in Website exploits with 1 Comment

This is a review of a malware injection attack that I have been seeing quite often lately.

On Safe Browsing diagnostic pages, infected sites usually mention the following domains:

Malicious software is hosted on 4 domain(s), including new-solomon .cz.cc/, newsalamandra .cz.cc/, banpox .cz.cc/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.

Among the intermediaries, they usually list chadon .nl, corkit .co, tongho.co.th and some IP address.

On infected sites, I found various modifications of a script that generally looks like this:
Continue »»

Major Disasters in Poisoned Search Results

14 Mar 11   Filed in Website exploits with 4 Comments

Only a few hours after Friday’s 8.9 earthquake and the subsequent tsunami hit Japan, security researchers noticed many poisoned Google search results for searches related to this news that redirected web surfers to fake antivirus sites.

This situation is nothing new. We’ve seen similarly poisoned search results for the Haitian earthquake a year ago, for the recent New Zealand earthquake, for last year’s floods in Pakistan, etc.

Many people use search engines to find details about breaking news such as natural disasters, catastrophes, accidents, etc. Such hardly predictable events have literally zero relevant results before they happen, so during the first few hours after the event almost any site with relevant information has a good chance to rank high on Google. This short window, when competition is quite light, is all cyber-criminals need to get steady traffic to their breaking-news-related doorway pages. Then, when every news site and blog adds its 2 cents and there are plenty of resources about those hot topics, only the most reputable and most relevant web pages make it to the top of search results.

I decided to check the poisoned search results and here’s what I found:
Continue »»

Versatile .CC Attacks

02 Mar 11   Filed in Website exploits with 28 Comments

A few days ago I tweeted that “this year the most popular TLD for malicious sites is .CC”. I conducted some research on the most prevalent attacks that use the .CC TLD and now want to elaborate on what is going on.
Continue »»

Another Update on the osCommerce .htaccess Hack

18 Jan 11   Filed in Website exploits with 2 Comments

The osCommerce .htaccess hack that I wrote about here and here is still quite prevalent.

Some webmasters have problems locating the rogue .htaccess files so I decided to address this issue again.
Continue (some new facts included) »»

Injected Script Loads Host.exe Using Hidden Iframes and Java Applets

Today, I can see many blacklisted sites where Google reports one of the following three domains as the source of the problem:

  • aubreyserr .com
  • medien-verlag .de
  • yennicq .be

E.g.

Malicious software is hosted on 1 domain(s), including medien-verlag.de/.

The attack is quite interesting so I decided to share results of my initial investigation here.
Continue »»

Hackers Turn Legitimate Websites into Underground Software Stores

10 Dec 10   Filed in Website exploits with 2 Comments

This is the time of the year when online sellers do their best to attract herds of holiday shoppers. Software pirates are no different. They offer huge discounts (up to 95%) for popular and expensive software products and provide user-friendly online stores. They even made their sites one step closer to you!
Continue »»

Doorways on Non-default Ports — New Trend in Black Hat SEO?

03 Dec 10   Filed in Website exploits with 12 Comments

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of the real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to the online stores of software pirates).

Despite all my warnings, most of those sites are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to go even further in abusing the reputation and resources of compromised servers. This post is about one such step.
Continue »»

Htaccess Redirect to Example.ru/dir/index.php

14 Oct 10   Filed in Website exploits with 8 Comments

Having read Sucuri’s article about the kirm-sky .ru attack, I decided to complement it with my own information.

I started to track this website infection back in April. It has been active all these months.
Continue »»

Two Malware Trends Combined in One Attack

06 Oct 10   Filed in Website exploits with 8 Comments

Two of the major trends in malware attacks described on this blog this summer were the use of hijacked DNS records of legitimate domains and continuous attacks against sites on MediaTemple and RackSpace. At the end of this September, I noticed a new attack that combined these two trends.

At a higher level, this attack is no different from many preceding variations that hit MediaTemple. It prepends malicious code to the first line of some existing .js files or injects it inside <ads>…</ads> tags at the bottom of the HTML code of legitimate web pages.

However, you soon notice new techniques.
Continue »»