Recently, I helped one company to remediate security problems with their four websites. It was quite an usual iframe injection attack. FTP logs clearly showed how attackers used FTP to infect legitimate files on server. So the question was, how could FTP credentials be stolen?
Of course, I pointed them to my blog post where I described how malware stole passwords and all the login details saved in 10 most popular FTP clients (e.g. Filezilla, CuteFTP, Total Commander, etc.). Indeed, recent malware scan revealed two suspicious items on their computer. One of them was identified as “Spyware.Passwords“. The only problem was the site owner said they didn’t use those FTP clients and kept all passwords in KeePass. Moreover, they manages 50 websites and only four of them got infected.
The answer became quite clear when they found an old copy of SmartFTP on their computer. There had been 5 FTP account (including passwords) saved there. Four of them were the four hacked sites! So what about the fifth? No doubt all five site credentials had been stolen, but the fifth site wasn’t hacked because its password had been changed after the last use of SmartFTP — so the stolen password was not valid by the moment of the hacker attack. This also explains why the rest 45 sites were not hacked — their passwords weren’t stolen.
Not only should you avoid saving passwords in your current FTP client, but also make sure they are not saved in old programs that may still reside on your computer.
A few days ago, I blogged about the hacker attack that used the BlackHole toolkit and injected “createRSS” and “defs_colors” malicious scripts into legitimate websites. I’ve worked with a few webmasters of infected sites since then and now have some important additional information that I want to share here.
This is a review of the malware injection attack that I see quite often lately.
On Safe Browsing diagnostic pages, infected sites usually mention the following domains:
Malicious software is hosted on 4 domain(s), including new-solomon .cz.cc/, newsalamandra .cz.cc/, banpox .cz.cc/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.
In intermediaries, they usually include chadon .nl, corkit .co, tongho.co.th and some IP address.
On infected sites, I found various modification of a script that generally looks like this:
Only a few hours after the Friday’s 8.9 earthquake and the consequent tsunami hit Japan, security researchers noticed many poisoned Google search results for this news related searches that redirected web surfers to fake antivirus sites.
This situation nothing new. We’ve seen similarly poisoned search results for Haitian earthquake a year ago, for the recent New Zealand’s earthquake, for last year’s floods in Pakistan, etc.
Many people use search engines to find details about breaking news such as natural disasters, catastrophes, accidents, etc. Such hardly predictable events, have literally zero relevant results before they happen, so during the first few hours after the event almost any site with relevant information have good chances to rank high on Google. This short window when competition is quite light is all cyber-criminal need to have a steady traffic to their breaking new related doorway pages. Then, when every news site and blog add their 2 cents and there are plenty resources about those hot topics, only most reputable and most relevant web pages make it to the top of search results.
I decided to check the poisoned search results and here’s what I found:
Some webmasters have problems locating the rogue .htaccess files so I decided to address this issue again.
Continue (some new facts included) »»
This is the time of the year when online sellers do their best to attract herds of holiday shoppers. Software pirates are no different. They offer huge discounts (up to 95%) for popular and expensive software products and provide user-friendly online stores. They even made their sites one step closer to you!
Having read the Sucuri’s article about the kirm-sky .ru attack, I decided to complement it with my own information.
I started to track this website infection back in April. It has been active all these months.