Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked site individually. All the URLs had the same format http://<domain-of-a-hacked -site.com>/news/faults-ending.php. For example, hxxp://brewerstire .com/news/faults-ending.php .
This reminded me of another ongoing attack that also rotates iframe URLs in a similar way. However it has some distinguishing features that make it worth it to describe it separately.
Competition in search marketing can be tough. Regardless of number of businesses/products/services relevant to a specific keyword there is only one top position and unless it’s your site at the top you miss out on the hefty share of the search traffic generated by that keyword. The lower the result is displayed the less attention it gets.
Even if you are in “business” of black hat SEO and can use whatever dirty tricks you like, you still can’t guarantee the top position for the most popular keywords since there are already many established reputable sites and other black hats competing for the same keywords. But if you can’t always get the top position, you can still try to make your results look more attractive than the rest and increase their click through rate, right? Right! And this post will be about one of such tricks
October is a cyber security awareness month so lets start it with the most hilarious web security awareness video I’ve ever seen.
It’s a follow up to my post about server-wide iframe injection attack where I asked for any information about that tricky hack. Thanks to my readers and administrators of infected servers I have some new information about it. Now I know how it works and what is infected, but still have no idea how hackers break into servers, so your input is welcome.
This post is a request for information.
This summer I come across some clearly infected servers where I can’t figure out how exactly the hack works and what should be done to clean them up and to protect other servers from similar hacks. So I decided to share my information about the issue and hope someone could shed some light on it.
Here we go »»
What can be even worse is storing user passwords in plain text.
Brian Kreb was recently shocked when his hosting provider sent him his password in plain text. He wrote a post about it and made a conclusion that it is quite a common practice among hosting providers and that “naming and shaming may be the only way to change” it.
But why do hosting providers save passwords in plain text? Maybe because most of them don’t invent anything and just rely on web hosting automation programs?
Today I came across an interesting attack that injects malicious scripts at the very bottom of existing .js files.
Update: at the bottom of this post you’ll find information about how a security hole in Plesk Panel was used to infect websites. Comments are also worth reading.
Update (July 26, 2012): The attack has changed both the injected script and the domain generating algorithm. See details in my follow up article. Information about the Plesk security issues are still can be found in the current post and comments.
The script (surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments ) looks like this:
Full source code can be found here
On Google diagnostic pages of infected sites you will currently see something like this
Malicious software is hosted on 2 domain(s), including ctonxidjqijsnzny .ru/, znycugibimtvplve .ru/.
I say “currently”, because the most interesting thing about this script is the built-in domain name generator.