Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Darkleech Update – November 2014

Just wanted to document some of the latest changes in Darkleech behavior that may help you detect it.

I’d like to thank internet security enthusiasts who share their findings with me. Without you, I could have easily missed these new (?) details.

Quick recap

Darkleech is a root-level server infection that installs malicious Apache modules. The modules inject invisible iframes into the server response after it has already been prepared (line breaks added for readability):

<style>.a4on6mz5h { position:absolute; left:-1376px; top:-1819px} </style> <div class="a4on6mz5h">
<ifr ame src="hxxp://tfmjst .hopto .org/nsiumkogckv1tv4locfzyv2eykqss9ltfb9wnmhfqz1ol2" width="247" height="557"></ifram e></div>

All the elements of this code are random and auto-generated on the fly (style name, coordinates, iframe dimensions, URL paths). Moreover, the iframe domains change every few minutes. Lately hackers prefer free No-IP.com dynamic DNS hostnames like hopto.org, ddns.net, myftp.biz, myftp.org, serveftp.com, servepics.com, etc.

This infection is hard to detect as it only shows up once per IP per day (or maybe even less often). And since it works on a low system level, it can detect if server admins are logged in, so it lurks until they log out. This means that they won’t see anything even if they monitor outgoing TCP traffic.
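A check for the injection shape described above, added here as an illustration and not taken from the original post: it flags an iframe inside a div whose class is positioned off-screen with negative left and top offsets, and notes whether the iframe host falls under one of the dynamic DNS suffixes listed. The function name, the sample pages, and the placeholder host and path are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Dynamic DNS suffixes named in the post (the post's list ends with "etc.").
DDNS_SUFFIXES = ("hopto.org", "ddns.net", "myftp.biz", "myftp.org",
                 "serveftp.com", "servepics.com")

# A class rule that uses absolute positioning.
STYLE_RE = re.compile(
    r"\.([A-Za-z0-9_-]+)\s*\{[^}]*position\s*:\s*absolute[^}]*\}", re.I)
# Negative left/top offsets (ignores margin-left and similar properties).
OFFSET_RE = re.compile(r"(?<![\w-])(left|top)\s*:\s*-\d+px", re.I)
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def find_hidden_iframes(html):
    """Return one finding per iframe inside a div pushed off-screen by CSS."""
    findings = []
    for rule in STYLE_RE.finditer(html):
        cls = rule.group(1)
        axes = {m.group(1).lower() for m in OFFSET_RE.finditer(rule.group(0))}
        if axes != {"left", "top"}:
            continue  # not moved off-screen on both axes
        div_re = re.compile(
            r"<div[^>]*\bclass\s*=\s*[\"']%s[\"'][^>]*>(.*?)</div>"
            % re.escape(cls), re.I | re.S)
        for div in div_re.finditer(html):
            for src in IFRAME_RE.findall(div.group(1)):
                host = (urlparse(src).hostname or "").lower()
                ddns = host.endswith(tuple("." + s for s in DDNS_SUFFIXES))
                findings.append({"class": cls, "src": src,
                                 "host": host, "ddns": ddns})
    return findings


# Constructed samples (not captured traffic); host and path are placeholders.
INFECTED = ('<html><body><p>page</p>'
            '<style>.k3x9 { position:absolute; left:-1200px; top:-900px} </style>'
            ' <div class="k3x9"><iframe src="http://constructed-sample.hopto.org/'
            'placeholder-path" width="247" height="557"></iframe></div>'
            '</body></html>')
CLEAN = ('<style>.box { position:absolute; left:10px; top:20px }</style>'
         '<div class="box"><iframe src="https://video.example.com/e/1">'
         '</iframe></div>')

if __name__ == "__main__":
    for name, page in (("INFECTED", INFECTED), ("CLEAN", CLEAN)):
        print(name, find_hidden_iframes(page))
```

Because the injection appears only once per IP per day and is added to the response at the server, a check like this has to run on responses as visitors receive them, not on the files stored on disk.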

For more details, please check the links at the bottom of this post.
What’s new? »»

Malicious Apache Module Injects Iframes

10 Sep 12   Filed in Short Attack Reviews with 46 Comments

It’s a follow-up to my post about server-wide iframe injection attack where I asked for any information about that tricky hack. Thanks to my readers and administrators of infected servers, I have some new information about it. Now I know how it works and what is infected, but still have no idea how hackers break into servers, so your input is welcome.
Continue »»

RFI: Server-wide iframe injections

13 Aug 12   Filed in Short Attack Reviews with 10 Comments

This post is a request for information.

This summer I came across some clearly infected servers where I can’t figure out how exactly the hack works and what should be done to clean them up and to protect other servers from similar hacks. So I decided to share my information about the issue and hope someone could shed some light on it.
Here we go »»

Tweet Week: August 22-28, 2011

29 Aug 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

TimThumb attacks, We Stop Badware Host program, blog scrapers, Apache DOS and workaround »»

Doorways on Non-default Ports — New Trend in Black Hat SEO?

03 Dec 10   Filed in Website exploits with 12 Comments

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of the real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to online stores of software pirates).

Despite all my warnings, most of those sites are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to step even further in abusing the reputation and resources of compromised servers. This post will be about one such step.
Continue »»

Keygenguru .com Hack in Search Results

04 Aug 10   Filed in Website exploits with 1 Comment

Last year I wrote about two elaborate server-wide hacks that hijacked web server (Apache) processes and intermittently served malicious content instead of requested legitimate web pages.

A year later, every now and then I still see servers affected by this sort of hack. I easily recognize recent modifications of this attack when I see links to keygenguru .com in Unmask Parasites reports. Those modifications are slightly different from what I described in my goscanpark article. This time the malicious processes not only serve JavaScript redirect code but also provide some HTML with links to pirated software and movies. This HTML code gets indexed by search engines, which helps hackers promote their illegal resources.

Side effect

A side effect of this “black-hat SEO modification” is when people search for domain names of affected sites, they see something like this in search results:
Continue »»

Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)

18 Jun 09   Filed in Website exploits with 24 Comments

There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected web sites, it was clearly not as prominent as Gumblar. To my mind, it’s because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to malicious content. Many security scanners just overlook it. Most likely the spread of this attack is underestimated.

In this post, I’ll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved to be very fruitful in my recent post about the Gumblar exploit where your 150+ comments made my article the most informative online resource about that attack that most other sites (including major media) referred to.

I hope the information you will find here can help site owners and hosting providers understand the nature of the exploit and get rid of it.
Continue »»