Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Hackers Turn Legitimate Websites into Underground Software Stores

10 Dec 10   Filed in Website exploits with 2 Comments

This is the time of the year when online sellers do their best to attract herds of holiday shoppers. Software pirates are no different. They offer huge discounts (up to 95%) on popular and expensive software products and provide user-friendly online stores. They have even moved their stores one step closer to you: onto hacked legitimate websites.

Two Malware Trends Combined in One Attack

06 Oct 10   Filed in Website exploits with 8 Comments

Two of the major trends in malware attacks described on this blog this summer were the use of hijacked DNS records of legitimate domains and continuous attacks against sites hosted on MediaTemple and RackSpace. At the end of this September, I noticed a new attack that combined these two trends.

At a higher level, this attack is no different from many preceding variations that hit MediaTemple. It prepends malicious code to the first line of some existing .js files, or injects it between <ads>…</ads> tags at the bottom of the HTML of legitimate web pages.

Look closer, however, and new techniques appear.
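To make the two file-level patterns concrete, here is an added example (my code, not the post's) of detection logic run over constructed sample files. It assumes you have a known-good copy of each .js file (a clean backup or the pristine CMS package) and that legitimate pages on the site never use an <ads> element; every file name and payload below is a constructed sample.

```python
"""Added example (not from the Unmask Parasites post): detection logic for the
two injection patterns the post describes: code prepended to the first line of
existing .js files, and a block injected between <ads>...</ads> tags at the
bottom of a page's HTML.

Assumptions (mine, not the post's): a known-good copy of each .js file exists
(clean backup or pristine CMS package), and legitimate pages never use an <ads>
element. All file names and contents below are constructed samples.
"""
import hashlib
import re

# Constructed samples. The "payload" is a placeholder, not real attack code.
CLEAN_JS = "function init() {\n  return 'ok';\n}\n"
INFECTED_JS = "/* constructed payload */ var _x = 1;" + CLEAN_JS

CLEAN_HTML = "<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_HTML = CLEAN_HTML + "<ads><script>/* constructed payload */</script></ads>\n"

# Non-standard <ads> element; assumed never to appear in legitimate markup.
ADS_BLOCK = re.compile(r"<ads>(.*?)</ads>", re.IGNORECASE | re.DOTALL)


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_js(current, baseline):
    """Compare a deployed .js file with its known-good copy.

    A prepend-only infection leaves the original bytes intact at the tail of
    the file, so if the current content ends with the baseline and the hashes
    differ, whatever sits in front of the baseline is the injected prefix.
    """
    if sha256(current) == sha256(baseline):
        return {"status": "clean", "prefix": ""}
    if current.endswith(baseline):
        return {"status": "prepended", "prefix": current[: len(current) - len(baseline)]}
    return {"status": "modified", "prefix": ""}


def find_ads_blocks(html):
    """Return every <ads>...</ads> block with its offset, payload and whether
    it sits after </body> (the post says the injection lands at the bottom)."""
    body_end = html.lower().rfind("</body>")
    blocks = []
    for m in ADS_BLOCK.finditer(html):
        blocks.append({
            "offset": m.start(),
            "payload": m.group(1).strip(),
            "after_body": body_end != -1 and m.start() > body_end,
        })
    return blocks


def scan_site(files, baselines):
    """files: path -> current content. baselines: path -> known-good .js content.
    Returns (path, finding) pairs for anything that matches either pattern."""
    findings = []
    for path, content in sorted(files.items()):
        if path.endswith(".js"):
            if path not in baselines:
                findings.append((path, {"status": "no_baseline", "prefix": ""}))
                continue
            result = check_js(content, baselines[path])
            if result["status"] != "clean":
                findings.append((path, result))
        elif path.endswith((".html", ".htm", ".php")):
            for block in find_ads_blocks(content):
                findings.append((path, dict(status="ads_block", **block)))
    return findings


# Constructed site snapshot: one infected script, one clean script, one infected
# page, one clean page.
SAMPLE_FILES = {
    "js/app.js": INFECTED_JS,
    "js/lib.js": CLEAN_JS,
    "index.html": INFECTED_HTML,
    "about.html": CLEAN_HTML,
}
SAMPLE_BASELINES = {"js/app.js": CLEAN_JS, "js/lib.js": CLEAN_JS}

if __name__ == "__main__":
    for path, finding in scan_site(SAMPLE_FILES, SAMPLE_BASELINES):
        print(path, finding["status"], finding.get("prefix") or finding.get("payload", ""))
```

The hash comparison is the cheap path; the "prepended" verdict additionally recovers the injected prefix for analysis, while "modified" means something other than a prepend changed and deserves a full diff against the baseline. Because the injection lives in files on the server, run this against the document root itself rather than against fetched pages, which the attack may serve differently.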

Tweet Week: June 14-20, 2010

21 Jun 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

RackSpace WordPress issue, WordPress 3.0, keyloggers + pastebin

Internals of Rogue Blogs

17 Mar 10   Filed in Website exploits with 4 Comments

Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail), redirecting visitors to scareware websites. This hack mainly affected sites hosted on the Servage network.

Recently I was contacted by one of Servage's clients, who found his sites hacked:

I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.

He sent me the offending files he found under his account (thanks, Matthew). Now I can share my analysis of those files with you.

Gumblar Breaks WordPress blogs and other complex PHP sites

04 Nov 09   Filed in Website exploits with 16 Comments

Iframe infections are not the only way a compromise can break a website. It appears that the current version of Gumblar effectively breaks WordPress blogs.

Tweet Week: Oct 26 – Nov 1, 2009

01 Nov 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Oct 26, 2009

[link:Sophos blog] New type of hidden malicious iframes

Oct 28, 2009

[milestone] 50 blog posts on http://blog.UnmaskParasites.com (in less than a year)

Security updates are available for Firefox 3/3.5 and Opera 10. Make sure to update your browser ASAP

Oct 30, 2009

I published a “beta” of my Practical Guide to Dealing With Google’s Malware Warnings – need your feedback. Thanks

[link:ottodestruct.com] How to find a backdoor in a hacked WordPress – great article

Oliver Fisher (Google Anti-Malware) on Google's automated malware scanners and warnings

If you want more real-time experience, you can follow @unmaskparasites on Twitter.


Revenge of Gumblar Zombies

23 Oct 09   Filed in Website exploits with 50 Comments

Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate websites in a very short time this May? The infection was relatively easy to detect but very hard to get rid of completely. It infected various types of files and planted backdoor scripts in inconspicuous places on websites so that the hackers could easily restore the malicious content.

The gumblar .cn site (and its immediate successor martuz .cn) was promptly shut down. As a result, the malicious script injected into hacked websites became harmless to site visitors. However, many webmasters failed to clean up their sites properly after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that the hackers would find a way to use this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many respects.

Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)

18 Jun 09   Filed in Website exploits with 24 Comments

There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected websites, it was clearly not as prominent as Gumblar. To my mind, that is because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to the malicious content, so a single clean fetch of a page proves little, and many security scanners simply overlook it. Most likely the spread of this attack is underestimated.

In this post, I'll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved very fruitful in my recent post about the Gumblar exploit, where your 150+ comments made the article the most informative online resource about that attack, one that most other sites (including major media) referred to.

I hope the information you find here helps site owners and hosting providers understand the nature of the exploit and get rid of it.