Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Malicious Apache Module Injects Iframes

10 Sep 12   Filed in Short Attack Reviews with 46 Comments

This is a follow-up to my post about the server-wide iframe injection attack, where I asked for any information about that tricky hack. Thanks to my readers and the administrators of infected servers, I have some new information about it. Now I know how it works and what is infected, but I still have no idea how hackers break into servers, so your input is welcome.
Continue »»

RFI: Server-wide iframe injections

13 Aug 12   Filed in Short Attack Reviews with 10 Comments

This post is a request for information.

This summer I came across some clearly infected servers where I can’t figure out how exactly the hack works and what should be done to clean them up and to protect other servers from similar hacks. So I decided to share my information about the issue in the hope that someone can shed some light on it.
Here we go »»

Tweet Week: Oct 5-11, 2009

11 Oct 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Oct 6, 2009

Yet another Beladen/Goscanpark story from a server admin
http://www.linuxquestions.org/questions/linux-security-4/virus-in-a-server-malware-running-randomly-in-all-server-sites.-758806/#post3708050

Story from my blog reader: 60 support tickets and 1,000 screenshots before his hosting provider took action. (His site was hosted on a Goscanpark-infected server.)

Oct 8, 2009

Researchers Hijack a Drive-By Botnet – insights from the inside

Oct 9, 2009

I see loads of spammy accounts on CommunityServer-powered sites. Sample Google search: http://www.google.com/search?q=inurl%3Amembers+inurl%3Aaspx+tramadol – they look hacked

The Cash Factory – All aspects of the iframe-injection attack: spam, trojans, passwords, etc.

Oct 10, 2009

The Malware Warning Review Process – from Google Anti-Malware team

If you want more real-time experience, you can follow @unmaskparasites on Twitter.

http://www.viruslist.com/en/analysis?pubid=204792083

Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.

23 Jul 09   Filed in Website exploits with 85 Comments

I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.

I discovered this attack when I checked the Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script, so I decided to investigate the issue. The investigation is not complete yet, but I think the information I’ve already collected will be useful for owners of compromised web sites. And I hope the missing parts will be added by you, the readers. Update (July 27, 2009): the comments are really very informative. Make sure to read them.
Continue »»

Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)

18 Jun 09   Filed in Website exploits with 24 Comments

There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected web sites, it was clearly not as prominent as Gumblar. To my mind, that is because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to malicious content. Many security scanners just overlook it. Most likely the spread of this attack is underestimated.

In this post, I’ll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved to be very fruitful in my recent post about the Gumblar exploit where your 150+ comments made my article the most informative online resource about that attack that most other sites (including major media) referred to.

I hope the information you will find here can help site owners and hosting providers understand the nature of the exploit and get rid of it.
Continue »»