Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

FTP Brute Force Attacks?

26 Jun 13   Filed in Website exploits with Comments Off on FTP Brute Force Attacks?

Hacking websites using FTP access has been one of the most popular attack vectors during the last few year. I can still see many massive site infections done via FTP.

In most cases, the first step of such attacks is stealing FTP credentials from local computers of webmasters. Back in 2009, I described how PC malware stole passwords saved in popular FTP clients such as FileZilla, CuteFTP, SmartFTP and many more. This is still a prevailing vector. More exotic password theft methods include keyloggers, FTP traffic sniffing, and stealing user databases of hosting providers who prefer convenience over security and store actual client passwords in plain text or slightly encrypted (instead of storing only hashes of passwords).

If you ask regular webmasters how hackers can break into their server via FTP, many of them will answer that hackers could guess the password (hence the need to have hard-to-guess passwords). Of course, it is hard to guess whatever password at the first attempt, so one might expect to see multiple such attempts (so-called brute force attacks) before a password is cracked and hackers get access to a server. However in real life, I haven’t come across such FTP brute force attacks. Until this month…
Continue »»

Lorem Ipsum and Twitter Trends in Malware. Update.

18 Feb 12   Filed in Website exploits with 4 Comments

A few weeks ago I published an article about an attack that hosted malware on a fast flux network of infected PCs and used a clever algorithm based on Twitter trends to generate four new hard-to-predict domain names every day.

Shortly after that I was contacted by foks, who shared some interesting information. He conducted his own investigation and found out how hackers injected those scripts into legitimate web pages. He also found a new (buggy) version of the malicious script.
Continue »»

Massive Script Injection (k985ytv)

23 Aug 11   Filed in Short Attack Reviews with 1 Comment

I’d like to point webmasters at a great article on the Armorize blog. It is about a new massive script injection attack that seems to have affected a few thousand websites. In my post, I will summarize the information specifically for webmasters.
Continue »»

Thousands of Hacked Sites Seriously Poison Google Image Search Results

05 May 11   Filed in Website exploits with 47 Comments

This investigation began a few weeks ago, when I came across the following two threads in website security forums:

[] Lately I have been seeing a huge increase in the number of hacked sites appearing on google image search results that redirect to a fake Av scanner. more »»

[Google Webmaster Help] google image search results often has multiple infected / malware sites on the first SERP page. more »»

This is a well known problem. I blogged about such SEO poisoning attacks several times here. This time I decided to check what’s behind the reported increase in malicious image search results.
Continue »»

Tweet Week: April 11-17, 2011

18 Apr 11   Filed in Tweet Week with Comments Off on Tweet Week: April 11-17, 2011

Selected short messages and links you might have missed if you don’t follow me on Twitter.

DMCA, Flash zero day, Avast glitch, imgaaa attack, Qubes OS …

Unused Programs – Real Threats

13 Apr 11   Filed in Tips and Tricks, Website exploits with 1 Comment

Recently, I helped one company to remediate security problems with their four websites. It was quite an usual iframe injection attack. FTP logs clearly showed how attackers used FTP to infect legitimate files on server. So the question was, how could FTP credentials be stolen?

Of course, I pointed them to my blog post where I described how malware stole passwords and all the login details saved in 10 most popular FTP clients (e.g. Filezilla, CuteFTP, Total Commander, etc.). Indeed, recent malware scan revealed two suspicious items on their computer. One of them was identified as “Spyware.Passwords“. The only problem was the site owner said they didn’t use those FTP clients and kept all passwords in KeePass. Moreover, they manages 50 websites and only four of them got infected.

The answer became quite clear when they found an old copy of SmartFTP on their computer. There had been 5 FTP account (including passwords) saved there. Four of them were the four hacked sites! So what about the fifth? No doubt all five site credentials had been stolen, but the fifth site wasn’t hacked because its password had been changed after the last use of SmartFTP — so the stolen password was not valid by the moment of the hacker attack. This also explains why the rest 45 sites were not hacked — their passwords weren’t stolen.

Lesson learned

Not only should you avoid saving passwords in your current FTP client, but also make sure they are not saved in old programs that may still reside on your computer.

Related posts:

BlackHole: defs_colors and createCSS Injections

24 Mar 11   Filed in Website exploits with 1 Comment

This is a review of the malware injection attack that I see quite often lately.

On Safe Browsing diagnostic pages, infected sites usually mention the following domains:

Malicious software is hosted on 4 domain(s), including new-solomon, newsalamandra, banpox

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.

In intermediaries, they usually include chadon .nl, corkit .co, and some IP address.

On infected sites, I found various modification of a script that generally looks like this:
Continue »»

Tweet Week: November 1-7, 2010

08 Nov 10   Filed in Tweet Week with Comments Off on Tweet Week: November 1-7, 2010

Selected short messages and links you might have missed if you don’t follow me on Twitter.

ProFTPD, OpenX, reporting webspam, cross-platform malware … »»

Analysis of Gumblar Zombie URLs

29 Jun 10   Filed in General, Website exploits with 3 Comments

As you might know, I maintain and regularly update a list of Gumblar zombie URLs. The main reason why I do it is to help webmasters of compromised sites find relevant information about the source of their problems and the steps required to clean up and secure their sites. I see this pattern quite often, when webmasters find a suspicious script in their web pages and use it in Google searches to find more information about it. On the other hand, this list can also help reveal the security breach of sites that hackers use to host Gumblar zombie scripts.

This week the list has reached the level of 1,000+ URLs. Although it’s just a small part of all Gumblar zombie scripts, this list makes a good base for a quick analysis of Gumblar zombie URLs.
Continue »»

Malware on Hijacked Subdomains. Part 2.

17 Jun 10   Filed in Website exploits with 11 Comments

About a month ago I wrote about a hacker attack that used hijacked subdomains of legitimate websites to serve malware (fake anti-virus software) off of them. Most likely cyber criminals used a phishing attack to steal credentials of GoDaddy’s domain management control panel and created rogue DNS records for some subdomains to make them point to hacker-controlled servers.

In that article I wondered if that was a new trend (usage of virtually free hijacked subdomains) or just temporary approach that wouldn’t be used anywhere else. Well, this week I came across a different malware attack that also uses hijacked subdomains of legitimate websites.
Continue »»