msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Keygenguru .com Hack in Search Results

04 Aug 10   Filed in Website exploits with 1 Comment

Last year I wrote about two elaborate server-wide hacks that hijacked web server (Apache) processes and intermittently served malicious content instead of requested legitimate web pages.

A year later, every now and then I still see servers affected by this sort of hack. I easily recognize recent modification of this attack when I see links to keygenguru .com in Unmask Parasites reports. Those modifications are slightly different from what I described in my goscanpark article. This time not only do the malicious processes serve JavaScript redirect code but also provide some HTML with links to pirated software and movies. This HTML code gets indexed by search engines which helps hackers promote their illegal resources.

Side effect

A side effect of this “black-hat SEO modification” is when people search for domain names of affected sites, they see something like this in search results:
Continue »»

Tweet Week: Oct 5-11, 2009

11 Oct 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Oct 6, 2009

Yet another Beladen/Goscanpark story from a server admin
http://www.linuxquestions.org/questions/linux-security-4/virus-in-a-server-malware-running-randomly-in-all-server-sites.-758806/#post3708050

Story from my blog reader:  60 support tickets and 1,000 screenshots before his hosting provider took action. (His site was hosted on a Goscanpark-infected server)

Oct 8, 2009

Researchers Hijack a Drive-By Botnet – insights from the inside

Oct 9, 2009

I see loads of spammy accounts on CommunityServer-powered sites. Sample Google search: http://www.google.com/search?q=inurl%3Amembers+inurl%3Aaspx+tramadol – they look like hacked

The Cash Factory – All aspects of the iframe-injection attack: spam, trojans, passwords, etc.

Oct 10, 2009

The Malware Warning Review Process – from Google Anti-Malware team

If you want more real-time experience, you can follow @unmaskparasites on Twitter.

Similar posts:

http://www.viruslist.com/en/analysis?pubid=204792083

Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.

23 Jul 09   Filed in Website exploits with 85 Comments

I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.

I discovered this attack when checked Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script so I decided to investigate this issue. The investigation is not complete yet but I think the information I’ve already collected will be useful for owners of compromised web sites. And I hope the missing parts will be added by you, the readers. Update ( July 27, 2009) : the comments are really very informative. make sure to read them.
Continue »»