msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Reporting Suspicious Styles

22 Nov 13   Filed in Unmask Parasites with 0 Comments

Back in 2008, the very first task that I created Unmask Parasites for was scanning web pages for hidden links.

I read an article about thousands of WordPress blogs being stuffed with dozens of invisible spammy links. I had a self-hosted WordPress blog too and that article made me think if there was some easy way to figure out whether my blog was hacked, something less laborious than manually examining the HTML code link by link. So I decided to create a tool that would show all domains that my web pages linked to highlighting those of them that had “invisible” styles. This approach has proved to be very efficient in identifying black hat SEO hacks. In most cases, a glance is enough to spot such problems.
Continue »»

Analyzing [Buy Cialis] Search Results

21 Aug 13   Filed in General with 2 Comments

A few days ago I was updating the spammy word highlighting functionality in Unmask Parasites results and needed to test the changes on real websites. To find hacked websites with spammy content I would normally google for [viagra] or [cialis], which are arguably the most targeted keywords used in black hat SEO hacks. However after the Google’s June update in how they rank web pages for spammy queries, I didn’t have much expectation of seeing hacked sites on the first page of search results for my usual [buy cialis] query and was ready to check a few more pages.
Continue »»

Cloaking: Think Outside of [Your] Box

11 Mar 13   Filed in Website exploits with 3 Comments

Cloaking in SEO is defined as a technique in which the content presented to the search engine spider is different from that presented to the user’s browser (Wikipedia). But in case of hacked sites, cloaking is more tricky than just different content for search engines and for real users. It can also be different content for different types of users. Moreover, the internal implementation is usually hidden (cloaked) from webmasters of compromised sites.

This post will be about one of such site hacks that involved SEO cloaking and used quite an interesting trick to alter page content.
Continue »»

/tmp/wp_inc or Not Your Typical WordPress Attack

09 Nov 11   Filed in Website exploits with 21 Comments

This post will provide a very detailed and rather technical description of the latest massive WordPress hack. I find it interesting in many ways. Mainly because it’s so atypical.

If you don’t have time to read the whole article, you can head directly to the short description of the attack and then to the Summary section where I talk about what’s new, strange and uncommon in this attack. Or if you are a webmaster of a hacked blog, go to the “To Webmasters” section – it will help you resolve the problem.
Continue »»

Following the Black Hat SEO Traces

14 Aug 11   Filed in Tips and Tricks, Website exploits with 6 Comments

This is a follow up to my last week’s post about hacked WordPress blogs and poisoned Google Images search results. Cyber-criminals infiltrated 4,000+ self-hosted WP blogs and created doorway pages that would redirect visitors coming from Google Images search to scareware sites. A few days ago I posted a short update to let you know that Google has removed the doorway pages from its index. I also promised to share some new interesting details about that black hat SEO campaign. So here we go!
Continue »»

Doorways on Non-default Ports — New Trend in Black Hat SEO?

03 Dec 10   Filed in Website exploits with 12 Comments

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of a real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to online stores of software pirates)

Despite of all my warnings, most of those site are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to step even further in abusing reputation and resources of compromised servers. This post will be about one of such steps.
Continue »»

Network Solutions and WordPress Security Flaw

11 Apr 10   Filed in Website exploits with 48 Comments

I first noticed this hidden iframe from hxxp://networkads .net/ grep/ on April 7. It instantly drew my attention with these weird “iframe_style” scripts in Unmask Parasites reports (I even thought it was a bug in Unmask Parasites, but when I checked the infected site, I found those scripts there).

weird scripts

However it was a single incident and I didn’t see any obvious pattern back then. Two days later, when I noticed David’s (Sucuri Security) article about this very issue and the follow-up by Brian Krebs, I decided to take a closer look at it. What I found is quite interesting and raises a few serious questions about security of websites on shared servers.
Continue »»

Spammy Links From Remote Servers

07 Apr 10   Filed in Website exploits with 2 Comments

Hidden spammy links injected into web pages on legitimate websites is quite a widespread type of hacker attacks. These parasites try to suck all the “PageRank juice” out of any website they manage to break into and put their shady web pages high in search results.

There are many ways hackers can inject links. They can insert them as plain HTML (will work on most sites) or as an encrypted PHP code (the files should be processed as PHP). Hackers can even use SQL injection on database-driven sites that don’t properly sanitize user input.

Decoupling code from data

Sometimes hackers decouple code from data and inject only some PHP instructions that load spammy links from a standalone file. This makes the construction more flexible since they can simply change the content of that single file whenever they decide to promote a new set of links – no need to update every infected file on a site.

In this post, I’ll show a even more clever way of decoupling code from data.
Continue »»

Tweet Week: March 8-14, 2010

14 Mar 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Security discussions, hidden links in WordPress, new vulnerabilities, StopBadware wants bad URLs, etc. … »»

Security Lesson From a Kenyan Marathon Runner

30 Jun 09   Filed in General with Comments Off

If you have a site/blog but you are not a techie and don’t know much about website security, you might want to read this article written by a Kenyan marathon runner about how his blog was hacked.

He received an email from Google saying that his site had been temporarily removed from search index because it contained hidden spam links and thus violated Google’s guidelines.
Continue »»