Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Update on Htaccess Redirects of osCommerce Sites

19 Nov 10   Filed in Short Attack Reviews with 7 Comments

This is just a short update on the .htaccess redirect attack that I wrote about last month.

I can still see many sites (mainly osCommerce-powered) that redirect search traffic to malicious sites. However, the pattern of the redirect URLs has changed.
continue »»

Htaccess Redirect to

14 Oct 10   Filed in Website exploits with 8 Comments

Having read Sucuri’s article about the kirm-sky .ru attack, I decided to complement it with my own information.

I started to track this website infection back in April. It has been active all these months.
Continue »»

Malware on Hijacked Subdomains. New Trend?

22 May 10   Filed in Website exploits with 28 Comments

Yesterday, Patrick (aka Noxwizard, phpBB support team member) pointed me at the new malware attack that surfaced this week (first mentioned on May 16th).

The attack creates/modifies .htaccess files to redirect site visitors that come from major search engines and popular websites (e.g. Twitter, Facebook, Wikipedia, Flickr, eBay, etc.) to scareware sites that aggressively push fake anti-virus software. The redirects also occur if visitors request nonexistent pages or pages that produce server errors.

This .htaccess conditional redirect approach is nothing new. It has been actively exploited by hackers for at least a couple of years (and Unmask Parasites does a good job of detecting such redirects). And while the .htaccess code in this particular case has some new features (maybe more about it next time), it isn’t the most interesting thing about this attack.
Continue »»

Tweet Week: Feb 1-7, 2010

07 Feb 10   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

.htaccess hack, attack against PHP sites, IE vulnerability, … »»

Using Wget to Detect Hijacked Search Engine Traffic

07 Apr 09   Filed in Tips and Tricks with Comments Off

Some time ago I had a series of posts about the .htaccess exploit that redirected search engine traffic to bogus Antivirus sites.

This sort of exploit is still very widespread. Many site owners wonder why Google blacklists their sites when their web pages are absolutely benign and sites mentioned on Google’s Safe Browsing Diagnostic pages have absolutely nothing to do with their site’s content.

Here is an excerpt from a typical Safe Browsing Diagnostic page for an affected site:

Malicious software is hosted on 5 domain(s), including best-antimalware-pro-scan .com/, fastantimalwareproscanner .com/, fullantispywareproscan .com/.

4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including module-antispyware .info/, securedradiostation .cn/, great-antispyware .info/.

When I see multiple antivirus-related domain names in the diagnostics, I am almost sure the site has a hacked .htaccess file that redirects search engine traffic to scam sites. Still, I need to verify my guess.
Continue »»

Antivirus 360 redirection exploit

19 Dec 08   Filed in Website exploits with 3 Comments

This is a new post in the series about the Antivirus 2009 .htaccess exploit. I want to share some new information on the topic.

Continue »»

Unmasking the Antivirus 2009 .htaccess Exploit.

08 Dec 08   Filed in Website exploits with 16 Comments

In the previous post I described the symptoms of the Antivirus 2009 .htaccess exploit, how to detect it and get rid of it.

This time I’m going to further unmask this exploit and show how it works.

Continue »»

Bogus Antivirus 2009 .htaccess Exploit.

05 Dec 08   Filed in Website exploits with 22 Comments


Let’s start with the most “popular” exploit of the last week.

I’ve seen dozens of messages all over the web (WordPress forums, StopBadware discussion group, etc.) regarding compromised web sites and why Google blocked them. When I checked them with Unmask Parasites, their reports looked pretty much the same: no title and a chain of four redirects. All those sites were hit by the bogus Antivirus 2009 .htaccess exploit.


  1. Abrupt decrease of search engine traffic. Almost to zero. – always
  2. People complain that when they visit your site, it says their computer is infected with spyware and forces them to install Antivirus 2009, but when you open the site yourself, you don’t see anything suspicious. – if your site visitors care enough to complain
  3. Warnings in Google search results that visiting your site may harm a computer. – only if Google has already detected the exploit. This may be a sign of some other exploit as well.
  4. Firefox 3 and Google Chrome browsers wouldn’t let anyone visit your site and warn web surfers that your site is an “attack site”. – only if Google (Firefox uses Google’s base) has already detected the exploit. This may be a sign of some other exploit as well.

Continue »»