When Michael VanDeMar mentioned the malicious “googlesafebrowsing .com” domain, I decided to check how exactly it was used in malware attacks. It’s quite a popular trick to mimic Google’s own domains to make malicious code look legitimate. I have a “collection” of several dozen misspelled Google Analytics domains alone that were used for malware distribution. In this case, the domain name was made up rather than misspelled. It refers to Google’s Safe Browsing project and its diagnostic pages, which actually use the google.com domain (as do most other Google services).
This is a review of the malware injection attack that I see quite often lately.
On Safe Browsing diagnostic pages, infected sites usually mention the following domains:
Malicious software is hosted on 4 domain(s), including new-solomon .cz.cc/, newsalamandra .cz.cc/, banpox .cz.cc/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.
As intermediaries, they usually list chadon .nl, corkit .co, tongho.co.th and some IP address.
On infected sites, I found various modifications of a script that generally looks like this:
EMI Music is one of the world’s leading music companies with many successful record labels and signed popular artists that include The Beatles, Depeche Mode, Gorillaz, Iron Maiden, Kylie Minogue, Pink Floyd, Queen, Snoop Dogg and many more. They have their own web hosting subsidiary EMIHosting.com that provides web space for EMI’s websites and many official websites of EMI artists.
At the beginning of this September, EMIHosting.com was attacked by hackers. As a result, more than a hundred websites on a server with the IP address 195 .225 .83 .57 have been infected with a malicious iframe. Google’s diagnostic page for AS34401 (EMIMUSICGROUP) says:
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Nov 2, 2009
Mal/Iframe-N: Another winning infection? – Sophos on malicious iframes (with references to my blog posts)
Nov 3, 2009
[link:cantonbecker.com] How to search for ‘backdoors’ in a hacked WordPress site
Nov 5, 2009
Story about Gumblar breaking WordPress on The New York Times site – based on my latest blog post. Thanks @bobmcmillan
[link:h-online.com] new security patches for Java and Shockwave Player
Nov 6, 2009
SCMagazine mentions my blog in their article “Gumblar site infections return, WordPress among affected”
Found an AdSense ad that offers to download a pirated version of Avast Pro (probably infected). Reported it to Google. (lifeplain .com is a scam)
If you want more real-time experience, you can follow @unmaskparasites on Twitter.