
What’s in your wp-head?

11 Jul 12   Filed in Website exploits with 6 Comments

I first came across this attack in late May of 2012. It had quite a recognizable and frequently updated type of malicious JavaScript code injected in the <head> section of WordPress blogs, and the iframe URLs generated by this script always ended with top2.html (now rem2.html).

It was a massive infection and many webmasters asked me to help them clean up their sites. I told them how to search for various patterns of malicious files and asked them to provide me with access logs and samples of the malicious code they found on their servers.

At first the hack looked quite mysterious:

  • Webmasters sent me many backdoor files but none of them contained the malicious code I saw in infected web pages.
  • In theme files, the <head> section didn’t contain any malicious code at all.
  • While access logs showed some successful TimThumb attacks, I didn’t see requests to backdoors that updated the malicious code injected into the <head> section (and that code somehow changed every day).
  • And the script injection was quite hard to track since it would usually disappear after the first check. You couldn’t tell whether webmasters really cleaned their sites up or the malware was simply hiding from you.

The mystery was solved when I got access to one of the infected sites.

Runforestrun and Pseudo Random Domains

22 Jun 12   Filed in Short Attack Reviews with 94 Comments

Today I came across an interesting attack that injects malicious scripts at the very bottom of existing .js files.

Update: at the bottom of this post you’ll find information about how a security hole in Plesk Panel was used to infect websites. Comments are also worth reading.

Update (July 26, 2012): The attack has changed both the injected script and the domain generating algorithm. See details in my follow-up article. Information about the Plesk security issues can still be found in the current post and comments.

The script (surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments) looks like this:

[image: the injected script, wrapped in the /*km0ae9gr6m*/ … /*qhk6sa6g1c*/ comments]

Full source code can be found here

On Google diagnostic pages of infected sites you will currently see something like this:

Malicious software is hosted on 2 domain(s), including ctonxidjqijsnzny .ru/, znycugibimtvplve .ru/.

I say “currently”, because the most interesting thing about this script is the built-in domain name generator.

Tweet Week: November 1-7, 2010

08 Nov 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

ProFTPD, OpenX, reporting webspam, cross-platform malware …

Tweet Week: Dec 28, 2009 – Jan 3, 2010

03 Jan 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Dec 28, 2009

LeaseWeb seems to have removed malicious servers from its network after my blog post about the “GNU GPL” scripts. (OVH still hosts hackers)

Dec 30, 2009

Good Guys Bring Down the Mega-D Botnet – respect @FireEye !

Jan 2, 2010

Microsoft confirms IIS hole

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.


Evict Hackers

30 Dec 09   Filed in General with 1 Comment

Last week, I wrote about the latest mutation of the website hack that has been active (mostly in the form of iframe injection) throughout this year. I mentioned that for some reason all malicious domain names had been mapped to IP addresses on LeaseWeb and OVH networks. Moreover, LeaseWeb hosted a central site mdvhost .com (hidden behind reverse-proxies) for at least 3 months.
LeaseWeb reaction

Tweet Week: Dec 21-27, 2009

28 Dec 09   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Dec 23, 2009

Christmas theme: who-is-santa-2010 (dot) com – domain name of one scareware site

Dec 24, 2009

Response to my blog post from LeaseWeb

Dec 25, 2009

Sophos on the “GNU GPL” malicious script (Troj/JSRedir-AK)

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.


From Hidden Iframes to Obfuscated Scripts

23 Dec 09   Filed in Website exploits with 52 Comments

In December, I noticed that ubiquitous hidden iframes that have been the prevailing site hack this year seemed to have gone. Unmask Parasites finds them on very few sites now. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time I noticed a new type of obfuscated scripts injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.