msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Rotating Iframe URLs – One a Minute

11 May 13   Filed in Website exploits with 2 Comments

Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked site individually. All the URLs had the same format http://<domain-of-a-hacked -site.com>/news/faults-ending.php. For example, hxxp://brewerstire .com/news/faults-ending.php .

This reminded me of another ongoing attack that also rotates iframe URLs in a similar way. However it has some distinguishing features that make it worth it to describe it separately.
Continue »»

Lorem Ipsum and Twitter Trends in Malware

26 Jan 12   Filed in Website exploits with 5 Comments

A couple of years ago I wrote about malware attacks that used Twitter API to generate domain names for their malicious sites using trending topics as keys in the domain generating algorithm.

  • Each domain was in use for a few hours only
  • The next domain names would become available just a few hours before the malicious scripts on hacked sites begin to use them.

Since 2009, I’ve seen many revisions of that attack. It has never been the most prevalent issue but as far as I can tell it constantly evolves and mutates. The recent update of the malicious script injected by this attack looked quite interesting and I decided to find out what has changed since late 2009.
Continue »»

Tweet Week: July 12-18, 2010

18 Jul 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

nginx as reverse proxy, WP redirects on MediaTemple, Image search spam … »»

Evict Hackers

30 Dec 09   Filed in General with 1 Comment

Last week, I wrote about the latest mutation of the website hack that has been active (mostly in form of iframe injection) throughout this year. I mentioned that for some reason all malicious domain names had been mapped to IP addresses on LeaseWeb and OVH networks. Moreover, LeaseWeb hosted a central site mdvhost .com (hidden behind reverse-proxies) for at least 3 months.
LeaseWeb reaction »»

Dynamic DNS and Botnet of Zombie Web Servers

11 Sep 09   Filed in Website exploits with 44 Comments

It’s always interesting to watch how malware attacks evolve over time.

Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among “leaders”.

  • They started with gambling-related .cn domains (like cheapslotplay .cn).
  • They introduced several new domains names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
  • They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
  • They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
  • In the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
  • And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.

Here are the details »»