msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Two Tweet Weeks: August 8-21, 2011

22 Aug 11   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

TimThumb attacks, program for responsible hosting providers, analyses of black hat SEO campaigns, osCommerce tips, 4 years of Safe Browsing data »»

Two Tweet Weeks: July 25 – August 7, 2011

08 Aug 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Crisis in Fake AV industry, story about incompetent security auditor, zero-day in WordPress themes, osCommerce hack, and many more »»

Update on redef_colors/createCSS attack: PHP code, Backdoors and osCommerce.

07 Apr 11   Filed in Website exploits with 4 Comments

A few days ago, I blogged about the hacker attack that used the BlackHole toolkit and injected “createRSS” and “defs_colors” malicious scripts into legitimate websites. I’ve worked with a few webmasters of infected sites since then and now have some important additional information that I want to share here.
Continue »»

Versatile .CC Attacks

02 Mar 11   Filed in Website exploits with 28 Comments

A few days ago I tweeted that “this year the most popular TLD for malicious sites is .CC“. I conducted some research on the most prevalent attacks that use the .CC TLD and now want to elaborate on what is going on.
Continue »»

Two Tweet Weeks: January 3 – January 16, 2011

18 Jan 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Black-hat SEO campaigns, PDF dangers, etc.. »»

Another Update on the osCommerce .htaccess Hack

18 Jan 11   Filed in Website exploits with 2 Comments

The osCommerce .htaccess hack that I wrote about here and here is still quite prevalent.

Some webmasters have problems locating the rogue .htaccess files so I decided to address this issue again.
Continue (some new facts included) »»

Tweet Week: November 15-21, 2010

22 Nov 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

StopBadware’s new initiative, Adobe Reader X, osCommerce under attack, … »»

Update on Htaccess Redirects of osCommerce Sites

19 Nov 10   Filed in Short Attack Reviews with 7 Comments

This is just a short update on the .htaccess redirect attack that I wrote about last month.

I can still see many sites (mainly osCommerce-powered) that redirect search traffic to malicious sites. However, the pattern of the redirect URLs has changed.
continue »»

Htaccess Redirect to Example.ru/dir/index.php

14 Oct 10   Filed in Website exploits with 8 Comments

Having read the Sucuri’s article about the kirm-sky .ru attack, I decided to complement it with my own information.

I started to track this website infection back in April. It has been active all these months.
Continue »»

Bety.php Hack. Part 2. Black Hats in Action.

26 Jan 10   Filed in Website exploits with 3 Comments

This is the second article about the hacker attack against osCommerce-powered sites. In the first part, you can find the description of the attack along with detection and clean-up instructions. Now I want to show you what exactly hackers did and how they managed to poison Google search results.

The main goal is to demystify hackers and encourage webmasters to explore their own sites. The more you know about hackers, the better you’ll be at protecting your site against their attacks.

This post is based on the files and access logs of three compromised sites that I received from a webmaster who contacted me a couple of weeks ago.

Quick facts

  1. The attack uses unpatched vulnerability in osCommerce 2.2 that allows an attacker to upload arbitrary files to compromised servers using a security hole in file_manager.php.
  2. Only one of the three sites actually uses osCommerse (site-1).The rest two sites had been hacked using access gained via the hacked site-1.

Chronicle of the attack »»