msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Millions of Website Passwords Stored in Plain Text in Plesk Panel

26 Jun 12   Filed in General, Hosting+Security with 16 Comments

After the theft of LinkedIn user database, there was a lot of buzz about how unthoughtful it was to store passwords as unsalted SHA-1 hashes.

What can be even worse is storing user passwords in plain text.

Brian Kreb was recently shocked when his hosting provider sent him his password in plain text. He wrote a post about it and made a conclusion that it is quite a common practice among hosting providers and that “naming and shaming may be the only way to change” it.

But why do hosting providers save passwords in plain text? Maybe because most of them don’t invent anything and just rely on web hosting automation programs?
Continue »»

Weak Passwords and Tainted WordPress Widgets

01 Mar 12   Filed in Website exploits with 4 Comments

A few days ago I investigated a hack where the following script was injected into web pages:

<sc ript src="hxxp://www .copytech .lu/js/java.js"></script>

The script was at the very top of the HTML code and in the middle of the page. It was a WordPress site so I suggested to check the index.php and theme files for the malicious code.

The topmost script was indeed in the theme’s index.php file. But theme files didn’t contain the script that I found in the middle of web pages’ HTML code.
Continue »»

Massive Script Injection (k985ytv)

23 Aug 11   Filed in Short Attack Reviews with 1 Comment

I’d like to point webmasters at a great article on the Armorize blog. It is about a new massive script injection attack that seems to have affected a few thousand websites. In my post, I will summarize the information specifically for webmasters.
Continue »»

Thousands of Hacked Sites Seriously Poison Google Image Search Results

05 May 11   Filed in Website exploits with 47 Comments

This investigation began a few weeks ago, when I came across the following two threads in website security forums:

[badwarebusters.org] Lately I have been seeing a huge increase in the number of hacked sites appearing on google image search results that redirect to a fake Av scanner. more »»

[Google Webmaster Help] google image search results often has multiple infected / malware sites on the first SERP page. more »»

This is a well known problem. I blogged about such SEO poisoning attacks several times here. This time I decided to check what’s behind the reported increase in malicious image search results.
Continue »»

Tweet Week: April 11-17, 2011

18 Apr 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

DMCA, Flash zero day, Avast glitch, imgaaa attack, Qubes OS …

Unused Programs – Real Threats

13 Apr 11   Filed in Tips and Tricks, Website exploits with 1 Comment

Recently, I helped one company to remediate security problems with their four websites. It was quite an usual iframe injection attack. FTP logs clearly showed how attackers used FTP to infect legitimate files on server. So the question was, how could FTP credentials be stolen?

Of course, I pointed them to my blog post where I described how malware stole passwords and all the login details saved in 10 most popular FTP clients (e.g. Filezilla, CuteFTP, Total Commander, etc.). Indeed, recent malware scan revealed two suspicious items on their computer. One of them was identified as “Spyware.Passwords“. The only problem was the site owner said they didn’t use those FTP clients and kept all passwords in KeePass. Moreover, they manages 50 websites and only four of them got infected.

The answer became quite clear when they found an old copy of SmartFTP on their computer. There had been 5 FTP account (including passwords) saved there. Four of them were the four hacked sites! So what about the fifth? No doubt all five site credentials had been stolen, but the fifth site wasn’t hacked because its password had been changed after the last use of SmartFTP — so the stolen password was not valid by the moment of the hacker attack. This also explains why the rest 45 sites were not hacked — their passwords weren’t stolen.

Lesson learned

Not only should you avoid saving passwords in your current FTP client, but also make sure they are not saved in old programs that may still reside on your computer.

Related posts:

Update on redef_colors/createCSS attack: PHP code, Backdoors and osCommerce.

07 Apr 11   Filed in Website exploits with 4 Comments

A few days ago, I blogged about the hacker attack that used the BlackHole toolkit and injected “createRSS” and “defs_colors” malicious scripts into legitimate websites. I’ve worked with a few webmasters of infected sites since then and now have some important additional information that I want to share here.
Continue »»

BlackHole: defs_colors and createCSS Injections

24 Mar 11   Filed in Website exploits with 1 Comment

This is a review of the malware injection attack that I see quite often lately.

On Safe Browsing diagnostic pages, infected sites usually mention the following domains:

Malicious software is hosted on 4 domain(s), including new-solomon .cz.cc/, newsalamandra .cz.cc/, banpox .cz.cc/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.

In intermediaries, they usually include chadon .nl, corkit .co, tongho.co.th and some IP address.

On infected sites, I found various modification of a script that generally looks like this:
Continue »»

Two Tweet Weeks: December 6-19, 2010

20 Dec 10   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

New Google’s warnings for compromised websites, WordPress 3.03, stolen passwords, malicious add, security tips »»

Two Tweet Weeks: October 4 – October 17, 2010

18 Oct 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

BLADE vs drive-by infections, passwords in browsers, Adobe massive update, more alerts for network admins »»