Tweet Week: May 31 – June 6, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Adobe and Java vulnerabilities, hotlinking, file permissions, $100 million scareware case etc. »»
Spammy Links From Remote Servers
Hidden spammy links injected into web pages on legitimate websites is quite a widespread type of hacker attacks. These parasites try to suck all the “PageRank juice” out of any website they manage to break into and put their shady web pages high in search results.
There are many ways hackers can inject links. They can insert them as plain HTML (will work on most sites) or as an encrypted PHP code (the files should be processed as PHP). Hackers can even use SQL injection on database-driven sites that don’t properly sanitize user input.
Decoupling code from data
Sometimes hackers decouple code from data and inject only some PHP instructions that load spammy links from a standalone file. This makes the construction more flexible since they can simply change the content of that single file whenever they decide to promote a new set of links – no need to update every infected file on a site.
In this post, I’ll show a even more clever way of decoupling code from data.
Continue »»
Internals of Rogue Blogs
Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. This hack mainly affected sites hosted on Servage network.
Recently I’ve been contacted by one of Servage clients who found his sites hacked:
I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.
He sent me the offending files he found under his account (thanks Matthew). Now I can share my analysis of the files with you.
Continue »»
Tweet Week: March 1-7, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Google notifications, security patches, malicious PHP code … »»
Tweet Week: Feb 1-7, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
.htaccess hack, attack against PHP sites, IE vulnerability, … »»
Rogue blogs redirect search traffic to bogus AV sites. Part 1.
As I tweeted a few days ago, I gathered a lot of interesting information about this case. So to make the post readable, I’ve broken it down into two parts. The first part is about how rogue blogs work, and the second part is about different generations of this black hat campaign and about the connection with Servage hosting provider.
A few days ago, I stumbled upon a great post where guys from Cyveillance blog wrote about a massive Google search results poisoning. Well worth reading.
Here is a brief summary of their post followed by my own findings »»
Gumblar Breaks WordPress blogs and other complex PHP sites
Not only iframe infections can corrupt websites. It appears that the current version of Gumbar effectively breaks WordPress blogs.
Here’s the story »»
Revenge of Gumblar Zombies
Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to completely get rid of. It infected various types of files and created backdoor scripts in inconspicuous places of websites so that hackers could easily restore the malicious content.
The gumblar .cn site (and its immediate successor martuz .cn) had been promptly shut down. As a result,the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find the way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.
Continue »»
“Cheap Vista” or Cloaked Spam on High-Profile Sites
In this post, I’ll show how cybercriminals used hacked high-profile sites to drive search traffic to online stores that sell pirated copies of popular software and, presumably, steal credit card details.
I’ve been watching this sort of search spam for more than a year now. And after this post in Google’s Webmaster Help forum, I decided to take a closer look at this this problem.
Continue »»
Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.
I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.
I discovered this attack when checked Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script so I decided to investigate this issue. The investigation is not complete yet but I think the information I’ve already collected will be useful for owners of compromised web sites. And I hope the missing parts will be added by you, the readers. Update ( July 27, 2009) : the comments are really very informative. make sure to read them.
Continue »»
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
