Thousands of Hacked Sites Seriously Poison Google Image Search Results
This investigation began a few weeks ago, when I came across the following two threads in website security forums:
[badwarebusters.org] Lately I have been seeing a huge increase in the number of hacked sites appearing on google image search results that redirect to a fake Av scanner. more »»
[Google Webmaster Help] google image search results often has multiple infected / malware sites on the first SERP page. more »»
This is a well known problem. I blogged about such SEO poisoning attacks several times here. This time I decided to check what’s behind the reported increase in malicious image search results.
Continue »»
Update on redef_colors/createCSS attack: PHP code, Backdoors and osCommerce.
A few days ago, I blogged about the hacker attack that used the BlackHole toolkit and injected “createRSS” and “defs_colors” malicious scripts into legitimate websites. I’ve worked with a few webmasters of infected sites since then and now have some important additional information that I want to share here.
Continue »»
Another Update on the osCommerce .htaccess Hack
The osCommerce .htaccess hack that I wrote about here and here is still quite prevalent.
Some webmasters have problems locating the rogue .htaccess files so I decided to address this issue again.
Continue (some new facts included) »»
Tweet Week: May 31 – June 6, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Adobe and Java vulnerabilities, hotlinking, file permissions, $100 million scareware case etc. »»
Spammy Links From Remote Servers
Hidden spammy links injected into web pages on legitimate websites is quite a widespread type of hacker attacks. These parasites try to suck all the “PageRank juice” out of any website they manage to break into and put their shady web pages high in search results.
There are many ways hackers can inject links. They can insert them as plain HTML (will work on most sites) or as an encrypted PHP code (the files should be processed as PHP). Hackers can even use SQL injection on database-driven sites that don’t properly sanitize user input.
Decoupling code from data
Sometimes hackers decouple code from data and inject only some PHP instructions that load spammy links from a standalone file. This makes the construction more flexible since they can simply change the content of that single file whenever they decide to promote a new set of links – no need to update every infected file on a site.
In this post, I’ll show a even more clever way of decoupling code from data.
Continue »»
Internals of Rogue Blogs
Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. This hack mainly affected sites hosted on Servage network.
Recently I’ve been contacted by one of Servage clients who found his sites hacked:
I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.
He sent me the offending files he found under his account (thanks Matthew). Now I can share my analysis of the files with you.
Continue »»
Tweet Week: March 1-7, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Google notifications, security patches, malicious PHP code … »»
Tweet Week: Feb 1-7, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
.htaccess hack, attack against PHP sites, IE vulnerability, … »»
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
