msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Rotating Iframe URLs – One a Minute

11 May 13   Filed in Website exploits with 2 Comments

Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked site individually. All the URLs had the same format http://<domain-of-a-hacked -site.com>/news/faults-ending.php. For example, hxxp://brewerstire .com/news/faults-ending.php .

This reminded me of another ongoing attack that also rotates iframe URLs in a similar way. However it has some distinguishing features that make it worth it to describe it separately.
Continue »»

Malware Piggybacks on Automatic WordPress Updates

02 May 12   Filed in Website exploits with 5 Comments

Most WordPress bloggers know the “Always keep your WordPress blog up-to-date” mantra. To make upgrades painless, WordPress developers introduced the “Automatic Update” features in version 2.7. A blog admin only needs to visit the “Update WordPress” page (Tools -> Update) and click on the “Update Automatically” button. That’s it! Easy!

Sometimes I see how webmasters misinterpret the importance of upgrades for WordPress security. They expect that if they upgrade a hacked blog, it will immediately become clean and secure. Unfortunately it doesn’t work this way. Upgrades can only clean core WordPress files, leaving backdoors, infected themes, plugins and database records intact. That’s why it is important to clean up your site before the upgrade.

Moreover, a few days ago I came across a new massive infection (more than 1,000 currently known infected blogs) that hijacks the “Automatic Update” feature and makes it the event that triggers blog re-infection.
Continue »»

Why Does Google Consider Some Images Malicious?

18 Nov 11   Filed in Tips and Tricks with 2 Comments

The other day I received an email from a webmaster whose site was blacklisted by Google. In Webmaster Tools, he found the following example of a malicious code detected on his site (domain changed):

<img src="http://example .net/images/logos/rssicon.png" />

So why did Google think this image tag was malicious? Can images be malicious? After all they are not scripts, iframes or embedded executable objects that that hackers use to attack web surfers.
Continue »»

Following the Black Hat SEO Traces

14 Aug 11   Filed in Tips and Tricks, Website exploits with 6 Comments

This is a follow up to my last week’s post about hacked WordPress blogs and poisoned Google Images search results. Cyber-criminals infiltrated 4,000+ self-hosted WP blogs and created doorway pages that would redirect visitors coming from Google Images search to scareware sites. A few days ago I posted a short update to let you know that Google has removed the doorway pages from its index. I also promised to share some new interesting details about that black hat SEO campaign. So here we go!
Continue »»

Ciscotred .cz .cc – Joomla Hack

08 Aug 11   Filed in Short Attack Reviews with 5 Comments

During the last few days I’ve noticed an increased number of websites that redirect search traffic to ciscotred .cz .cc. The typical Unmask Parasites report looks like this:

ciscotred .cz.cc redirect detected

Continue »»

Hacked WordPress Blogs Poison Google Images

05 Aug 11   Filed in Website exploits with 12 Comments

After a series of posts about Google Image poisoning campaigns that used hot-linked images a main trick to get top positions in search results, I’d like to describe a different Google Image poisoning attack that affects WordPress blogs and uses self-hosted images.
Continue »»

Google Image Poisoning. What’s New in June?

29 Jun 11   Filed in Website exploits with 3 Comments

This is the second (more techie) part in the series of posts about a new wave of the Google Image poisoning attack. This part will heavily refer to the detailed description of the attack that I made back in May. Most of the aspects are still true so I will only talk about changes here. If you want to have a complete picture, I suggest that you read the original description first.

Changed doorway behavior

After May 18th, I noticed that doorway pages no longer redirected me anywhere when I clicked on poisoned search results. Neither to bad sites nor to home pages of compromised sites. Instead they displayed the spammy content generated for search engine crawlers only.

That was strange. That could never happen if the old algorithm was still in use.

Then I checked the cache directories (./.log/compromiseddomain.com/) and found new maintenance files there: don.txt and xml.txt. The don.txt file contained HTML template of spammy pages and was a replacement for the shab100500.txt file used by the original algorithm. The xml.txt contained the following string: bG92ZS1ibG9nY29tLm5ldA==, which decoded (base64) to “love-blogcom.net“. It was clear it was a more secure replacement for xmlrpc.txt that stored the domain name of a remote malicious server in plain text.

A few days later, the xml.txt files was replaced by xml.cgi, which was a clever step since .cgi files produce server errors when you try to open them in directories that aren’t configured to execute CGI scripts.

So I knew that the doorway script was updated, but I couldn’t understand why the doorways exhibited no malicious behavior when I clicked on hijacked image search results. That didn’t make much sense. What was the purpose of showing those spammy unintelligible pages without trying to monetize the traffic? The only plausible idea was they were playing the “long game” and needed some time to have the new pages rank well without risks of being identified as cloaked or malicious content, and when many pages reach prominent positions in search results they’ll start redirect web searchers to bad sites. Well, that was a working hypothesis until I got the source code of the new doorway script. The reality is crooks don’t want to play “long games” if they can monetize right away – the new doorway pages did redirect to bad site but my virtual environment wasn’t properly configured to trigger the redirects.
Continue – Dissecting the updated Google Image poisoning attack »»

Thousands of Hacked Sites Seriously Poison Google Image Search Results

05 May 11   Filed in Website exploits with 47 Comments

This investigation began a few weeks ago, when I came across the following two threads in website security forums:

[badwarebusters.org] Lately I have been seeing a huge increase in the number of hacked sites appearing on google image search results that redirect to a fake Av scanner. more »»

[Google Webmaster Help] google image search results often has multiple infected / malware sites on the first SERP page. more »»

This is a well known problem. I blogged about such SEO poisoning attacks several times here. This time I decided to check what’s behind the reported increase in malicious image search results.
Continue »»

Major Disasters in Poisoned Search Results

14 Mar 11   Filed in Website exploits with 4 Comments

Only a few hours after the Friday’s 8.9 earthquake and the consequent tsunami hit Japan, security researchers noticed many poisoned Google search results for this news related searches that redirected web surfers to fake antivirus sites.

This situation nothing new. We’ve seen similarly poisoned search results for Haitian earthquake a year ago, for the recent New Zealand’s earthquake, for last year’s floods in Pakistan, etc.

Many people use search engines to find details about breaking news such as natural disasters, catastrophes, accidents, etc. Such hardly predictable events, have literally zero relevant results before they happen, so during the first few hours after the event almost any site with relevant information have good chances to rank high on Google. This short window when competition is quite light is all cyber-criminal need to have a steady traffic to their breaking new related doorway pages. Then, when every news site and blog add their 2 cents and there are plenty resources about those hot topics, only most reputable and most relevant web pages make it to the top of search results.

I decided to check the poisoned search results and here’s what I found:
Continue »»

Another Update on the osCommerce .htaccess Hack

18 Jan 11   Filed in Website exploits with 2 Comments

The osCommerce .htaccess hack that I wrote about here and here is still quite prevalent.

Some webmasters have problems locating the rogue .htaccess files so I decided to address this issue again.
Continue (some new facts included) »»