Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Doorways on Non-default Ports — New Trend in Black Hat SEO?

03 Dec 10   Filed in Website exploits with 12 Comments

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of a real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to online stores of software pirates)

Despite of all my warnings, most of those site are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to step even further in abusing reputation and resources of compromised servers. This post will be about one of such steps.
Continue »»

Update on Htaccess Redirects of osCommerce Sites

19 Nov 10   Filed in Short Attack Reviews with 7 Comments

This is just a short update on the .htaccess redirect attack that I wrote about last month.

I can still see many sites (mainly osCommerce-powered) that redirect search traffic to malicious sites. However, the pattern of the redirect URLs has changed.
continue »»

Htaccess Redirect to

14 Oct 10   Filed in Website exploits with 8 Comments

Having read the Sucuri’s article about the kirm-sky .ru attack, I decided to complement it with my own information.

I started to track this website infection back in April. It has been active all these months.
Continue »»

Hackers Abuse Servage Hosting to Poison Google Image Search

28 Apr 10   Filed in Website exploits with 5 Comments

Two weeks ago I blogged about serious security problems of Network Solutions‘ shared hosting service. This time I’ll turn to another big shared hosting provider – Servage.

It’s not the first time I write about Servage. Actually this will be the 4th article in the series about rogue blogs on Servage network. It all started in November when I wrote about malicious blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. In the second article, I showed the history of those rogue blogs (the first generation have dates in April of 2009) and how most of them (90%+) were found on Servage network. In the third article, I wrote about the internals of those rogue blogs and their malicious features.

A few days ago I found a new generation of rogue blogs on Servage network.
Here are the details …

Bety.php Hack. Part 2. Black Hats in Action.

26 Jan 10   Filed in Website exploits with 3 Comments

This is the second article about the hacker attack against osCommerce-powered sites. In the first part, you can find the description of the attack along with detection and clean-up instructions. Now I want to show you what exactly hackers did and how they managed to poison Google search results.

The main goal is to demystify hackers and encourage webmasters to explore their own sites. The more you know about hackers, the better you’ll be at protecting your site against their attacks.

This post is based on the files and access logs of three compromised sites that I received from a webmaster who contacted me a couple of weeks ago.

Quick facts

  1. The attack uses unpatched vulnerability in osCommerce 2.2 that allows an attacker to upload arbitrary files to compromised servers using a security hole in file_manager.php.
  2. Only one of the three sites actually uses osCommerse (site-1).The rest two sites had been hacked using access gained via the hacked site-1.

Chronicle of the attack »»

Rogue blogs redirect search traffic to bogus AV sites. Part 2.

27 Nov 09   Filed in Website exploits with 5 Comments

This is the second part of the post about rogue blogs installed into subdirectories of hacked legitimate websites. The first part talked about how those blogs redirect search engine traffic to scareware sites. In this part I will talk about the whole black hat campaign, its evolution and its strange connection with Servage hosting provider.

Generations of rogue blogs

In the Cyveillance blog, they mentioned two types of rogue blogs with “bsblog” and “bmsblog” strings in the URLs. Having played with Google searches, I discovered some more versions:

So what do those strings mean? A quick analysis of the blogs’ content suggests that “blog“, “bmblog”, “bsblog“, “bmsblog” and “mdblog” strings in blog addresses correspond to different generations of this black hat campaign.
Here is the timeline »»

Rogue blogs redirect search traffic to bogus AV sites. Part 1.

26 Nov 09   Filed in Website exploits with 8 Comments

As I tweeted a few days ago, I gathered a lot of interesting information about this case. So to make the post readable, I’ve broken it down into two parts. The first part is about how rogue blogs work, and the second part is about different generations of this black hat campaign and about the connection with Servage hosting provider.

A few days ago, I stumbled upon a great post where guys from Cyveillance blog wrote about a massive Google search results poisoning. Well worth reading.
Here is a brief summary of their post followed by my own findings »»

“Cheap Vista” or Cloaked Spam on High-Profile Sites

01 Oct 09   Filed in Website exploits with 12 Comments

In this post, I’ll show how cybercriminals used hacked high-profile sites to drive search traffic to online stores that sell pirated copies of popular software and, presumably, steal credit card details.

I’ve been watching this sort of search spam for more than a year now. And after this post in Google’s Webmaster Help forum, I decided to take a closer look at this this problem.
Continue »»

Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.

23 Jul 09   Filed in Website exploits with 85 Comments

I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.

I discovered this attack when checked Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script so I decided to investigate this issue. The investigation is not complete yet but I think the information I’ve already collected will be useful for owners of compromised web sites. And I hope the missing parts will be added by you, the readers. Update ( July 27, 2009) : the comments are really very informative. make sure to read them.
Continue »»

Using Wget to Detect Hijacked Search Engine Traffic

07 Apr 09   Filed in Tips and Tricks with Comments Off on Using Wget to Detect Hijacked Search Engine Traffic

Some time ago I had a series of post about the .htaccess exploit that redirected search engine traffic to bogus Antivirus sites.

This sort of exploit is still very wide-spread. Many site owners wonder why Google blacklists their sites when their web pages are absolutely benign and sites mentioned on Google’s Safe Browsing Diagnostic pages have absolutely nothing to do with their site’s content.

Here is an excerpt from a typical Safe Browsing Diagnostic page for an affected site:

Malicious software is hosted on 5 domain(s), including best-antimalware-pro-scan .com/, fastantimalwareproscanner .com/, fullantispywareproscan .com/.

4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including module-antispyware .info/, securedradiostation .cn/, great-antispyware .info/.

When I see multiple antivirus-related domain names in the diagnostics, I almost sure the site has a hacked .htaccess file that redirects search engine traffic to scam sites. Still I need to verify my guess.
Continue »»