msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

More About the Rogue Image Blogs on Servage Network…

04 May 10   Filed in Website exploits with 2 Comments

This is the fifth article in the series about rogue blogs created by hackers inside legitimate websites of Servage clients. Millions of malicious web pages has seriously poisoned Google search results, redirecting visitors to scareware sites. You might want to read the previous posts first:

In this post, I’ll describe how the new generation of rogue blogs works.
Continue »»

Tweet Week: April 26 – May 2, 2010

02 May 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Reviews of security tools, web spam and poisoned Image search results »»

Hackers Abuse Servage Hosting to Poison Google Image Search

28 Apr 10   Filed in Website exploits with 5 Comments

Two weeks ago I blogged about serious security problems of Network Solutions‘ shared hosting service. This time I’ll turn to another big shared hosting provider – Servage.

It’s not the first time I write about Servage. Actually this will be the 4th article in the series about rogue blogs on Servage network. It all started in November when I wrote about malicious blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. In the second article, I showed the history of those rogue blogs (the first generation have dates in April of 2009) and how most of them (90%+) were found on Servage network. In the third article, I wrote about the internals of those rogue blogs and their malicious features.

A few days ago I found a new generation of rogue blogs on Servage network.
Here are the details …

Internals of Rogue Blogs

17 Mar 10   Filed in Website exploits with 4 Comments

Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. This hack mainly affected sites hosted on Servage network.

Recently I’ve been contacted by one of Servage clients who found his sites hacked:

I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.

He sent me the offending files he found under his account (thanks Matthew). Now I can share my analysis of the files with you.
Continue »»

Tweet Week: Feb 15-21, 2010

21 Feb 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Gumblar zombies, StopBadware reports, WordPress updates … »»

Rogue blogs redirect search traffic to bogus AV sites. Part 2.

27 Nov 09   Filed in Website exploits with 5 Comments

This is the second part of the post about rogue blogs installed into subdirectories of hacked legitimate websites. The first part talked about how those blogs redirect search engine traffic to scareware sites. In this part I will talk about the whole black hat campaign, its evolution and its strange connection with Servage hosting provider.

Generations of rogue blogs

In the Cyveillance blog, they mentioned two types of rogue blogs with “bsblog” and “bmsblog” strings in the URLs. Having played with Google searches, I discovered some more versions:

So what do those strings mean? A quick analysis of the blogs’ content suggests that “blog“, “bmblog”, “bsblog“, “bmsblog” and “mdblog” strings in blog addresses correspond to different generations of this black hat campaign.
Here is the timeline »»