msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

What’s in your wp-head?

11 Jul 12   Filed in Website exploits with 6 Comments

I first came across this attack in late May of 2012. It had quite a recognizable and frequently updated type of malicious JavaScript code injected in the <head> section of WordPress blogs and iframe URLs generated by this script always ended with top2.html (now rem2.html)

It was a massive infection and many webmasters asked me to help them clean up their sites. I told them how to search for various pattern of malicious files and asked them to provide me with access logs and samples of the malicious code they found on their servers.

At first the hack looked quite mysterious:

  • Webmasters sent me many backdoor files but none of them contained the malicious code I saw in infected web pages.
  • In theme files, the <head> section didn’t contain any malicious code at all.
  • While access logs showed some successful TimThumb attacks, I didn’t see requests to backdoors that updated the malicious code injected into the <head> section (and that code somehow changed every day).
  • And the script injection was quite hard to track since it would usually disappear after the first check. You couldn’t tell whether webmasters really cleaned their sites up or the malware was simply hiding from you.

The mystery was solved when I got access to one of the infected sites.
Continue »»

/tmp/wp_inc or Not Your Typical WordPress Attack

09 Nov 11   Filed in Website exploits with 21 Comments

This post will provide a very detailed and rather technical description of the latest massive WordPress hack. I find it interesting in many ways. Mainly because it’s so atypical.

If you don’t have time to read the whole article, you can head directly to the short description of the attack and then to the Summary section where I talk about what’s new, strange and uncommon in this attack. Or if you are a webmaster of a hacked blog, go to the “To Webmasters” section – it will help you resolve the problem.
Continue »»

Tweet Week: August 22-28, 2011

29 Aug 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

TimThumb attacks, We Stop Badware Host program, blog scrapers, Apache DOS and workaround »»

Hackers target unpatched WooFramework

24 Aug 11   Filed in Short Attack Reviews with 9 Comments

When Michael VanDeMar mentioned the malicious “googlesafebrowsing .com” domain, I decided to check how exactly it was used in malware attacks. It’s quite a popular trick to mimic Google’s own domains to make malicious code look legitimate. I have a “collection” of several dozens on misspelled Google Analytics domains alone that were used for malware distribution. In this case, the domain name was made up rather than misspelled. It referres to Google’s Safe Browsing project and their diagnostic pages that actually use the google.com domain (as most other Google’s services).
Continue »»

Two Tweet Weeks: July 25 – August 7, 2011

08 Aug 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Crisis in Fake AV industry, story about incompetent security auditor, zero-day in WordPress themes, osCommerce hack, and many more »»

Hacked WordPress Blogs Poison Google Images

05 Aug 11   Filed in Website exploits with 12 Comments

After a series of posts about Google Image poisoning campaigns that used hot-linked images a main trick to get top positions in search results, I’d like to describe a different Google Image poisoning attack that affects WordPress blogs and uses self-hosted images.
Continue »»