msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

What’s in your wp-head?

11 Jul 12   Filed in Website exploits with 6 Comments

I first came across this attack in late May of 2012. It had quite a recognizable and frequently updated type of malicious JavaScript code injected in the <head> section of WordPress blogs and iframe URLs generated by this script always ended with top2.html (now rem2.html)

It was a massive infection and many webmasters asked me to help them clean up their sites. I told them how to search for various pattern of malicious files and asked them to provide me with access logs and samples of the malicious code they found on their servers.

At first the hack looked quite mysterious:

  • Webmasters sent me many backdoor files but none of them contained the malicious code I saw in infected web pages.
  • In theme files, the <head> section didn’t contain any malicious code at all.
  • While access logs showed some successful TimThumb attacks, I didn’t see requests to backdoors that updated the malicious code injected into the <head> section (and that code somehow changed every day).
  • And the script injection was quite hard to track since it would usually disappear after the first check. You couldn’t tell whether webmasters really cleaned their sites up or the malware was simply hiding from you.

The mystery was solved when I got access to one of the infected sites.
Continue »»

Careless Webmasters as WordPress Hosting Providers for Spammers

18 May 12   Filed in Website exploits with 8 Comments

Foks, a frequent contributer to my investigations, recently pointed me at an interesting black hat SEO campaign where thousands of hacked WordPress blogs and Joomla sites were used to create doorways promoting online stores selling various “slimming pills” and fake luxury goods.

doorway blogs

During the last few years I saw many attacks where cyber criminals created large spammy sites in subdirectories of hacked legitimate sites. It’s an easy way to create millions of doorway pages on thousands of established domains with good reputation for free (owners of hacked sites pay for hosting, bandwidth and domains) — typical parasitic behavior. Webmasters normally only visit pages they created themselves and rarely check what happens in subdirectories so they may not notice spammy sections for months. Sometimes such sections may be significantly larger than legitimate sections of hacked websites and attract much more search traffic.

The back end of such rogue sections is usually some doorway generating script along with rewrite rules in .htaccess or a simple blogging engine like FlatPress that doesn’t require a database. The only requirement of such solutions is PHP so they will work on most websites.

However this time spammers chose WordPress as a back end for their doorways. After all, if they hack a WordPress blog, the server is guranteed to be compatible with WordPress and all they need to do to install a new instance is get MySQL password from existing wp-config.php and chose a different table prefix for their WordPress database.
Here’s how the attack works »»

Malware Piggybacks on Automatic WordPress Updates

02 May 12   Filed in Website exploits with 5 Comments

Most WordPress bloggers know the “Always keep your WordPress blog up-to-date” mantra. To make upgrades painless, WordPress developers introduced the “Automatic Update” features in version 2.7. A blog admin only needs to visit the “Update WordPress” page (Tools -> Update) and click on the “Update Automatically” button. That’s it! Easy!

Sometimes I see how webmasters misinterpret the importance of upgrades for WordPress security. They expect that if they upgrade a hacked blog, it will immediately become clean and secure. Unfortunately it doesn’t work this way. Upgrades can only clean core WordPress files, leaving backdoors, infected themes, plugins and database records intact. That’s why it is important to clean up your site before the upgrade.

Moreover, a few days ago I came across a new massive infection (more than 1,000 currently known infected blogs) that hijacks the “Automatic Update” feature and makes it the event that triggers blog re-infection.
Continue »»

You Need to Pay For This Crypt. Trial Version of Malware?

07 Mar 12   Filed in Website exploits with 5 Comments

According to the Betteridge’s Law of HeadlinesAny headline which ends in a question mark can be answered by the word ‘no’“. Nonetheless, I use this type of a headline for this post because this was the question I asked myself when I came across the following attack.
Continue »»

Weak Passwords and Tainted WordPress Widgets

01 Mar 12   Filed in Website exploits with 4 Comments

A few days ago I investigated a hack where the following script was injected into web pages:

<sc ript src="hxxp://www .copytech .lu/js/java.js"></script>

The script was at the very top of the HTML code and in the middle of the page. It was a WordPress site so I suggested to check the index.php and theme files for the malicious code.

The topmost script was indeed in the theme’s index.php file. But theme files didn’t contain the script that I found in the middle of web pages’ HTML code.
Continue »»

Selected Tweets (Oct-Nov 2011)

21 Nov 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

It has been a while since the last Tweet Week. The main reason is I don’t tweet that often now to post my tweets every week and I don’t want to post old news here either.

So what happened? The answer is I can’t get used to Twitter web interface – it is so inconvenient. I had to use it when I had some strange problems with my Twitter client (twhirl). Thank’s god, I’ve finally made my twhirl work so I hope I will be able to tweet more often.

Anyway, here are some of the latest tweets.
Continue »»

/tmp/wp_inc or Not Your Typical WordPress Attack

09 Nov 11   Filed in Website exploits with 21 Comments

This post will provide a very detailed and rather technical description of the latest massive WordPress hack. I find it interesting in many ways. Mainly because it’s so atypical.

If you don’t have time to read the whole article, you can head directly to the short description of the attack and then to the Summary section where I talk about what’s new, strange and uncommon in this attack. Or if you are a webmaster of a hacked blog, go to the “To Webmasters” section – it will help you resolve the problem.
Continue »»

Tweet Week: August 22-28, 2011

29 Aug 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

TimThumb attacks, We Stop Badware Host program, blog scrapers, Apache DOS and workaround »»

Hackers target unpatched WooFramework

24 Aug 11   Filed in Short Attack Reviews with 9 Comments

When Michael VanDeMar mentioned the malicious “googlesafebrowsing .com” domain, I decided to check how exactly it was used in malware attacks. It’s quite a popular trick to mimic Google’s own domains to make malicious code look legitimate. I have a “collection” of several dozens on misspelled Google Analytics domains alone that were used for malware distribution. In this case, the domain name was made up rather than misspelled. It referres to Google’s Safe Browsing project and their diagnostic pages that actually use the google.com domain (as most other Google’s services).
Continue »»

Two Tweet Weeks: August 8-21, 2011

22 Aug 11   Filed in Tweet Week with 1 Comment

Selected short messages and links you might have missed if you don’t follow me on Twitter.

TimThumb attacks, program for responsible hosting providers, analyses of black hat SEO campaigns, osCommerce tips, 4 years of Safe Browsing data »»