Gumblar Attacks

Gumblar Attacks - Malicious code inserted into your web pages

The infection most likely originates from your own computer, or from the computer of anyone you have given FTP access to your hosting account. This means that even after the injected code has been cleaned up, the moment you connect to your hosting account again from an infected machine you may insert the code back into your website pages.

Removal

  1. Most likely this exploit is caused by compromised FTP credentials, so start with your own computer: scan it for spyware. Some people have reported good results with Malwarebytes.
  2. Change your FTP passwords (from a clean computer).
  3. Try not to store passwords inside the programs you use to upload files to your hosting account.
  4. Whenever possible use a secure connection, e.g. SFTP instead of plain FTP. Request access to this from us.
  5. Finally, remove the malicious code from all server files (.html, .php, .js, etc.). The easiest way to do this is to replace them with clean files from a backup.
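Because the injected script is obfuscated and differs from page to page, searching for a fixed signature is unreliable; step 5 instead relies on a known-clean backup. The following added example (not part of the original article) compares the live web root against that backup by file hash and lists which .html/.js/.php files were modified, added or are missing, so you know exactly what to restore. The directory layout and file contents in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the article says Gumblar injects into.
SCAN_SUFFIXES = {".html", ".htm", ".js", ".php"}

def sha256_of(path: Path) -> str:
    """Hash a file's bytes so the comparison is content-based, not mtime-based."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def hash_tree(root: Path) -> dict:
    """Map each web file under root (POSIX relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES
    }

def find_suspect_files(webroot: Path, clean_backup: Path) -> dict:
    """Compare the live web root against a known-clean backup; every entry
    returned is a candidate for restoration from the backup (removal step 5)."""
    live, clean = hash_tree(webroot), hash_tree(clean_backup)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }

def demo() -> dict:
    """Build a constructed backup/webroot pair and run the comparison."""
    base = Path(tempfile.mkdtemp())
    backup, webroot = base / "backup", base / "webroot"
    for d in (backup / "inc", webroot / "inc"):
        d.mkdir(parents=True)
    clean_index = "<html><body>Welcome</body></html>\n"
    clean_js = "function hello() { return 1; }\n"
    (backup / "index.html").write_text(clean_index)
    (backup / "inc" / "site.js").write_text(clean_js)
    (backup / "about.php").write_text("<?php echo 'about'; ?>\n")
    # Constructed "infected" copy: index.html gains an extra script tag,
    # an unexpected PHP file appears, the other two files are unchanged.
    (webroot / "index.html").write_text(clean_index + "<script>/* constructed injected block */</script>\n")
    (webroot / "inc" / "site.js").write_text(clean_js)
    (webroot / "about.php").write_text("<?php echo 'about'; ?>\n")
    (webroot / "inc" / "x.php").write_text("<?php /* constructed new file */ ?>\n")
    return find_suspect_files(webroot, backup)
```

Run it against a copy of the live site downloaded over SFTP; anything listed under "modified" or "added" should be inspected and then overwritten from the backup.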


What is a Gumblar Attack?
FTP logs of the infected websites indicate that the machines of the customers who own those domains are compromised and have been used to upload malicious content to their respective hosting packages.

Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files using obfuscated JavaScript, and they load malware content from third-party sites without the user's knowledge. The malware also steals FTP credentials from the victim's computer, which allows it to spread and infect additional sites. Therefore, when someone visits an infected site they get infected, and if they have FTP credentials for a website stored on their machine then that site will be infected too. This explains the exponential growth of the exploit in such a short space of time.

What makes it different from previous malware exploits?
There are a number of aspects to this exploit that both make it difficult to remove and help it spread. Firstly, it infects users who are browsing legitimate websites; if these users are webmasters, it then infects their websites by using their FTP credentials to inject the script onto their sites. Secondly, the obfuscated malicious code is dynamically generated, which makes it difficult to detect and difficult to remove automatically: the script varies not only from site to site but also from page to page within a single site.

Further Reading
http://tinyurl.com/m23ncu
http://news.cnet.com/8301-1009_3-10244529-83.html
