We are currently doing research working papers on web viruses and came across this wiki and this article, which we found useful for all users who would like to know more about how a website gets infected due to a virus on your own computer. This virus is called 'Gumblar.cn'. The basic logic of the virus is to 'steal' the login credentials of your FTP account, log in to the FTP server, and inject the index files like 'index.php' and 'default.php', or all PHP files, with base64 decoded code, so your website is infected and silently forces a download of the virus to the client's computer when they access your website. Here we write down a summary of the author's findings:
1 Infected web pages contain a script that looks like this
2 Every infected site has its own modification of the script. However, every modification has common parts and can be easily identified as the gumblar .cn script.
3 When the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.
4 This code is usually injected right before the <body> tag. I saw a web page with eight(!) <body> tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them.
5 Sometimes I encounter this script on sites infected with the malicious iframes that I reviewed in my recent posts. So this exploit may use the same infection technique. And probably the same clean up steps may be applied.
6 Unlike the recent iframe exploits, where the malicious code was only injected into files with the most common filenames (e.g. index.html, index.php, etc.), this gumblar script is injected into every web page.
8 Maybe it’s just a coincidence, but about 95% of the infected sites used PHP. It is not possible to say for sure whether the rest of the sites used PHP. Who knows.
9 This exploit doesn’t use any particular script vulnerability. I encountered it on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, and on proprietary PHP sites.
10 Some people reported that the following code is injected into PHP files:
The base64-encoded part is this gumblar .cn script.
11 This is not a server-wide exploit. I checked several servers with infected sites. Most of the neighbor sites were clean.
12 Gumblar .cn domain is currently blacklisted by Google.
Most likely this exploit is caused by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with Malwarebytes.
Then (from a clean computer) change FTP passwords.
Try not to store them inside programs that you use to upload files to a server.
Whenever possible use secure connections. I.e. use SFTP instead of plain FTP. Many shared hosting plans include SFTP.
Finally, remove the malicious code from all server files (.html, .php, .js, etc.). The easiest way to do it is to replace them with clean files from a backup.
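As an added example (not part of the original post or the referenced author's code), here is a small Python scanner that applies the findings above as heuristics over a web root before restoring from backup: a reference to the gumblar domain, a script block sitting directly before a <body> tag, several <body> tags in one file, and a long base64 literal handed to base64_decode() in a PHP file. The 100-character length bound and the sample pages are constructed assumptions; hits are candidates for manual review, not proof of infection.

```python
import re
from pathlib import Path

# Heuristics derived from the findings above. A legitimate page may match
# one of them, so treat every hit as something to inspect by hand.
GUMBLAR_DOMAIN_RE = re.compile(r"gumblar\s*\.\s*cn", re.IGNORECASE)
BODY_TAG_RE = re.compile(r"<body\b", re.IGNORECASE)
# A <script> block immediately before a <body> tag (finding 4).
SCRIPT_BEFORE_BODY_RE = re.compile(r"<script\b.*?</script>\s*<body\b",
                                   re.IGNORECASE | re.DOTALL)
# base64_decode() of a long literal (finding 10). The 100-char bound is an
# assumed threshold chosen to skip ordinary short uses of the function.
B64_DECODE_RE = re.compile(
    r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{100,}['\"]", re.IGNORECASE)


def scan_content(content: str, name: str = "<memory>") -> list:
    """Return (indicator, detail) tuples found in one file's text."""
    findings = []
    if GUMBLAR_DOMAIN_RE.search(content):
        findings.append(("domain", "reference to the gumblar domain"))
    bodies = BODY_TAG_RE.findall(content)
    if len(bodies) > 1:
        findings.append(("multi-body", f"{len(bodies)} <body> tags in one file"))
    if SCRIPT_BEFORE_BODY_RE.search(content):
        findings.append(("script-before-body",
                         "script block directly precedes a <body> tag"))
    if name.lower().endswith(".php") and B64_DECODE_RE.search(content):
        findings.append(("base64-php",
                         "base64_decode() of a long literal in a PHP file"))
    return findings


def scan_tree(root: str) -> dict:
    """Walk a web root and map each .html/.htm/.php/.js file to its hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php", ".js"}:
            hits = scan_content(path.read_text(errors="replace"), path.name)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample pages (not real infected files) for a quick self-check.
SAMPLE_INFECTED_HTML = ('<html><head></head><script>/* loads gumblar.cn/rss/ */'
                        '</script><body>hi</body><script></script><body>x</body></html>')
SAMPLE_INFECTED_PHP = "<?php $p = base64_decode('" + "QUFB" * 30 + "'); ?>"
SAMPLE_CLEAN_HTML = '<html><head><script src="app.js"></script></head><body>ok</body></html>'
```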