Comments on: Revenge of Gumblar Zombies

By: How to remove IFRAME Virus and Malware found Warning from websites | TRUSTMEHER

Sun, 31 Oct 2010 06:47:20 +0000

[...] How to REMOVE Exploits [...]

By: Chris

Chris — Tue, 11 May 2010 21:14:15 +0000

Thank you for the excellent summary… I would like to add that where possible, an IP whitelist for FTP access seems like it will effectively prevent this (or stop it from happening again once a site is truly clean, no backdoors etc).

With a compatible FTP daemon, simply placing one simple .ftpaccess file in the root directory will do the trick:

(Limit ALL)
DenyAll
Allow w.x.y.z
Allow a.b.c.d
(/Limit)

*Replace ( and ) with less than/greater than symbols. Add as many IPs as you need to whitelist, or as few as one.

In this way, even if the virus has obtained the FTP username and password, it cannot log in unless from an IP on the whitelist.

I suppose the botnet could learn to spoof IP’s, but this is really just a case of making your site NOT be the “low-hanging fruit”.

Hope that helps someone…

By: Soviet

Soviet — Tue, 23 Mar 2010 17:20:59 +0000

This is an excellent write up to a topic that most Joomla administrators could not help me with. I am very very grateful!

By: acop

acop — Thu, 11 Mar 2010 08:52:55 +0000

You can use following tools to remove the injection code:
Windows – FART
1. download from hxxp://sourceforge.net/projects/fart-it/
2. run following command:
fart -r -i -C –remove C:\path_to_file\* “”

Linux – sed command
1. Use following command:
sed -i ‘/injected_code/d’ /path/to/file.htm

By: Amin Ch

Amin Ch — Sat, 20 Feb 2010 19:17:37 +0000

Please send also your program to amin.cheng @ gmail.com Thanks.

By: Inside Gumblar: Looking for the trigger | Fortinet FortiGuard Blog

Inside Gumblar: Looking for the trigger | Fortinet FortiGuard Blog — Tue, 19 Jan 2010 18:51:51 +0000

[...] addressing its Javascript obfuscation, the affected domains and its C&C communication[2][3][4]. However, scarce detail is available about the very vulnerabilities and exploits leveraged by [...]

By: Christopher Parker

Christopher Parker — Wed, 13 Jan 2010 20:13:11 +0000

I had backups of my website which seems to have taken care of the problem, but own laptop seems to still be compromised and I think I’m going to have to format it – I’ve been using AVG and Malware Bytes over and over and it’s fine until I re-enable the internet connection and promptly something downloads new trojan software and the google redirects resume. Something, somewhere, is persistent – but what?

By: Greg Rogers

Greg Rogers — Mon, 28 Dec 2009 21:52:32 +0000

Your blog – report on Gumblar helped me to understand what is going on..

My site with 1000’s of pages was ruined…

I have found that they got the ftp and went through one by one putting code into every joomla site…

Someone calling himself Alex used the contact for of each one sending this message

Very Nice Site ! Is this yours too”

There seems to have been an intrusion in July and it resumed in late December 23 approx

Here is the code that they place on every joomla site…

It shows up in the database in 10 location

user
sessionplugin
modules
acl ora section
acl ora groups
acl ora something else
contact detail
components ( 17 locations )
categories

Here is the code that they use

I have been banned from Google News as a result of this..

I can see no cure as the code is too deep in the database..

CODE FOLLOWS BEWARE

SELECT *
FROM `que0927708391162`.`jos_core_acl_aro_sections`
WHERE (
`id` LIKE ‘%”Female%’
OR `value` LIKE ‘%”Female%’
OR `order_value` LIKE ‘%”Female%’
OR `name` LIKE ‘%”Female%’
OR `hidden` LIKE ‘%”Female%’
)
OR (
`id` LIKE ‘%use%’
OR `value` LIKE ‘%use%’
OR `order_value` LIKE ‘%use%’
OR `name` LIKE ‘%use%’
OR `hidden` LIKE ‘%use%’
)
OR (
`id` LIKE ‘%of%’
OR `value` LIKE ‘%of%’
OR `order_value` LIKE ‘%of%’
OR `name` LIKE ‘%of%’
OR `hidden` LIKE ‘%of%’
)
OR (
`id` LIKE ‘%viagra”%’
OR `value` LIKE ‘%viagra”%’
OR `order_value` LIKE ‘%viagra”%’
OR `name` LIKE ‘%viagra”%’
OR `hidden` LIKE ‘%viagra”%’
)
LIMIT 0 , 30

DELETE FROM `que0927708391162`.`jos_categories` WHERE (`id` LIKE ‘%”Female%’ OR `parent_id` LIKE ‘%”Female%’ OR `title` LIKE ‘%”Female%’ OR `name` LIKE ‘%”Female%’ OR `alias` LIKE ‘%”Female%’ OR `image` LIKE ‘%”Female%’ OR `section` LIKE ‘%”Female%’ OR `image_position` LIKE ‘%”Female%’ OR `description` LIKE ‘%”Female%’ OR `published` LIKE ‘%”Female%’ OR `checked_out` LIKE ‘%”Female%’ OR `checked_out_time` LIKE ‘%”Female%’ OR `editor` LIKE ‘%”Female%’ OR `ordering` LIKE ‘%”Female%’ OR `access` LIKE ‘%”Female%’ OR `count` LIKE ‘%”Female%’ OR `params` LIKE ‘%”Female%’) OR (`id` LIKE ‘%use%’ OR `parent_id` LIKE ‘%use%’ OR `title` LIKE ‘%use%’ OR `name` LIKE ‘%use%’ OR `alias` LIKE ‘%use%’ OR `image` LIKE ‘%use%’ OR `section` LIKE ‘%use%’ OR `image_position` LIKE ‘%use%’ OR `description` LIKE ‘%use%’ OR `published` LIKE ‘%use%’ OR `checked_out` LIKE ‘%use%’ OR `checked_out_time` LIKE ‘%use%’ OR `editor` LIKE ‘%use%’ OR `ordering` LIKE ‘%use%’ OR `access` LIKE ‘%use%’ OR `count` LIKE ‘%use%’ OR `params` LIKE ‘%use%’) OR (`id` LIKE ‘%of%’ OR `parent_id` LIKE ‘%of%’ OR `title` LIKE ‘%of%’ OR `name` LIKE ‘%of%’ OR `alias` LIKE ‘%of%’ OR `image` LIKE ‘%of%’ OR `section` LIKE ‘%of%’ OR `image_position` LIKE ‘%of%’ OR `description` LIKE ‘%of%’ OR `published` LIKE ‘%of%’ OR `checked_out` LIKE ‘%of%’ OR `checked_out_time` LIKE ‘%of%’ OR `editor` LIKE ‘%of%’ OR `ordering` LIKE ‘%of%’ OR `access` LIKE ‘%of%’ OR `count` LIKE ‘%of%’ OR `params` LIKE ‘%of%’) OR (`id` LIKE ‘%viagra”%’ OR `parent_id` LIKE ‘%viagra”%’ OR `title` LIKE ‘%viagra”%’ OR `name` LIKE ‘%viagra”%’ OR `alias` LIKE ‘%viagra”%’ OR `image` LIKE ‘%viagra”%’ OR `section` LIKE ‘%viagra”%’ OR `image_position` LIKE ‘%viagra”%’ OR `description` LIKE ‘%viagra”%’ OR `published` LIKE ‘%viagra”%’ OR `checked_out` LIKE ‘%viagra”%’ OR `checked_out_time` LIKE ‘%viagra”%’ OR `editor` LIKE ‘%viagra”%’ OR `ordering` LIKE ‘%viagra”%’ OR `access` LIKE ‘%viagra”%’ OR `count` LIKE ‘%viagra”%’ OR `params` LIKE ‘%viagra”%’)

By: Giuseppe Ridinò (aka Pepecito)

Giuseppe Ridinò (aka Pepecito) — Fri, 18 Dec 2009 16:27:47 +0000

I faced with this issue. The file with the eval code was the index.php of my joomla default RHUK Milkyway template.
In addiction to this I found that the password of the admin user was changed, together with its email.

Thanks you very much for this valuable article.
Best regards from Italy!!!

By: Pato

Pato — Sat, 12 Dec 2009 00:01:36 +0000

Very interesting article!!
I´ve one client site´s with this malicious script (the one that end with billeterie.php) and still can´t clean it out. its a pain in the ass!
And get worst, since there isn´t a clean copy of the site, so the only thing to try (keep trying) is the manually remove.

Thanks for taking the time to help us with this helpfull guide!

Regards from argentina.