Comments on: Revenge of Gumblar Zombies http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/ Website insecurity by example Thu, 04 Mar 2010 20:24:35 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Amin Ch http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6780 Amin Ch Sat, 20 Feb 2010 19:17:37 +0000 http://blog.unmaskparasites.com/?p=350#comment-6780 Please send also your program to amin.cheng @ gmail.com Thanks. Please send also your program to amin.cheng @ gmail.com Thanks.

]]> By: Inside Gumblar: Looking for the trigger | Fortinet FortiGuard Blog http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6635 Inside Gumblar: Looking for the trigger | Fortinet FortiGuard Blog Tue, 19 Jan 2010 18:51:51 +0000 http://blog.unmaskparasites.com/?p=350#comment-6635 [...] addressing its Javascript obfuscation, the affected domains and its C&C communication[2][3][4]. However, scarce detail is available about the very vulnerabilities and exploits leveraged by [...] [...] addressing its Javascript obfuscation, the affected domains and its C&C communication[2][3][4]. However, scarce detail is available about the very vulnerabilities and exploits leveraged by [...]

]]> By: Christopher Parker http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6593 Christopher Parker Wed, 13 Jan 2010 20:13:11 +0000 http://blog.unmaskparasites.com/?p=350#comment-6593 I had backups of my website which seems to have taken care of the problem, but own laptop seems to still be compromised and I think I'm going to have to format it - I've been using AVG and Malware Bytes over and over and it's fine until I re-enable the internet connection and promptly something downloads new trojan software and the google redirects resume. Something, somewhere, is persistent - but what? I had backups of my website which seems to have taken care of the problem, but own laptop seems to still be compromised and I think I’m going to have to format it – I’ve been using AVG and Malware Bytes over and over and it’s fine until I re-enable the internet connection and promptly something downloads new trojan software and the google redirects resume. Something, somewhere, is persistent – but what?

]]> By: Greg Rogers http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6427 Greg Rogers Mon, 28 Dec 2009 21:52:32 +0000 http://blog.unmaskparasites.com/?p=350#comment-6427 Hi Your blog - report on Gumblar helped me to understand what is going on.. My site with 1000's of pages was ruined... I have found that they got the ftp and went through one by one putting code into every joomla site... Someone calling himself Alex used the contact for of each one sending this message Very Nice Site ! Is this yours too" There seems to have been an intrusion in July and it resumed in late December 23 approx Here is the code that they place on every joomla site... It shows up in the database in 10 location user sessionplugin modules acl ora section acl ora groups acl ora something else contact detail components ( 17 locations ) categories Here is the code that they use I have been banned from Google News as a result of this.. I can see no cure as the code is too deep in the database.. CODE FOLLOWS BEWARE SELECT * FROM `que0927708391162`.`jos_core_acl_aro_sections` WHERE ( `id` LIKE '%"Female%' OR `value` LIKE '%"Female%' OR `order_value` LIKE '%"Female%' OR `name` LIKE '%"Female%' OR `hidden` LIKE '%"Female%' ) OR ( `id` LIKE '%use%' OR `value` LIKE '%use%' OR `order_value` LIKE '%use%' OR `name` LIKE '%use%' OR `hidden` LIKE '%use%' ) OR ( `id` LIKE '%of%' OR `value` LIKE '%of%' OR `order_value` LIKE '%of%' OR `name` LIKE '%of%' OR `hidden` LIKE '%of%' ) OR ( `id` LIKE '%viagra"%' OR `value` LIKE '%viagra"%' OR `order_value` LIKE '%viagra"%' OR `name` LIKE '%viagra"%' OR `hidden` LIKE '%viagra"%' ) LIMIT 0 , 30 DELETE FROM `que0927708391162`.`jos_categories` WHERE (`id` LIKE '%"Female%' OR `parent_id` LIKE '%"Female%' OR `title` LIKE '%"Female%' OR `name` LIKE '%"Female%' OR `alias` LIKE '%"Female%' OR `image` LIKE '%"Female%' OR `section` LIKE '%"Female%' OR `image_position` LIKE '%"Female%' OR `description` LIKE '%"Female%' OR `published` LIKE '%"Female%' OR `checked_out` LIKE '%"Female%' OR `checked_out_time` LIKE '%"Female%' OR `editor` LIKE '%"Female%' OR `ordering` LIKE '%"Female%' OR `access` LIKE '%"Female%' OR `count` LIKE '%"Female%' OR `params` LIKE '%"Female%') OR (`id` LIKE '%use%' OR `parent_id` LIKE '%use%' OR `title` LIKE '%use%' OR `name` LIKE '%use%' OR `alias` LIKE '%use%' OR `image` LIKE '%use%' OR `section` LIKE '%use%' OR `image_position` LIKE '%use%' OR `description` LIKE '%use%' OR `published` LIKE '%use%' OR `checked_out` LIKE '%use%' OR `checked_out_time` LIKE '%use%' OR `editor` LIKE '%use%' OR `ordering` LIKE '%use%' OR `access` LIKE '%use%' OR `count` LIKE '%use%' OR `params` LIKE '%use%') OR (`id` LIKE '%of%' OR `parent_id` LIKE '%of%' OR `title` LIKE '%of%' OR `name` LIKE '%of%' OR `alias` LIKE '%of%' OR `image` LIKE '%of%' OR `section` LIKE '%of%' OR `image_position` LIKE '%of%' OR `description` LIKE '%of%' OR `published` LIKE '%of%' OR `checked_out` LIKE '%of%' OR `checked_out_time` LIKE '%of%' OR `editor` LIKE '%of%' OR `ordering` LIKE '%of%' OR `access` LIKE '%of%' OR `count` LIKE '%of%' OR `params` LIKE '%of%') OR (`id` LIKE '%viagra"%' OR `parent_id` LIKE '%viagra"%' OR `title` LIKE '%viagra"%' OR `name` LIKE '%viagra"%' OR `alias` LIKE '%viagra"%' OR `image` LIKE '%viagra"%' OR `section` LIKE '%viagra"%' OR `image_position` LIKE '%viagra"%' OR `description` LIKE '%viagra"%' OR `published` LIKE '%viagra"%' OR `checked_out` LIKE '%viagra"%' OR `checked_out_time` LIKE '%viagra"%' OR `editor` LIKE '%viagra"%' OR `ordering` LIKE '%viagra"%' OR `access` LIKE '%viagra"%' OR `count` LIKE '%viagra"%' OR `params` LIKE '%viagra"%') Hi

Your blog – report on Gumblar helped me to understand what is going on..

My site with 1000’s of pages was ruined…

I have found that they got the ftp and went through one by one putting code into every joomla site…

Someone calling himself Alex used the contact for of each one sending this message

Very Nice Site ! Is this yours too”

There seems to have been an intrusion in July and it resumed in late December 23 approx

Here is the code that they place on every joomla site…

It shows up in the database in 10 location

user
sessionplugin
modules
acl ora section
acl ora groups
acl ora something else
contact detail
components ( 17 locations )
categories

Here is the code that they use

I have been banned from Google News as a result of this..

I can see no cure as the code is too deep in the database..

CODE FOLLOWS BEWARE

SELECT *
FROM `que0927708391162`.`jos_core_acl_aro_sections`
WHERE (
`id` LIKE ‘%”Female%’
OR `value` LIKE ‘%”Female%’
OR `order_value` LIKE ‘%”Female%’
OR `name` LIKE ‘%”Female%’
OR `hidden` LIKE ‘%”Female%’
)
OR (
`id` LIKE ‘%use%’
OR `value` LIKE ‘%use%’
OR `order_value` LIKE ‘%use%’
OR `name` LIKE ‘%use%’
OR `hidden` LIKE ‘%use%’
)
OR (
`id` LIKE ‘%of%’
OR `value` LIKE ‘%of%’
OR `order_value` LIKE ‘%of%’
OR `name` LIKE ‘%of%’
OR `hidden` LIKE ‘%of%’
)
OR (
`id` LIKE ‘%viagra”%’
OR `value` LIKE ‘%viagra”%’
OR `order_value` LIKE ‘%viagra”%’
OR `name` LIKE ‘%viagra”%’
OR `hidden` LIKE ‘%viagra”%’
)
LIMIT 0 , 30

DELETE FROM `que0927708391162`.`jos_categories` WHERE (`id` LIKE ‘%”Female%’ OR `parent_id` LIKE ‘%”Female%’ OR `title` LIKE ‘%”Female%’ OR `name` LIKE ‘%”Female%’ OR `alias` LIKE ‘%”Female%’ OR `image` LIKE ‘%”Female%’ OR `section` LIKE ‘%”Female%’ OR `image_position` LIKE ‘%”Female%’ OR `description` LIKE ‘%”Female%’ OR `published` LIKE ‘%”Female%’ OR `checked_out` LIKE ‘%”Female%’ OR `checked_out_time` LIKE ‘%”Female%’ OR `editor` LIKE ‘%”Female%’ OR `ordering` LIKE ‘%”Female%’ OR `access` LIKE ‘%”Female%’ OR `count` LIKE ‘%”Female%’ OR `params` LIKE ‘%”Female%’) OR (`id` LIKE ‘%use%’ OR `parent_id` LIKE ‘%use%’ OR `title` LIKE ‘%use%’ OR `name` LIKE ‘%use%’ OR `alias` LIKE ‘%use%’ OR `image` LIKE ‘%use%’ OR `section` LIKE ‘%use%’ OR `image_position` LIKE ‘%use%’ OR `description` LIKE ‘%use%’ OR `published` LIKE ‘%use%’ OR `checked_out` LIKE ‘%use%’ OR `checked_out_time` LIKE ‘%use%’ OR `editor` LIKE ‘%use%’ OR `ordering` LIKE ‘%use%’ OR `access` LIKE ‘%use%’ OR `count` LIKE ‘%use%’ OR `params` LIKE ‘%use%’) OR (`id` LIKE ‘%of%’ OR `parent_id` LIKE ‘%of%’ OR `title` LIKE ‘%of%’ OR `name` LIKE ‘%of%’ OR `alias` LIKE ‘%of%’ OR `image` LIKE ‘%of%’ OR `section` LIKE ‘%of%’ OR `image_position` LIKE ‘%of%’ OR `description` LIKE ‘%of%’ OR `published` LIKE ‘%of%’ OR `checked_out` LIKE ‘%of%’ OR `checked_out_time` LIKE ‘%of%’ OR `editor` LIKE ‘%of%’ OR `ordering` LIKE ‘%of%’ OR `access` LIKE ‘%of%’ OR `count` LIKE ‘%of%’ OR `params` LIKE ‘%of%’) OR (`id` LIKE ‘%viagra”%’ OR `parent_id` LIKE ‘%viagra”%’ OR `title` LIKE ‘%viagra”%’ OR `name` LIKE ‘%viagra”%’ OR `alias` LIKE ‘%viagra”%’ OR `image` LIKE ‘%viagra”%’ OR `section` LIKE ‘%viagra”%’ OR `image_position` LIKE ‘%viagra”%’ OR `description` LIKE ‘%viagra”%’ OR `published` LIKE ‘%viagra”%’ OR `checked_out` LIKE ‘%viagra”%’ OR `checked_out_time` LIKE ‘%viagra”%’ OR `editor` LIKE ‘%viagra”%’ OR `ordering` LIKE ‘%viagra”%’ OR `access` LIKE ‘%viagra”%’ OR `count` LIKE ‘%viagra”%’ OR `params` LIKE ‘%viagra”%’)

]]> By: Giuseppe Ridinò (aka Pepecito) http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6289 Giuseppe Ridinò (aka Pepecito) Fri, 18 Dec 2009 16:27:47 +0000 http://blog.unmaskparasites.com/?p=350#comment-6289 I faced with this issue. The file with the eval code was the index.php of my joomla default RHUK Milkyway template. In addiction to this I found that the password of the admin user was changed, together with its email. Thanks you very much for this valuable article. Best regards from Italy!!! I faced with this issue. The file with the eval code was the index.php of my joomla default RHUK Milkyway template.
In addiction to this I found that the password of the admin user was changed, together with its email.

Thanks you very much for this valuable article.
Best regards from Italy!!!

]]> By: Pato http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6189 Pato Sat, 12 Dec 2009 00:01:36 +0000 http://blog.unmaskparasites.com/?p=350#comment-6189 <strong>Very interesting article!!</strong> I´ve one client site´s with this malicious script (the one that end with billeterie.php) and still can´t clean it out. its a pain in the ass! And get worst, since there isn´t a clean copy of the site, so the only thing to try (keep trying) is the manually remove. Thanks for taking the time to help us with this helpfull guide! Regards from argentina. Very interesting article!!
I´ve one client site´s with this malicious script (the one that end with billeterie.php) and still can´t clean it out. its a pain in the ass!
And get worst, since there isn´t a clean copy of the site, so the only thing to try (keep trying) is the manually remove.

Thanks for taking the time to help us with this helpfull guide!

Regards from argentina.

]]> By: Tom http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6151 Tom Wed, 09 Dec 2009 18:30:37 +0000 http://blog.unmaskparasites.com/?p=350#comment-6151 A few of my site had this issue just yesterday. They are using robots.php as well. A few of my site had this issue just yesterday.

They are using robots.php as well.

]]> By: Denis http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6026 Denis Wed, 02 Dec 2009 01:09:47 +0000 http://blog.unmaskparasites.com/?p=350#comment-6026 Thanks Josh. I had to remove the link to your site from your signature since your site is still infected. This time link to "<em>uznai-pravdu-ru.1gb .ru/ includes/style.php</em>" Make sure you followed my <a href="#removal" rel="nofollow">removal instructions</a> Thanks Josh.

I had to remove the link to your site from your signature since your site is still infected.

This time link to “uznai-pravdu-ru.1gb .ru/ includes/style.php

Make sure you followed my removal instructions

]]> By: Josh http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6024 Josh Tue, 01 Dec 2009 21:00:23 +0000 http://blog.unmaskparasites.com/?p=350#comment-6024 Sorry: JS: vgallery.extra .hu/ categories/style.php case.writeup .co.jp/ images/a5hd/img-osouji.php koltaiandor.extra .hu/ portre/nyito_right.php HTML: koltaiandor.extra .hu/ portre/nyito_right.php Sorry:

JS:
vgallery.extra .hu/ categories/style.php
case.writeup .co.jp/ images/a5hd/img-osouji.php
koltaiandor.extra .hu/ portre/nyito_right.php

HTML:
koltaiandor.extra .hu/ portre/nyito_right.php

]]> By: streetsurfer http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/comment-page-1/#comment-6009 streetsurfer Tue, 01 Dec 2009 00:13:16 +0000 http://blog.unmaskparasites.com/?p=350#comment-6009 We have found 2 new backdoor scripts = it looks like they are not just using gifimg.php and image.php anymore: beauty-shop-color.php VideoPlaylist.php just contained the eval backdoor... these files were not found on original backups prior to the attack date of Nov 11 2009 We have found 2 new backdoor scripts = it looks like they are not just using gifimg.php and image.php anymore:

beauty-shop-color.php
VideoPlaylist.php

just contained the eval backdoor… these files were not found on original backups prior to the attack date of Nov 11 2009

]]>