Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Gumblar Breaks WordPress blogs and other complex PHP sites

   04 Nov 09   Filed in Website exploits

Iframe injections are not the only way malware can corrupt a website. It appears that the current version of Gumblar effectively breaks WordPress blogs.

Here’s the story

On various forums you can find posts where webmasters report similar problems with their WordPress blogs. Their sites are broken, and all they see are error messages that look like this:

Fatal error: Cannot redeclare xfm() (previously declared in /path/to/site/index.php(1) : eval()'d code:1)
in /path/to/site/wp-config.php(1) : eval()'d code on line 1

The following Google search: “previously declared in” “index.php” “wp-config.php” eval code can reveal the scale of the problem. It returns 58,600 results, most of which are either hacked WordPress blogs or forum posts about hacked WordPress blogs.

The error says that a function with a meaningless name (in this case xfm, but it changes from site to site, e.g. q1dj, oh0e, jjyrv, gba, etc.) was declared in wp-config.php, in code passed to eval(), when a function with the same name had previously been declared in index.php, again in code passed to eval().

Needless to say, the standard WordPress files index.php and wp-config.php don’t contain any eval() calls. This means that some alien, presumably malicious, code was injected into both files.

The error message doesn’t give external observers much to work with, so I asked Michael Karr (Hostgator Network Security) if he knew anything about these errors. He did. It was Gumblar.

Buggy backdoor script

Here’s what happened. As you know from my previous posts, Gumblar injects obfuscated PHP code at the very top of various .php files (I’ve shortened the base64-encoded part):

<?php eval(base64_decode('aWYoIWlzc2V0KCRueW5oe...J10pKTs=')); ?>

It uses the PHP eval() function to execute the base64-decoded PHP code, which tries to inject malicious JavaScript into other files. The beginning of the decoded PHP code looks like this:

if ( !isset($zsmh1) ){
function zsmh($s){
...

You can see the declaration of a function with the meaningless name zsmh (the name changes from site to site), wrapped in a check that the variable $zsmh1 is not yet set.

WordPress is a complex web application that comprises more than 200 .php files. When you open any page, WordPress loads index.php, which in turn loads many other .php files with require(). The WordPress admin interface also relies on multiple .php files. In all cases, WordPress loads the wp-config.php file, which contains database credentials and other important information required for normal operation.

So what happens if both index.php and wp-config.php are infected with the Gumblar backdoor script? Since Gumblar injects identical backdoor scripts into files on the same site, both files declare a function with the same name, and PHP does not allow a function to be declared twice during one request. Hence the “Cannot redeclare zsmh() …” error: by the time wp-config.php is loaded, index.php has already declared the function.

Back in May, the Gumblar scripts handled this situation correctly. In the current incarnation of the attack, however, they slightly changed the code of the backdoor script, and the “if ( !isset($zsmh1) ){” condition no longer prevents the redeclaration. A guard like this only works if the first copy of the script sets $zsmh1 in a scope the second copy can see; whatever they changed, the second copy now reaches the function declaration again. It’s clearly a bug and a lack of testing.
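To make the collision concrete, here is an added example in Python (it is not code from this post, and it is not Gumblar’s code): it walks a site tree, recognises the eval(base64_decode('…')) stub at the very top of each .php file, decodes the payload, pulls out the name of the function it declares, and reports which files would declare the same name during one request. The fake site it builds in a temporary directory and the harmless stand-in payload (which reproduces only the isset() guard and function declaration quoted above, none of the JavaScript injector) are constructed for the demo; the file names, the zsmh name and the regular expressions are my assumptions, not the result of analysing a real sample.

```python
"""Find Gumblar-style eval(base64_decode('...')) stubs at the top of .php
files, decode them, and report which files declare the same function name
(the 'Cannot redeclare' collision). Added example: the site tree and the
payload are constructed stand-ins, not real Gumblar code."""
import base64
import os
import re
import tempfile
from collections import defaultdict

# The injected stub, as the post shows it, at the very start of the file.
STUB_RE = re.compile(
    r"\A\s*<\?php\s+eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>\r?\n?")
# First function the decoded payload declares, e.g. "function zsmh($s){".
FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")

def decode_stub(b64):
    """Decode the stub's base64 argument; None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def declared_function(code):
    """Name of the first function declared in the payload, or None."""
    m = FUNC_RE.search(code or "")
    return m.group(1) if m else None

def scan_file(path):
    """Finding dict if the file starts with the stub, else None."""
    with open(path, "rb") as fh:
        head = fh.read(65536).decode("latin-1")
    m = STUB_RE.match(head)
    if not m:
        return None
    code = decode_stub(m.group(1))
    return {"file": path, "code": code, "func": declared_function(code)}

def scan_tree(root):
    """Scan every .php file under root; paths are reported relative to root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".php"):
                continue
            hit = scan_file(os.path.join(dirpath, name))
            if hit:
                hit["file"] = os.path.relpath(hit["file"], root)
                findings.append(hit)
    return findings

def collisions(findings):
    """function name -> files declaring it, for names found in 2+ files.
    index.php and wp-config.php under one name is exactly the post's error."""
    by_func = defaultdict(list)
    for f in findings:
        if f["func"]:
            by_func[f["func"]].append(f["file"])
    return {k: sorted(v) for k, v in by_func.items() if len(v) > 1}

def clean_file(path):
    """Strip the stub from the top of one file in place; True if changed.
    Destructive: run it against a backup copy of the site first."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")
    new, n = STUB_RE.subn("", text, count=1)
    if n:
        with open(path, "wb") as fh:
            fh.write(new.encode("latin-1"))
    return bool(n)

def clean_tree(root):
    """Clean every infected file found under root; returns the count."""
    return sum(clean_file(os.path.join(root, h["file"])) for h in scan_tree(root))

# Constructed, harmless payload: only the isset() guard and the function
# declaration quoted in the post, none of the JavaScript injection logic.
SAMPLE_PAYLOAD = "if ( !isset($zsmh1) ){\nfunction zsmh($s){\nreturn $s;\n}\n}\n"
SAMPLE_STUB = ("<?php eval(base64_decode('"
               + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "')); ?>\n")

def build_sample_site():
    """Tiny fake WordPress tree in a temp dir: index.php and wp-config.php
    carry the stub, wp-load.php is clean. Returns the root path."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    files = {
        "index.php": SAMPLE_STUB + "<?php\nrequire 'wp-load.php';\n",
        "wp-config.php": SAMPLE_STUB + "<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-load.php": "<?php\nrequire 'wp-config.php';\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    site = build_sample_site()
    hits = scan_tree(site)
    for h in hits:
        print(f"{h['file']}: injected stub declares {h['func']}()")
    print("would collide in one request:", collisions(hits))
    print("cleaned", clean_tree(site), "files; remaining:", scan_tree(site))
```

Run as a script it lists the two infected files, reports the zsmh collision between index.php and wp-config.php, and finds nothing after cleaning. Two caveats: the scanner only recognises the stub at the very top of a file, which is where this campaign puts it, and clean_file() rewrites files in place, so work on a backup. Stripping the stubs is also not the end of the job, since the attackers still hold the FTP credentials they used to plant them.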

All types of complex PHP sites affected

The same thing happens to other types of complex PHP sites (e.g. Joomla, Drupal, phpBB, vBulletin, Zen Cart, etc.). Once you remove the WordPress-specific wp-config.php keyword from the previous Google search, you get 243,000 results, mainly consisting of links to compromised sites and to posts about “redeclaration errors” on compromised sites.

I slightly tweaked the Google searches to get these interesting results:

Side effects

As you can see, the number of affected sites is very impressive. Luckily, the bug in the malicious code prevents hacked sites from serving malicious content and infecting their visitors. This is probably one of the main reasons why this incarnation of Gumblar is not as successful as its May predecessor: while the number of compromised websites is pretty much the same, the number of client infections (something that AV companies keep track of) is significantly smaller, since the bug made those sites harmless to web surfers.

To webmasters

The fact that their broken websites are harmless to web surfers is poor consolation for the webmasters of hacked sites. I hope you’ll find some useful information here that will help you clean up and secure your sites.

Cleaning up

In my previous posts you can find detailed detection and removal instructions. This time I’ll add one more important step.

Database-driven sites such as WordPress and Joomla usually store database credentials in configuration files (wp-config.php for WordPress), usually in plain text. Since the hackers use stolen FTP credentials, they have full access to compromised web sites. They can easily retrieve the database password and use it to modify the data stored there. They can also retrieve the credentials of existing site users (think admins) or create new users with administrator permissions. So even if you remove all of the original Gumblar backdoor scripts and change your FTP passwords, the hackers can still control your site.

That’s why it is very important to change the database and site (WordPress, Joomla, etc.) passwords after this sort of attack. You should also check your database for malicious records: administrator accounts you never created, and posts or options that contain injected scripts or iframes.
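As an added example of that database check (not from the post), the Python script below runs the two audits a webmaster would want after this attack against an in-memory SQLite copy of the relevant WordPress tables: it lists every account holding the administrator role together with its registration date, and it finds posts and options whose content contains markers such as <iframe, <script, eval( or base64_decode. Every row is constructed (the rogue wp_support account, the injected script in post 11 and the hidden iframe in widget_text are made up, and the hostnames are placeholders), the default wp_ table prefix is assumed, and the SQL is plain enough to run unchanged against the real MySQL database.

```python
"""Audit a WordPress database for what the post warns about: administrator
accounts added with the stolen database password, and injected HTML/JS stored
in posts or options. Added example; the tables are an in-memory SQLite copy
of the relevant wp_ tables and every row below is constructed."""
import sqlite3

# Markers that normally have no business in post or widget content. <script>
# can be legitimate (embeds), so treat hits as a triage list, not a verdict.
SUSPICIOUS = ("<iframe", "<script", "eval(", "base64_decode", "unescape(")

SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                       user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                       post_content TEXT, post_status TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                         option_value TEXT);
"""

def build_sample_db():
    """Constructed data: a real admin, a rogue admin created by the attacker,
    an editor, one post with an injected script and one widget option with a
    hidden iframe. Hostnames are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "denis", "denis@example.com", "2008-03-01 10:00:00"),
        (2, "wp_support", "x@mail.example", "2009-11-02 03:14:07"),  # rogue
        (3, "editor", "ed@example.com", "2008-06-15 09:00:00"),
    ])
    # WordPress stores roles as a PHP-serialized array under <prefix>capabilities
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (10, "Hello world", "<p>Welcome.</p>", "publish"),
        (11, "About", '<p>About us.</p>'
             '<script src="http://malicious.example/x.js"></script>', "publish"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "siteurl", "http://blog.example"),
        (2, "widget_text",
         '<iframe src="http://malicious.example/" style="display:none"></iframe>'),
    ])
    return conn

def list_admins(conn, prefix="wp_"):
    """Every account holding the administrator role, oldest first, so the
    webmaster can spot accounts they never created. prefix is the site's
    table prefix from wp-config.php, not user input."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users u
        JOIN {prefix}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = '{prefix}capabilities'
          AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_registered"""
    return conn.execute(sql).fetchall()

def find_suspicious(conn, table, key_col, text_col, prefix="wp_",
                    patterns=SUSPICIOUS):
    """Keys of rows whose text column contains any marker. ('_' is a
    single-character wildcard in LIKE, so base64_decode also matches a few
    harmless variants; acceptable for a triage list.)"""
    where = " OR ".join(f"{text_col} LIKE ?" for _ in patterns)
    sql = f"SELECT {key_col} FROM {prefix}{table} WHERE {where}"
    return [row[0] for row in conn.execute(sql, [f"%{p}%" for p in patterns])]

def audit(conn, prefix="wp_"):
    """Run both checks and return plain lists for reporting."""
    return {
        "admins": [row[1] for row in list_admins(conn, prefix)],
        "posts": find_suspicious(conn, "posts", "ID", "post_content", prefix),
        "options": find_suspicious(conn, "options", "option_name",
                                   "option_value", prefix),
    }

if __name__ == "__main__":
    db = build_sample_db()
    for row in list_admins(db):
        print("administrator:", row)
    print(audit(db))
```

On the sample data the report names denis and wp_support as administrators, post 11 and the widget_text option as suspicious. Against a real site, pass your own table prefix, and remember that a clean audit says nothing about the database password itself: change it regardless, since the attackers read it from wp-config.php.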

If you use WordPress, you might want to give the WordPress Exploit Scanner plugin a try. It scans WordPress files and the database for signs of suspicious activity.

Here is another insightful article that explains how to find backdoor scripts (both in files and in the database) on hacked WordPress blogs.

Contribute

I post WordPress advice here because I use WordPress myself. If you know good resources that can help webmasters of sites powered by other popular PHP scripts, please post them here.

Any comments are valuable, since they make the picture more complete. Thanks.


Reader's Comments (16)

  1.

    [...] This post was mentioned on Twitter by Robert McMillan, arbornetworks, Andre M. DiMino, Denis, Jon™ and others. Jon™ said: RT @unmaskparasites: [blog] Gumblar Breaks WordPress blogs and other complex PHP sites http://bit.ly/isOMP – thousands of sites affected [...]

  2.

    [...] Gumblar Breaks WordPress blogs and other complex PHP sites Needless to say that standard WordPress files index.php and wp-config.php don’t contain any [...]

  3.

    [...] Gumblar Breaks WordPress blogs and other complex PHP sites [...]

  4.

    [...] According to security analyst Denis Sinegubko, apparently some changes made to the Gumblar code caused the problem. These changes were not tested properly, which led to it effectively breaking WordPress blogs. [...]

  5.

    [...] just not only WordPress blogs," but "Any PHP site with complex file architecture can be affected," wrote Sinegubko describing the issue. Crashed WordPress display following error message: Fatal error: [...]

  6.

    Do you know if this is geared towards specific versions of WordPress or if all versions are at risk? A couple of the point releases for 2.8 addressed some security issues and I’m wondering if one of those fixed this exploit.

    •

      They don’t specifically target WordPress. They infect any PHP-driven websites.

      However, the PHP code they inject into existing files doesn’t take into account complex WordPress architecture, which leads to “redeclaration errors” and breaks compromised blogs.

      So any version of WordPress can be broken. Just like any other complex PHP sites (e.g. Joomla, Drupal, phpBB, etc.)

      In this attack, hackers use FTP credentials stolen from webmasters’ computers, so WordPress itself is not to blame.

  7.

    Of course it stinks that someone would create something like this in the first place, but part of me has to smile at their newbish mistake.

  8.

    [...] to the blog Unmask Parasites, there is a new version of the Gumblar botnet making the rounds on PHP based websites. Back in May of this year, this malicious botnet was [...]

  9.

    [...] to Weblog Tools Collection and the blog Unmask Parasites, there is a new version of the Gumblar botnet making the rounds on PHP based [...]

  10.

    [...] to the blog Unmask Parasites, there is a new version of the Gumblar botnet making the rounds on PHP based websites. Back in May of this year, this malicious botnet was [...]

  11.

    [...] Gumblar Breaks WordPress blogs and other complex PHP sites [...]

  12.

    How to remove Trojan: Backdoor

    http://www.tips29.com/2009/01/how-to-remove-trojan-backdoor.html

  13.

    [...] a set of tools and ways for admins to retake their sites back, which can be found on his blog at this link.  Filed under the category Joomla Rating: 0.00 (login to vote) Tags Gumblar Crashes [...]

  14.

    I just recently purchased a software program that will protect and eradicate this virus while restoring your infected files to their original state.

    You can see a video on it at: http://www.webserversguardian.com

  15.

    [...] the corrupted files to your own server. http://www.pcantivirusreviews.com/up…rculating.html http://blog.unmaskparasites.com/2009…lex-php-sites/ http://blog.unmaskparasites.com/2009…jected-script/ [...]