Gumblar Exploit and What Every Webmaster Should Know
Author: Mitch Keeler
Some of you might have heard of Gumblar, and some of you may not have. So, with that in mind, I thought this would be an important enough security concern to bring up with you all here in the newsletter. The Gumblar exploit is becoming a big nuisance for many across the Web, so I wanted to create a thread here to discuss the general problem (not site specific issues) so we can all help each other get more informed about the problem.
What is Gumblar?
Here is how US-CERT describes the exploit:
US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.
The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.
According to security experts, if you have run all the latest updates to your computer and are using a fully patched system, you should be protected from these attacks. So far they have worked by hitting the victim with malicious PDF or Flash files.
How to Protect Your Computer
I would recommend updating your operating system (for example, Microsoft Windows users should run Windows Update) to make sure you are totally secure. Also, to make sure your other programs are up to date, pick up the File Hippo Update Checker. It will scan your computer and, if you have an older version of any program, give you a link to download and upgrade to the latest version.
Next, scan your PC with at least one installed anti-virus program, one (or more) online anti-virus scanners, and the free anti-spyware programs out there. Here are a few programs to choose from:
- AVG Free (free anti-virus scanner)
- Trend Micro Housecall (free online anti-virus scanner)
- Avast Home Edition (free anti-virus scanner)
- Panda ActiveScan (free online anti-virus scanner)
- Spybot Search and Destroy (free anti-spyware scanner)
- AdAware Free (free anti-spyware scanner)
- Microsoft Windows Defender (free anti-virus scanner)
That should have your computer taken care of. Now let us move over to your web hosting account.
How to Protect Your Hosting Account
Once you can be sure you are working from a clean/non-infected computer, you can start worrying about cleaning up your web site files.
Another important step when dealing with a web site security breach is to remove every last bit of the exploit so it cannot come back. Attackers usually plant a back door. Review your web site files and look for anything that does not belong, or that you cannot identify as part of your web site or the scripts you have installed.
Here’s the basic list of files/folders on new Linux-based (Basic and Business) accounts:
- /etc
- /public_html
- /public_html/cgi-bin
- /public_html/.htaccess
- /public_ftp
- /tmp
- /www
- /.lastlogin
- /.contactemail
You may also see the following, depending on your account activity:
- /.fantasticodata
- /.cpanel
- /.cpanel-datastore
- /.htpasswd
You will also want to go through all your files and folders to make sure no infected code still exists. Also check file and folder permissions to make sure you are not giving the public access to modify your hosting account files. Here are a few more good articles and posts about this problem:
- ScanSafe STAT Blog – Gumblar Q and A
- Gumblar .cn Exploit – 12 Facts About This Injected Script
- PHP Script Injection Exploit in WordPress 2.7.1
- Lunarpages Wiki – Web Site Security Breaches
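The file review and permission check described above can be turned into repeatable commands. The script below is an added example written for this newsletter; it is not Lunarpages tooling and not part of the original article. It assumes shell access to the account (SSH or a cron job), standard find(1)/comm(1)/mktemp(1), and a manifest of the files you expect to be there (one relative path per line) taken from a known-clean backup. The sample account tree it builds is constructed for illustration only.

```shell
#!/bin/sh
# Added example: repeatable checks for a Linux hosting account.
# Assumptions: shell access, POSIX find/comm/mktemp, and a manifest of expected
# files built from a clean backup. Not the author's or Lunarpages' own tooling.
export LC_ALL=C   # deterministic sort/comm collation

# 1. Files and directories that anyone on the server may modify (mode ...2).
#    These let a compromised neighbour or a rogue script rewrite your site.
#    Usage on a real account: world_writable "$HOME/public_html"
world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) | sort
}

# 2. Files present on disk that are NOT in your manifest: candidates for a
#    planted back door or an injected script, to be reviewed by hand.
#    Usage: unexpected_files "$HOME/public_html" "$HOME/clean-manifest.txt"
unexpected_files() {
    site_root=$1
    manifest=$2
    expected=$(mktemp)
    sort "$manifest" > "$expected"
    ( cd "$site_root" && find . -type f | sed 's|^\./||' | sort ) | comm -23 - "$expected"
    rm -f "$expected"
}

# 3. Files changed in the last N days. A batch of modified files you did not
#    touch yourself is a classic sign of stolen FTP credentials being used.
#    Usage: recently_modified "$HOME/public_html" 7
recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# Constructed sample account (not real data) so the checks can be tried offline.
# Creates <root>/site with one world-writable directory and one file that is
# missing from <root>/manifest.txt, then prints <root>.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/site/public_html/cgi-bin" "$root/site/public_html/uploads"
    printf '<html>home</html>\n' > "$root/site/public_html/index.html"
    printf 'Options -Indexes\n'   > "$root/site/public_html/.htaccess"
    printf 'not in manifest\n'    > "$root/site/public_html/stray.txt"
    chmod 755 "$root/site" "$root/site/public_html" "$root/site/public_html/cgi-bin"
    chmod 777 "$root/site/public_html/uploads"   # deliberately too open
    chmod 644 "$root/site/public_html/index.html" \
              "$root/site/public_html/.htaccess" \
              "$root/site/public_html/stray.txt"
    printf 'public_html/index.html\npublic_html/.htaccess\n' > "$root/manifest.txt"
    printf '%s\n' "$root"
}
```

Run the three functions from cron and mail yourself the output; an empty result from the first two checks is what a clean account looks like. Anything listed by unexpected_files is only a candidate, not proof of infection, so open it and decide for yourself, and keep the manifest outside public_html so an intruder cannot quietly add their own files to it.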
If you do run into the Gumblar exploit, I hope this helps. If you have any other questions or concerns, remember you can contact our support team around the clock at support@lunarpages.com.