rss feed

ResellerClub

Reseller Hosting Plans

Recently Posted

Archives


Reseller Club Resource Center

Webinars, Instructional Videos and more!
With extensive opinions and insights, the ResellerClub Blog promises to be an enjoyable as well as informative read. We hope you have as much fun reading the posts as we have while publishing them.

Safeguarding your website from Gumblar Attacks

Published by andrew.a | Filed under Important Notifications, Press Release, Support Announcements | On June 9th, 2009

 

Over the past few weeks, several websites hosted on our Linux Servers threw up virus alerts. Further investigation revealed that these alerts were triggered by an injection attack on packages hosted on our servers, commonly known as Gumblar Attacks. FTP logs of these infected packages indicated that machines of the customers who own those domains were compromised and had been used to upload malicious content to their respective Hosting Packages. A few pointers for your benefit:

 

What is a Gumblar Attack?

Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files using obfuscated Javascript. They load malware content from Third Party sites without the user’s knowledge, while also stealing FTP credentials from the victim’s computer, which then allows it to spread and infect additional sites. Therefore, when someone visits such an infected site they get infected; if they have FTP credentials for a website on their machine then those sites get infected too. This explains the exponential growth of the exploit in such a short space of time.

 

What makes it different from other Malware exploits?
There are a number of aspects to this exploit that not just help it spread, but also make it difficult to remove. Firstly, it infects users browsing legitimate websites; if these users are webmasters then it infects their websites by using their FTP credentials to inject the script into their site. The obfuscated malicious code being dynamically generated, makes it difficult to detect and difficult to automatically remove. Not only does the script vary from site to site, it can also vary from page to page on that the one site.

 

For a more detailed read, you can check out the following news article.

 

What steps have we taken?

  1. As a precautionary measure, we have blocked FTP services on our Linux Hosting Servers. This will prevent infection of any other Hosting Package. We are in the process of removing malicious content from all those packages that was infected as a result of this. However if we re-establish FTP connections, your clients will re-infect their respective Hosting Packages since their machines are likely to be compromised.


  2. We will be shifting to a Secure FTP connection and resetting everyone’s FTP passwords across all Linux Hosting packages. You can modify these passwords from your respective Control Panel at a later date. We strongly urge you warn your Customers about this worm and ask them to scan their machines given its exponential spread so far.

 

-ResellerClub Support Desk

 

http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/digg_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/stumbleupon_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/delicious_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/blogmarks_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/furl_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/technorati_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/google_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/facebook_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/yahoobuzz_48.png http://blog.resellerclub.com/wp-content/plugins/sociofluid/images/twitter_48.png
June 9th, 2009

4 Responses to “Safeguarding your website from Gumblar Attacks”

  1. Anand () says:
    June 10th, 2009 at 5:28 pm

    On reading more about the Gumblar attack, it appears that the malware got the FTP passwords from Filezilla in the compromises PCs. Filezilla maintains FTP passwords as clear text, which the malware could easily copy.
    Can you suggest a more robust FTP software (other than net2FTP, which is on the control panel), which is not so vulnerable.

    Regards,
    Anand

  2. andrew.a (http://www.resellerclub.com) says:
    June 11th, 2009 at 8:08 am

    Hello Anand,

    You can use WS FTP for connecting to the server using the secure ftp connection.

    You can find more details on configuring ws ftp and to connect to the server in the below KB link
    http://manage.resellerclub.com/kb/servlet/KBServlet/cat210.html

    Regards,
    Andrew

  3. Masud Vorajee (http://www.indoushosting.com) says:
    August 21st, 2009 at 12:06 pm

    Go through this :

    http://www.unmaskparasites.com/security-report/

    Go to this URL and see if your site or page is infected?

    Login to your SSH and run this command :

    cat /var/log/messages|grep uploaded|grep XXXXXX

    XXXXXX = User ID of your client account [ Assigned via WHM or cPanel ]

    Once you run this,

    It will show you all the disturbed / modified site names which were done using FTP.

    Check if your infected pages has any iFrame in it like this?

    If yes then remove it!

    Scan your computer with a GOOD spyware like SpyBot / SpyHunter etc and then change your FTP password.

    Keep checking if the iFrame is back after doing this?

    Good luck!

  4. Fernando (http://forum.maxsite.org/viewtopic.php?pid=28849) says:
    November 19th, 2009 at 11:43 am

    Thanks for the information!!!!!!!!!!!

Leave a Comment


Note: Enter the text displayed in the image above for your comment to be posted.