Removal and Prevention of Gumblar.cn Infections

Gumblar.cn is a website listed as suspicious: it hosts several exploit scripts and trojans that can harm and infect computers, and Google has marked it as unsafe for browsing. I first encountered it on a website I was working on and saw how and where it infects a site. What the trojan does is embed its encrypted scripts in .HTML, .JS and .PHP files. In .HTML files the trojan's JavaScript sits just before the <body> tag, while in .JS files it is appended at the very bottom of the script file. In .PHP files it usually infects INDEX.PHP and embeds itself either at the top or at the bottom of the file. I also found infections in common .PHP files that are INCLUDEd as a shared file across the site. The anti-virus that detected the virus at the time was AVAST Home Edition with Web Shield and Network Shield turned on.

Here's what you will see if you try to browse a site in Google Chrome that has been infected by the trojan from the said site:

[Screenshot: Google Chrome's malware warning shown when visiting a site infected via gumblar.cn]

Now, how do you remove it from your website? I found no reference on the net for removing it quickly, so what I did was remove the trojan scripts from each file (.JS, .HTML, INDEX.PHP) that I suspected of infection, using FileZilla (an FTP client). For the WordPress infection, all I did was re-update / upgrade the site to the latest version, which overwrites the existing files, and then remove the script from the WP-CONFIG.PHP file. That is the only file the upgrade does not overwrite, which is why I had to remove the trojan scripts from it manually.
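Since the post describes exactly where the injected code lands (a script before `<body>` in .HTML, the tail of .JS files, the top or bottom of INDEX.PHP), a read-only scanner can point you at the files to inspect before you touch anything over FTP. This is an added example, not the post's own tooling; the obfuscation markers it looks for (eval, unescape, base64_decode and the like) are an assumption, since the post does not quote the real payload, so treat every hit as something to review by hand.

```python
import re
from pathlib import Path

# Heuristic markers of obfuscated injected code. These are an assumption for
# this example; the post does not quote the real Gumblar payload.
JS_MARKERS = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)
PHP_MARKERS = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
EDGE_LINES = 5  # lines at the top/bottom of a .js/.php file to inspect

def scan_html(text):
    """Flag <script> blocks that sit before <body> and carry obfuscation markers."""
    body_at = next((m.start() for m in re.finditer(r"<body\b", text, re.I)), -1)
    return [("script-before-body", m.start()) for m in SCRIPT_BLOCK.finditer(text)
            if (body_at == -1 or m.start() < body_at) and JS_MARKERS.search(m.group(0))]

def scan_edges(text, markers):
    """Flag marker hits in the first or last EDGE_LINES lines (where the post saw injections)."""
    lines = text.splitlines()
    hits = []
    if markers.search("\n".join(lines[:EDGE_LINES])):
        hits.append(("top-of-file", 1))
    if len(lines) > EDGE_LINES and markers.search("\n".join(lines[-EDGE_LINES:])):
        hits.append(("bottom-of-file", len(lines) - EDGE_LINES + 1))
    return hits

SCANNERS = {".html": scan_html, ".htm": scan_html,
            ".js": lambda t: scan_edges(t, JS_MARKERS),
            ".php": lambda t: scan_edges(t, PHP_MARKERS)}

def scan_file(path):
    """Return (label, position) findings for one file; unknown extensions give []."""
    scanner = SCANNERS.get(Path(path).suffix.lower())
    return scanner(Path(path).read_text(errors="replace")) if scanner else []

def scan_tree(root):
    """Walk a web root read-only and map relative paths to their findings."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = scan_file(path)
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

if __name__ == "__main__":
    import sys
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, hits)  # review each hit by hand before editing any file
```

Run it against a local download of the site (as one commenter did) rather than the live server, and compare flagged files against a clean copy or a fresh upgrade package before removing anything.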

As always, prevention is better than cure, and it saves you the pain of fixing the problems the trojan causes for the site and its owner. Here are some suggestions and recommendations I found on different web hosting sites about avoiding hacking and malware infections on your site:

  1. Change the file attributes of files that don't require write permission. I usually set my files to 755 (mode 755).
  2. Update your antivirus database and keep the network and web shield features enabled at all times. Infection of websites usually starts from the local PC that is used to upload new files.
  3. Read these PHP security fixes recommended by a web hosting company. They contain comprehensive tips on how to avoid PHP exploits and hacks. Read them carefully and apply them where possible.

If you have any better solutions or recommendations for dealing with this kind of exploit/hack, feel free to leave them here. I am sure a lot of people will highly appreciate the help you can provide.

  • digitalpbk

    Hi, I have made this script to detect and remove Gumblar signatures here:
    http://digitalpbk.com/virus/gumblar-web-virus-manual-removal-free-tool

  • http://www.radvanfortuintekoop.nl Haico

    Never store your passwords digitally, or use some special program like KeepPassSafe.

    Because getting rid of this kind of malware is something you must prevent.
    FileZilla is not safe. I use it, but I let the program always ask for the password. I learned my lesson. It took me 3 full weeks to get clean for sure.

  • LordSilversky

    There's a little bit more to Gumblar than that, but you summed up the damage it can do. Here's what I've discovered:

    Gumblar seems to be spread through various methods, but even if you don't visit the site that has the additional code injected into it, you can get it through other methods. I've read about it getting in with PDF files and Flash files (though I'm not sure about the accuracy of the latter, but I can see how it would be possible).

    What this beast does is infect your computer and use your FTP program to infect your sites. It also sniffs packets going in and out of your computer to get additional FTP info, but if you use Dreamweaver or FileZilla or something like that, it will use the info you already have stored in your program. All the work is done on your computer: the downloading and changing of the file and re-uploading. It just happens in the background.

    From an IT standpoint, this thing is one of the biggest pains I've dealt with, because if you work with a lot of sites (I work with over 200 which are stored and many more that aren't) it's time consuming to fix it.

  • Ken

    Great info. How do I know if I have this virus?

  • John Davis

    I may be naive and I may be blasted as a "fanboy", but I fail to understand why anyone would use an OS that just doesn't get security, even after 15 years of trying. Windows is basically flawed; until it gets a total makeover, I suggest using something stable: Linux, Unix or Mac OS X.

    These problems don’t happen there.

  • http://cite-technologian.blogspot.com Bert Padilla

    Nice post, kabayan…

  • Pingback: Kill that Gumblar Worm!

  • http://www.papers.net.ar alberto

    Nice article!
    If you suspect that your PC running Windows is infected, also delete all temporary internet files.
    Best regards, A

  • http://www.danielansari.com Daniel Ansari

    I created a script yesterday for automatically removing the trojan from a website, and posted it on my blog. (Since I disinfected my site last night, it may still be reported as an attack site, but I requested a review by Google, so that should be done tomorrow; ignore the warning.)
    http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/

  • http://serenitysjourney.com Bernie

    Howdy…
    I had this nasty guy on my site. I downloaded my entire site to a separate hard drive, then ran Avast through the files. I found the infected code (posted below) and removed it from each file from my cPanel, and changed all PWs. This was a tough ball to break indeed!
    Good luck!
    script language=javascript>

  • http://www.isra3l.net yonatan

    Hello, I have made a little script that can help you detect infected files.
    http://www.blog.isra3l.net/?p=184
    Hope this can help you all!
    It works on Linux servers which host sites in /home/$USER/public_html/ directories,
    but it can be changed to scan any folder you wish to search from within.

  • http://www.fitnesstrainer.co.il/ מאמן כושר אישי

    My websites were infected with this trojan.
    Changing file permissions seems to help,
    but how do I solve the source of the problem? How do I prevent my computer from being infected again?
    I use updated Norton Internet Security and I clean the threats with Malwarebytes; it says it finds 93 threats and cleans them, but after some time I find the threats again on my computer.
    Does anyone have any idea how to get rid of the threats for good?

  • Catherine Murphy

    Thank you for posting this!

  • http://seo-services-experts.com/ Dan Malciu@link building

    Many of my blogs were affected and I was really surprised to see emails from Google Webmaster Tools about a possible infection. Since they didn't have my actual email address, they tried admin, webmaster, abuse, info and a lot of other common email addresses for the warning email.

    For WordPress blogs, people will have to edit index.php in the main directory, the wp-content directory, the theme's index.php as well as default-filters.php. I hope this helps.

  • http://www.tigersware.com adel sarlak

    I found this virus 10 days ago and 4 of my customers got it.

    We removed it more than 10 times, but the next day, amazingly, it was on all pages again.

    I found the source file.

    In each "Images" folder in your site it will copy a PHP file, "image.php".

    Before removing the script from the pages, you must write a file of the same name in place of image.php and change the permissions.

    Then remove the scripts.

    If your site gets the iframe version, as fast as you can, you must remove the iframe and then replace the image.php,

    because Google may consider your site a harmful site.

    The good news is that .asp files won't get this virus.

    Another thing is that, in CMS sites, I changed the permissions of the template folders!!!

  • http://www.pragmites.com Gaurav

    Thanks for that :)

    I'm going to try that out.

  • http://www.pragmites.com Gaurav

    Hi,

    I have been doing some digging around for myself with this.
    The best resource that I have come across is this forum:
    http://www.dynamicdrive.com/forums/showthread.php?t=43390&page=3

    Though I don't believe it is a permanent solution. I would like to hear more if someone has some advice.

    Gaurav

    • http://www.bleuken.com bleuken

      Hi Gaurav, thanks for recommending the link. Another thing that I may add for preventing PHP exploits and hacks: disable the anonymous FTP user for the site.