Old 05-21-2009, 12:23 PM  
harvey
Confirmed User
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
Quote:
Originally Posted by mariahxxx View Post
I've been dealing with this since last Friday and it SUCKS! I found it by accident... went to check a member's user/pass using Chrome, and when I went to my site it popped a warning which IE and FF didn't. I checked my page and sure enough there was a script in the head tag! Mojohost got on it, did a restore on the server, and the next day it was infected all over again!

I use AVG Premium at home (at least I did 'til now) and it didn't detect a thing. I installed Avast and it found the backdoor.Trojan.

Over 35k files infected, all the HTML pages on my entire site! Over 500 galleries with an auto-duplicated page for auto submits in each! It fucking sucks!

I've done a re-install of my OS and scan after scan and nothing, so hopefully I'm in the clear.

The way I could tell I was re-infected was I went to my site in FF and in the status bar it said "waiting for maturz.cn"; that will tell you your home machine is fucked.

All good now, but what a righteous pain in the tits!

We didn't know what it was, so we did a restore on the server.

Oh, and btw, I have FileZilla installed but never used it one time after I set it up!!!!! I use Ipswitch, so it got my info from FileZilla even though I never connected with it!
FileZilla is the most common way, not the only one. However, I'd say it's impossible that you infected your server files by surfing the net on your PC; dunno if I'm understanding correctly what you say.

As I said, this sucker hides itself in your server, and doing further investigation we found out people getting infected on shared hosting (different accounts), which talks very bad about that server, of course. So probably you had some file waiting for you to clean everything and then reinfecting it.

Like I said above, it waits up to 48 hours, maybe it waits more, who knows... However, the re-infections usually take 5-6 hours after cleaning everything. IMHO, they're triggered by infected computers, so any surfer that has the crap I mentioned in their registry will re-activate the trojan in your server by doing a request. Again, that's my opinion, not really sure it's that way.

Anyway, just be sure to patch FF with the latest version, since the PDF FF plugin was outdated and that was what caused the massive infection. Now it's fixed, but you gotta have the latest patches.
__________________
This post is endorsed by CIA, KGB, MI6, the Mafia, Illuminati, Kim Jong Il, Worldwide Ninjas Association, Klingon Empire and lolcats. Don't mess around with it, just accept it and embrace the truth
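Added example (not from the thread or any poster): a small Python scanner for the symptom described above, a `<script>` tag injected into the `<head>` of thousands of static pages. It walks a web root, flags head scripts loading from hosts outside an allow-list, and returns per-file SHA-256 hashes so a clean scan can be saved and diffed a few hours later to catch a re-infection; the sample page, the `.invalid` host and the allow-list are constructed for illustration.

```python
import hashlib
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

class HeadScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_head, self.srcs = False, []  # src values of <script> seen in <head>

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head and (src := dict(attrs).get("src")):
            self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def suspicious_scripts(html, allowed_hosts):
    """Head <script src> URLs whose host is not allow-listed; relative
    paths (no host) count as the site's own files and are skipped."""
    finder = HeadScriptFinder()
    finder.feed(html)
    return [s for s in finder.srcs
            if (h := urlparse(s).hostname) and h.lower() not in allowed_hosts]

def scan_tree(root, allowed_hosts, exts=(".html", ".htm")):
    """Return ({relpath: [bad srcs]}, {relpath: sha256}) for a web root; save
    the hash map from a clean scan and diff it later to spot re-infection."""
    findings, hashes = {}, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            hashes[rel] = hashlib.sha256(data).hexdigest()
            bad = suspicious_scripts(data.decode("utf-8", "replace"), allowed_hosts)
            if bad:
                findings[rel] = bad
    return findings, hashes

# Constructed sample page: one injected external head script beside a local one.
SAMPLE_INFECTED = """<html><head><title>Gallery</title>
<script src="http://injected-host.invalid/x.js"></script><script src="/js/site.js"></script>
</head><body><script src="//cdn.example.com/a.js"></script></body></html>"""
```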