Gumblar exploit going around...
This somehow got onto one of my sites... anyone else experience this?
http://blog.unmaskparasites.com/2009...jected-script/ |
Had to clean up a customer's site with this a few days ago. Like the article said, it was a compromised ftp password.
I had the customer scan his pc before giving him his new password of course... he said he had Norton and it did NOT find the customer's trojan. I told him to install Avast and rerun the scan - he did and it DID find it. |
Quote:
@Get Naughty: I assume you're using Filezilla, since it attacks only sites that use Filezilla as FTP client AFAIK. If so, I'll try to find how to fix it, but be prepared for some heavy registry editing. Just in case, if you're using Filezilla and you have a lot of sites or sites whose user/pass you don't remember because you've set Filezilla to remember it, save your filezilla.xml file in another location and do not change passwords for your servers before cleaning your computer or you'll have to do everything again. My partner Ed has cleaned 2 computers and we had to clean servers as well. This shit is nasty, and Avast catches it, but doesn't clean it, no matter what the Avast results say. Plus, most chances are your server is infected and you'll be infected every time you use Filezilla. I'll send a message to Ed to write me the instructions and post it here later as soon as he sends them. In the meanwhile, back up your sites and try to get a backup of your servers from before the date you assume your sites got infected |
That's fucked up. Yeah, I use Filezilla.
|
Hmm. I use FileZilla as well, should I find a new client?
|
Quote:
Alternatively, for further security don't save Filezilla passwords, and use any password tool or simply copy and paste when needed, but if you follow the steps above you'll be probably safe |
Quote:
Nice read. Thank you. |
Quote:
So here is the way to fix it (thanx muchas ED!!!!!):
1- Back up filezilla.xml just in case. Create a clean filezilla.xml file (simply open Notepad and save as filezilla.xml without adding anything)
2- Back up your registry
3- Back up your server.
4- If you don't have Avast, install it, it's free. Download it at http://www.avast.com and scan your PC in thorough mode (NOT FAST MODE!)
5- With Avast installed and running, surf all your sites. If any of them is infected, Avast will warn you.
6- If your server is infected, Avast will tell you which files are compromised. Usually it will be php and js files, but I've seen html files and heard pdf and swf files are infected as well. You may have to edit them or re-upload files. It's faster to re-upload, but you may not have the files, so it's your choice. However, wait before doing anything.
7- If you find out either your PC or your server is compromised, do the following:
8- Run Avast again. You'd be fine, but do it to confirm
9- Now clean your server files. If possible (ie Wordpress, Joomla, phpBB, vBulletin and such) replace all but the uploads folders. To play on the safe side, check that folder's php or html files to see if they have the code; if not, you're safe. Since databases aren't compromised, replace the regular files plus your theme or skin's files if you have 'em.
10- Also check for strange files that aren't supposed to be there; the most common is image.php
11- Check files up to 2 levels BELOW the infected folder, pay attention to strange php or js files. Check your .htaccess as well
12- Once everything is cleaned, change your FTP passwords
13- Done. Annoying, but that's what you gotta do :(
On a side note, it isn't supposed to have a keylogger "per se" (regarding eroticsexxx post), but it will try to download a keylogger that scans for financial info at a later time. I don't know if that's for real, but it's supposed to be that way according to several sources. Another thing: this bitch WAITS before re-infecting. Once you've cleaned everything in your server (or you thought you did), it will wait a few hours or up to a couple of days and reinfect you again, so :warning CLEAN EVERYTHING ON YOUR SIDE BEFORE CLEANING YOUR SERVER :warning Just lmk if you have any problem, I'm no expert by any means but my partner is quite knowledgeable on the matter :) |
Jesus Christ this sounds nasty.
|
I've been dealing with this since last Friday and it SUCKS! I found it by accident... went to check a member's user/pass using Chrome and when I went to my site it popped a warning which IE and FF didn't. I checked my page and sure enough there was a script in the head tag! Mojohost got on it, did a restore on the server and the next day it was infected all over again!
I use AVG Premium at home (at least I did til now) and it didn't detect a thing. I installed Avast and it found the backdoor Trojan. Over 35k files infected, all the html pages on my entire site! Over 500 galleries with auto-duplicated pages for auto submits in each! It fucking sucks! I've done a re-install of my OS and scan after scan and nothing, so hopefully I'm in the clear. The way I could tell I was re-infected was I went to my site in FF and in the status bar it said waiting for maturz.cn; that will tell you your home machine is fucked. All good now but what a righteous pain in the tits! :) We didn't know what it was so we did a restore on the server. Oh and btw I have Filezilla installed but never used it one time after I set it up!!!!! I use Ipswitch, so it got my info from Filezilla even though I never connected with it! |
Quote:
As I said, this sucker hides itself in your server, and doing further investigation we found out people getting infected on shared hosting (different accounts), which speaks very badly of that server, of course. So probably you had some file waiting for you to clean everything and then reinfecting it. Like I said above, it waits up to 48 hours, maybe it waits more, who knows... however, the re-infections usually take 5-6 hours after cleaning everything. IMHO, they're triggered by infected computers, so any surfer that has the crap I mentioned in their registry will re-activate the trojan in your server by doing a request. Again, that's my opinion, not really sure it's that way. Anyway, just be sure to patch FF with the latest version, since the PDF FF plugin was outdated and that was what caused the massive infection; now it's fixed, but you gotta have the latest patches :2 cents: |
thank you so much for the help! :) very much appreciated!
xoxo |
Trying to fix this now but I don't see....
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}
I have no AppID |
Actually I can't find any of the first part... maybe Avast fixed it.
|
Nasty shit indeed! :Oh crap
Fortunately, I am running avast all the time along with sophos. |
All Avast found and all I could find was JQSIEStartDetector.DLL
|
Bump. This got taken care of but you guys should all read this. It's bad stuff.
|
Yup, I've been dealing with all of these lately:
reddii.ru brugeni.net gumblar.cn internetcountercheck.com nakulpi.net. Complete fucking nightmares. You should check your source code for all of these |
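The thread's cleanup advice boils down to three checks on the server side: look for injected script tags pointing at the domains people listed above (gumblar.cn, maturz.cn, reddii.ru, brugeni.net, internetcountercheck.com, nakulpi.net), look for dropped files such as image.php, and check .htaccess. The script below is an added example, not a tool from any of the posters; it walks a web root and reports files matching those three checks. The domain list comes from the thread, the file-walk and regex logic is my own assumption about what a cleanup pass should cover, and the sample web root it builds is constructed for the demo.

```python
"""Scan a web root for Gumblar-style injected script tags and dropped files.

Added example for this thread (not code from any poster). It applies the
three server-side checks the posts describe: <script src> references to the
domains named in the thread, stray image.php files, and .htaccess files that
mention those domains.
"""
import os
import re
import tempfile
from pathlib import Path

# Domains named by posters in this thread as appearing in injected code.
SUSPECT_DOMAINS = (
    "gumblar.cn", "maturz.cn", "reddii.ru", "brugeni.net",
    "internetcountercheck.com", "nakulpi.net",
)
# File types the thread says were being injected (html/php/js; pdf/swf are
# binary and need a different check, so they are left out here).
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js"}

DOMAIN_RE = re.compile("|".join(re.escape(d) for d in SUSPECT_DOMAINS), re.I)
# Matches <script ... src=...> and captures the src value (quoted or bare).
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def scan_text(text):
    """Return a list of reasons why this file content looks injected."""
    reasons = []
    for match in SCRIPT_RE.finditer(text):
        src = match.group(1)
        if DOMAIN_RE.search(src):
            reasons.append(f"script src to suspect domain: {src}")
    # Injected code is often obfuscated; also flag any bare mention of the domains.
    if not reasons and DOMAIN_RE.search(text):
        reasons.append("suspect domain mentioned outside a script src")
    return reasons


def scan_tree(root):
    """Walk root and return {relative_posix_path: [reasons]} for suspicious files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        # Step 10 of the cleanup post: image.php is the most common dropped file.
        if path.name == "image.php":
            reasons.append("unexpected image.php (dropped file named in thread)")
        # Step 11: check scripts and .htaccess for injected references.
        if path.suffix.lower() in SCAN_SUFFIXES or path.name == ".htaccess":
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            reasons.extend(scan_text(text))
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root):
    """Write a small constructed web root: a clean page, an injected gallery
    page, a dropped image.php and a clean .htaccess (all made up for the demo)."""
    root = Path(root)
    (root / "gallery1").mkdir(parents=True, exist_ok=True)
    (root / "index.html").write_text(
        "<html><head><title>ok</title></head><body>clean</body></html>")
    (root / "gallery1" / "index.html").write_text(
        '<html><head><script src="http://gumblar.cn/rss/?id=1"></script>'
        "</head><body>gallery</body></html>")
    (root / "gallery1" / "image.php").write_text("<?php echo 'dropped'; ?>")
    (root / ".htaccess").write_text("RewriteEngine On\n")
    return root


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against a copy of the web root pulled down from the server; anything it lists is a candidate for re-upload from a known-clean source, and the posters' point still stands that the local machine has to be cleaned and FTP passwords changed afterwards, or the same files come back.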