Gumblar Attack - information and initiatives [Updated]
We have been reported of several websites hosted on our Linux Servers showing virus alerts. Our investigations have revealed that these alerts are due to an injection attack on packages hosted on our servers. The FTP logs of the infected packages indicate that the machines of the clients/resellers who own those domains are compromised and have been used to upload malicious content to their respective hosting packages.
What is a Gumblar Attack?
What makes it different from previous malware exploits?
There are a number of aspects to this exploit that both make it difficult to remove and help it spread. Firstly, it is infecting users who are browsing legitimate websites, if these users are webmasters then it is infecting their websites by using their FTP credentials to inject the script onto their site. The obfuscated malicious code is dynamically generated. This makes it difficult to detect and difficult to automatically remove. Not only does the script vary from site to site but it can also vary from page to page on the one site.
For more information visit:
What have we done?
As a precautionary measure, we have temporarily blocked FTP services on our Linux Hosting Servers. This will prevent infection of any other hosting packages. We are in the process of removing malicious content from every package that was infected as a result of this. However if we re-establish FTP connections the infected client machines will re-infect their respective hosting packages.
What we are doing?
We will be shifting to a secure FTP connection and resetting everyone's FTP passwords across all Linux Hosting packages. You can later on modify these passwords from your website management panel. You should ideally informed and be aware while surfing the internet and visiting websites about this worm and scan your machines thoroughly to ensure that no more infections may occur.
For any further queries and clarification please feel free to mail us at firstname.lastname@example.org.
Posted on: Tuesday, 9th June 2009 8:39 AM