<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TechJaws.com &#187; Kristi</title>
	<atom:link href="http://www.techjaws.com/author/kristi/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techjaws.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 02:01:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>New PHP Exploit on the Loose</title>
		<link>http://www.techjaws.com/new-php-exploit-on-the-loose/</link>
		<comments>http://www.techjaws.com/new-php-exploit-on-the-loose/#comments</comments>
		<pubDate>Wed, 20 May 2009 11:28:27 +0000</pubDate>
		<dc:creator>Kristi</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Info & Tips]]></category>
		<category><![CDATA[How to Avoid Exploits]]></category>
		<category><![CDATA[How to Prevent PHP Injections]]></category>
		<category><![CDATA[How to Remove Martuz.cn]]></category>
		<category><![CDATA[How to Secure WordPress]]></category>

		<guid isPermaLink="false">http://www.techjaws.com/?p=5043</guid>
		<description><![CDATA[In a follow up to the PHP Injection Script Exploit Gumblar.cn, there is a new version on the loose: Martuz.cn. It is the evolution of the Gumblar.cn script &#8211; much nastier than the first. Instead of just injecting code onto PHP and JavaScript files, it goes further by adding new PHP files to your images [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody"><p>In a follow-up to the <a href="http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/">PHP Injection Script Exploit</a> <strong>Gumblar.cn</strong>, there is a new version on the loose: <strong>Martuz.cn</strong>. It is the evolution of the Gumblar.cn script &#8211; much nastier than the first. Instead of just injecting code into PHP and JavaScript files, it goes further by adding new PHP files to your images directories and adding the script to HTML files as well.</p>
<p>There is more to these two exploits: they are not limited to PHP-based blogs and forums &#8211; larger sites, such as Tennis.com, Variety.com, and Coldwellbanker.com, have been hit, along with over 2,300 other websites. The average internet user will discover that their machine is infected with this virus when they notice that their Google search results in Internet Explorer and Firefox have been hijacked &#8211; clicking on the result they want takes them to some other site. The virus also goes one step further and looks for any FTP credentials on the machine in order to inject the script onto more websites. Some sites have reported that the script can also modify the permissions of specific directories to give itself write access to the files within.</p>
<p><strong>What does this mean to website owners</strong>?</p>
<ul>
<li>Up to an hour (or more, depending on the size of the site) of cleaning up and rebuilding each infected site.</li>
<li>Visitors receiving warning messages through their browser or security software that your site is dangerous.</li>
<li>Possibility of being de-listed by Google to prevent spreading the virus.</li>
</ul>
<p><strong>So how do you protect yourself, the average internet surfer</strong>?</p>
<ul>
<li>Update your <a href="http://www.adobe.com/products/reader/">Adobe Reader</a> to the latest version, and under the Edit menu &gt; Preferences, uncheck the Enable JavaScript option.</li>
<li>Update your <a href="http://www.adobe.com/products/flashplayer/">Flash Player</a> to the latest version.</li>
<li>Update your security software and scan for spyware / viruses.</li>
</ul>
<p><strong>How do you clean your infected WordPress site</strong>?</p>
<ul>
<li>First, protect your machine as listed above. Uploading files onto your website from an infected machine will just lead to more injections of the script later.</li>
<li>For the previous exploit, simply cleaning the PHP and JavaScript files within your WordPress installation, themes, and plugins was seemingly enough. But the new exploit goes further and adds the injected script to JavaScript and HTML files anywhere on your site, down to the simple readme.html files that come with themes, plugins, etc.</li>
<li>The newer scripts also add an images.php and/or gifimg.php file with the malicious code to many or all of your images directories, from the main one down to image directories in themes, plugin folders, and so on.</li>
<li>If you have to go in and remove the malicious code manually, you will find it at the top of PHP files, near the bottom of JavaScript files, in the head area of HTML files between script tags, and in the injected images.php and/or gifimg.php files in image directories. The code can vary from site to site, even page to page.</li>
</ul>
<p><strong>How do you protect your website from further attacks</strong>?</p>
<ul>
<li>For WordPress, apply recommended security measures listed in the following articles: <a href="http://www.techjaws.com/wordpress-security-tips/">WordPress Security Tips</a>, <a href="http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked">How to Stop Your WordPress Blog Getting Hacked</a>, <a href="http://freepcsecurity.co.uk/2009/05/19/wordpress-security/">WordPress Security</a>.</li>
<li>Do not save/remember your FTP credentials or administrative logins to your websites. Also, be sure to use a <a href="http://www.techjaws.com/are-you-using-a-secure-ftp-client/">secure FTP client</a>.</li>
<li>Keep a clean backup of the latest changes you have made to your site. The better your backup, the faster your rebuild process if this happens to you.</li>
</ul>
<p>Thanks to Kristi, the owner and author of the <a title="Kikolani - The Art of Blogging | Technically Beautiful, Artfully Beneficial" href="http://kikolani.com/" target="_blank">Kikolani</a> blog, for this great follow-up article.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://www.techjaws.com/new-php-exploit-on-the-loose/feed/</wfw:commentRss>
		<slash:comments>22</slash:comments>
		</item>
		<item>
		<title>PHP Script Injection Exploit in WordPress 2.7.1</title>
		<link>http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/</link>
		<comments>http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/#comments</comments>
		<pubDate>Mon, 11 May 2009 18:01:03 +0000</pubDate>
		<dc:creator>Kristi</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[Gumlar]]></category>
		<category><![CDATA[Hack]]></category>
		<category><![CDATA[How to remove Gumlar Exploit]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[PHP Script Injection]]></category>

		<guid isPermaLink="false">http://www.techjaws.com/?p=4943</guid>
		<description><![CDATA[I experienced my first site hack this weekend thanks to a warning message from Kaspersky Internet Security. When I logged into the admin panel of WordPress, it detected the gumblar.cn/rss/?* in my Firefox browser. After a little Google research, I found out that this was a PHP script injection that had found its way into [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody"><p>I experienced my first site hack this weekend thanks to a warning message from Kaspersky Internet Security. When I logged into the admin panel of WordPress, it detected the <strong>gumblar.cn/rss/?*</strong> in my Firefox browser. After a little Google research, I found out that this was a PHP script injection that had found its way into many of the PHP files of my site, including the index.php and index-extra.php of the wp-admin folder, functions.php in the wp-includes folder, index.php in the wp-content folder, custom-functions.php in the Thesis theme&#8217;s custom folder, and even the main wp-config.php file in the root. The code was in the beginning of these php files, and started out as follows:</p>
<p><img class="alignnone size-full wp-image-4947" style="border: 0pt none; margin: 2px 0px;" title="gumlar-exploit" src="http://www.techjaws.com/wp-content/uploads/2009/05/gumlar-exploit.gif" alt="gumlar-exploit" width="486" height="53" /></p>
<p>Even after removing the code from the above pages, I still encountered the same warning message from Kaspersky, which meant the injection was in even more php files. I decided that checking each php file was going to take a lot of time, so I downloaded a fresh installation of <a href="http://wordpress.org/download/" target="_blank">WordPress 2.7.1</a> and the <a href="http://kikolani.com/getting-started-with-the-thesis-theme-resources.html" target="_blank">Thesis Theme</a>. I only saved my original wp-config.php and custom-functions.php files after removing the injected PHP script because of the custom settings and code within them.</p>
<p>After the fresh installation, I still had the malware code on my site. The final folder that I didn&#8217;t check was my plug-ins. Sure enough, after I deleted all of my plug-ins, my site was finally free of the malicious code.</p>
<p><strong>In summary, these were the steps I took to remove the code from my site, which took about two hours</strong>:</p>
<ul>
<li>Saving the original wp-config.php and custom-functions.php from Thesis after the removal of the script in the top line of the PHP</li>
<li>Downloading and installing a fresh copy of WordPress 2.7.1 and my current theme, Thesis 1.5</li>
<li>Deleting all plug-ins and re-installing them from inside the WordPress admin panel</li>
<li>Changing my WordPress and FTP login passwords to (hopefully) protect my site from further attacks</li>
</ul>
<p>I can say with certainty that if I had not upgraded earlier in the week to the new WordPress 2.7.1 and <a href="http://kikolani.com/getting-started-with-the-thesis-theme-resources.html" target="_blank">Thesis Theme</a>, this cleanup process would have been much more difficult, simply because being forced to do the full upgrade in the middle of dealing with the hack would have been even more stressful. Plus, with previous WordPress versions, I would not have been able to simply search for and install the new plug-ins through the admin panel &#8211; it would have meant download, unzip, upload, and activate. And with any other theme, I would have certainly lost my custom coding in all of the theme template files without a recent backup. Fortunately, with Thesis, all of the custom PHP coding is handled in the one custom-functions.php file.</p>
<p>I believe that the code was only on my site for more than four hours, as I had worked on my site earlier around 7pm, and did not receive the first warning message from Kaspersky until 11:30pm. Nonetheless, this goes to show that you should always make sure your <a href="http://www.techjaws.com/what-are-the-best-antivirus-programs/" target="_blank">antivirus</a> and <a href="http://www.techjaws.com/are-you-spyware-free/" target="_blank">spyware programs</a> are up to date, and that any coding customizations to your site should be saved often. Any website, trusted ones and even your own, is susceptible to unwanted surprise attacks.</p>
<p><strong>Blog contributed by Kristi at <a title="Kikolani Blog" href="http://kikolani.com/" target="_blank">http://kikolani.com/</a></strong>.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://www.techjaws.com/php-script-injection-exploit-in-wordpress-271/feed/</wfw:commentRss>
		<slash:comments>43</slash:comments>
		</item>
	</channel>
</rss>

