New PHP Exploit on the Loose

by on 05/20/2009 in Security, Security Info & Tips

In a follow-up to the PHP injection script exploit Gumblar.cn, there is a new version on the loose: Martuz.cn. It is the evolution of the Gumblar.cn script – much nastier than the first. Instead of just injecting code into PHP and JavaScript files, it goes further by adding new PHP files to your images directories and adding the script to HTML files as well.

There is more information about these two exploits. They are not limited to PHP-based blogs and forums – larger sites such as Tennis.com, Variety.com, and Coldwellbanker.com have been hit with this exploit, along with over 2,300 other websites. The average internet surfer will discover that their machine is infected with this virus when they realize their Google search results in Internet Explorer and Firefox have been hijacked – clicking on the result you want will take you to some other site. The virus will also go one step further and look for any FTP credentials on your machine in order to inject the script onto more websites. Some sites have reported that the script can also modify the permissions of specific directories to give itself write access to the files within.

What does this mean to website owners?

  • Up to an hour (or more, depending on size) of cleaning up and rebuilding each site infected.
  • Visitors receiving warning messages through their browser or security software that your site is dangerous.
  • Possibility of being de-listed by Google to prevent spreading the virus.

So how do you protect yourself, the average internet surfer?

  • Update your Adobe Reader to the latest version, and under the Edit menu > Preferences, uncheck the Enable JavaScript option.
  • Update your Flash Player to the latest version.
  • Update your security software and scan for spyware / viruses.

How do you clean your infected WordPress site?

  • First, protect your machine as listed above. Uploading files onto your website from an infected machine will just lead to more injections of the script later.
  • For the previous exploit, simply cleaning the PHP and JavaScript files within your WordPress installation, themes, and plugins was seemingly enough. But the new exploit goes further and adds the injected script to JavaScript and HTML files anywhere on your site, down to the simple readme.html files that come with themes, plugins, etc.
  • The newer scripts also add an images.php and/or gifimg.php file with the malicious code to many or all of your images directories, from the main one down to image directories in themes, plugin folders, and so on.
  • If you have to go in and remove the malicious code manually, you will find it at the top of PHP files, near the bottom of JavaScript files, and in the head area of HTML files between script tags, as well as in the injected images.php and/or gifimg.php files in image directories. The code can vary from site to site, even page to page.
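To make the manual hunt described above repeatable, here is an added example scanner (not part of the original post or of WordPress) that walks a site tree, reports the dropped images.php / gifimg.php file names, and reports the first line of any PHP, JavaScript or HTML file that references the Gumblar.cn or Martuz.cn domains named in the article. The `eval(base64_decode` marker is a heuristic assumption for obfuscated PHP, not something the article states, and the sample site tree is constructed inline for demonstration.

```python
import os
import re
import tempfile

# File names the article says the newer script drops into image directories.
DROPPED_FILES = {"images.php", "gifimg.php"}
# Domains named in the article, plus a common obfuscation marker (heuristic assumption).
SUSPECT = re.compile(r"gumblar\.cn|martuz\.cn|eval\s*\(\s*base64_decode", re.I)
SCAN_EXT = {".php", ".js", ".html", ".htm"}


def scan_site(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in DROPPED_FILES:
                findings.append((rel, "dropped file name"))
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    hit = SUSPECT.search(line)
                    if hit:  # report the first hit so the cleaner knows where to look
                        findings.append((rel, f"line {lineno}: {hit.group(0)}"))
                        break
    return sorted(findings)


# Constructed sample tree mimicking the infection pattern described in the article.
SAMPLE_FILES = {
    "index.php": "<?php\n// clean file\necho 'hello';\n",
    "wp-content/uploads/images/gifimg.php": "<?php eval(base64_decode('Zm9v')); ?>\n",
    "wp-content/themes/demo/readme.html":
        "<html><head>\n<script src=\"http://martuz.cn/\"></script>\n</head></html>\n",
    "wp-content/themes/demo/script.js":
        "function f(){return 1;}\n\nvar u='http://gumblar.cn/';\n",
}


def demo():
    """Write the constructed tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_site(root)
```

Because the article notes the injected code varies from site to site, treat a clean scan as a starting point, not proof, and compare against a known-good copy of the files wherever one exists.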

How do you protect your website from further attacks?

Thanks to Kristi the owner and author of the Kikolani blog for this great follow up article.

22 Responses to “New PHP Exploit on the Loose”

  1. Colin

    May 20th, 2009

    Great article Kristi :)

    Securing sites and changing passwords are so very important, yet simple measures can mitigate the effects of these attacks.

    The onslaught on mine continues, but security measures in place are holding out well.

    I store passwords externally on a USB drive using KeePass so I can use quite complex ones that I would never be able to remember LOL, and when coming under attack it makes one a bit paranoid about security, checking, scanning and doing it all again :)

  2. John Sullivan

    May 20th, 2009

    I was about 3/4 through when I was saying to myself Damn Franks on a roll :)
    ah then I looked up at the TOP I knew IT LOL:)
    Last night I was going around and saw Kristi’s comments everywhere :) even if they weren’t do-follow she was throwing down. Darren and John C and even higher up than that had better be saving that cash because they’re getting ready to need it. You heard it here first: the next KING of Blogging is a GIRL :)
    thanks
    thumbed
    PS I felt inspired to thank Lyndi from nice2all.com with a post last night if you GUYS ;) get a chance to check it out and know her pls share your thoughts. If you love wp and don’t know her you should :) Thanks

  3. David

    May 20th, 2009

    Does anyone know if this is just a WordPress hack? My old school was recently hacked and they don’t use WordPress – sounds quite similar to this – an images.php file was also created.

    • Frank J

      May 20th, 2009

      David,

      Not only WP, but forums that are running php as well as websites.

  4. Kristi

    May 20th, 2009

    @Colin: Thanks! I’ve applied as many of the security tricks I can, and am hoping that will ensure my site doesn’t get hit by this thing again.

    @John: I was visiting a lot of sites about this and WordPress security yesterday, trying to figure out this issue. Seems like a lot of people want to write about it, but not as many want to help you fix it.

    @David: It doesn’t seem to be just WordPress, or even just PHP sites. I read through comments on some of the posts about this exploit, and people with just HTML and Javascripts on their sites are getting this too. I think they are using the FTP credentials of any site they can get their hands on to spread this thing around.

  5. Fil

    May 20th, 2009

    Here’s my vaccine against the Gumblar worm. Hope this helps.
    http://zzz.rezo.net/Security-beware-of-the-Gumblar.html

  6. KushMoney

    May 20th, 2009

    Lucky we got great people to keep us updated on how to stop this.

    • Frank J

      May 20th, 2009

      Kush,

      That’s what we love to do!

  7. Grand Rapids dating

    May 20th, 2009

    Thanks for the warning! It’s really hard to detect viruses these days; you end up blaming your browser!

    • Frank J

      May 21st, 2009

      Glad we could help!

  8. bloggista

    May 20th, 2009

    Aww, this is getting scarier – and non-tech savvy bloggers like me have all the reasons to be scared. Thanks for the great tips Frank! As usual, they’re always helpful.

  9. David Hopkins

    May 21st, 2009

    @Kristi – I thought it must have been FTP as some of the sites that have been hacked are custom-built. It could always be some sort of Apache flaw or massive directory traversal punts.

    BTW congratulations on your marriage. Seems all the good gals are getting snapped up :P

  10. Jeet

    May 22nd, 2009

    I had to also edit default-filters.php in one of my WordPress blogs that was affected by this. One of the worst parts was I couldn’t log in because even the wp-admin index.php was affected.

    • Frank J

      May 22nd, 2009

      Jeet,

      Glad you were able to combat the issue.

  11. Kill that Gumblar Worm!

    May 27th, 2009

    […] of links related to the Gumblar trojan : Gumblar explode across the Web Beware of the Gumblar Worm PHP exploit on the loose 12 Facts about the Gumblar Exploit Removal and Prevention of […]

  12. B. Djassi

    May 27th, 2009

    All of the information is good, but it only seems to cover what the malware is and how to keep yourself from getting it. I have it and I need to know how to REMOVE it.

    Please help.

    • Frank J

      May 27th, 2009

      There are many great places to get free scans. Try these:

      Symantec.com
      TrendMicro.com
      McAfee.com

  13. Rome Flights

    Jun 2nd, 2009

    Thanks for sharing the links. Especially the ones about WordPress security.

    I think it mostly happens in the new WordPress, but I just found out too late I guess.

    • Frank J

      Jun 2nd, 2009

      Better late than never.

  14. David

    Jun 7th, 2009

    I have an osCommerce site and it keeps coming back for some pesky reason. It adds code to my PHP pages; I download the whole site then do a find for the malicious code. I go to view the site in my browser and I get the virus on my PC again. Grrrrrr.

    Any tips for osCommerce?

  15. Allan

    Jun 20th, 2009

    Wow nice info you have here. I hope this will help a lot of people. I will tell my friends to read this. Thanks

    • Frank J

      Jun 20th, 2009

      Allan,

      Thanks and glad we could share.