Where to Look for Gumblar Backdoors
On the client side, one of the things Gumblar does is steal FTP login credentials. The Gumblar attackers then use those credentials to log in to the victims' websites and plant a backdoor that turns each compromised site into an actual malware host. Other Gumblar-compromised sites are outfitted with hidden iframes that point to one (or more) of these hosts. Thousands of compromised sites are currently acting as hosts, which greatly complicates efforts to shut down the source of the malware.
Many of the websites are small, probably unmanaged (and possibly abandoned) sites. Many others, however, are active, business-oriented websites, including some in the financial sector. Whether abandoned or actively managed, all of them are serving as live malware hosts, and the sheer number of them is enabling rapid growth of the two-tier Gumblar botnet (infected client PCs plus compromised web servers).
Website admins who have shell access can grep all files for base64_decode to identify possible backdoor PHP scripts. A legitimate web application may use this function for non-malicious purposes, so a hit is not proof of compromise, but it's a good starting point for files to examine further for unwanted code.
Most of the affected sites will probably be managed solely through FTP (or some Web interface), and the site admins won't have shell access. For those, the best bet will be to:
- Search for unexpected PHP files, or for PHP files unexpectedly modified in the past month (sort your file listing by modification date);
- Look for a subfolder named /s in the same directory as any suspicious PHP file;
- Check every folder on the site, not just the one holding the home page, as Gumblar may install itself in multiple locations.
You can also check your FTP log files for entries showing that a file was downloaded from your website and then re-uploaded a few minutes later; that is the footprint of an attacker fetching a page with your stolen credentials, injecting code and putting it back.
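The checks above (the base64_decode grep, recently modified PHP files, PHP files sitting beside an /s subfolder, and the download-then-re-upload pattern in FTP logs) can be scripted for an admin who does have a shell. The following is an added example, not code from the original article: the site tree, the file contents and the log lines are constructed, the log format is a simplified "epoch direction path" layout that you would have to map onto your own server's log (for example xferlog), and the 30-day and 10-minute thresholds are assumptions you should tune.

```shell
#!/bin/sh
# Added example (not from the article): shell checks for the Gumblar
# indicators discussed above. Sample files and log lines are constructed.
# Assumes POSIX sh plus find, grep, awk, sort, mktemp and touch.

# PHP files that call base64_decode: candidates for manual review. Legitimate
# code uses it too, so every hit still needs a human look.
find_base64_php() {            # $1 = document root
  find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} + | sort
}

# PHP files modified within the last N days (default 30).
find_recent_php() {            # $1 = document root, $2 = days
  find "$1" -type f -name '*.php' -mtime "-${2:-30}" | sort
}

# PHP files that have an "s" subfolder next to them, the pairing the article
# describes. The whole tree is searched because Gumblar may install itself
# in several places.
find_php_with_s_dir() {        # $1 = document root
  find "$1" -type d -name s | while IFS= read -r sdir; do
    for f in "$(dirname "$sdir")"/*.php; do
      [ -f "$f" ] && printf '%s\n' "$f"
    done
  done | sort
}

# Same file downloaded (o) and then uploaded (i) again within a time window:
# the trace an FTP log shows when stolen credentials are used to edit a page.
# Constructed log format: "<epoch> <o|i> <path>"; map your real log onto it.
find_reupload_pairs() {        # $1 = log file, $2 = window in seconds (default 600)
  awk -v win="${2:-600}" '
    $2 == "o" { dl[$3] = $1 }
    $2 == "i" && ($3 in dl) && ($1 - dl[$3]) >= 0 && ($1 - dl[$3]) <= win { print $3 }
  ' "$1" | sort -u
}

# Constructed sample site: one dropper-style file beside an s/ folder, one
# benign base64_decode user, one old untouched page.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/images/s" "$root/blog"
  printf '%s\n' '<?php eval(base64_decode("ZWNobyAiY29uc3RydWN0ZWQiOw=="));' > "$root/images/image.php"
  printf '%s\n' '<?php echo base64_decode("aGVsbG8=");' > "$root/blog/legit.php"
  printf '%s\n' '<?php echo "home";' > "$root/blog/index.php"
  touch -t 200901010000 "$root/blog/index.php"   # make it look long untouched
  printf '%s\n' "$root"
}

# Constructed sample FTP log: index.php fetched and re-uploaded two minutes
# later, about.php re-uploaded hours later, image.php uploaded with no fetch.
make_sample_ftp_log() {
  log=$(mktemp)
  cat > "$log" <<'EOF'
1242000000 o /httpdocs/index.php
1242000120 i /httpdocs/index.php
1242000130 o /httpdocs/about.php
1242009000 i /httpdocs/about.php
1242000200 i /httpdocs/images/image.php
EOF
  printf '%s\n' "$log"
}

# Run all four checks against the constructed sample and print the results.
demo() {
  site=$(make_sample_site); log=$(make_sample_ftp_log)
  echo "== PHP files using base64_decode =="; find_base64_php "$site"
  echo "== PHP files modified in the last 30 days =="; find_recent_php "$site"
  echo "== PHP files beside an s/ folder =="; find_php_with_s_dir "$site"
  echo "== downloaded then re-uploaded within 10 minutes =="; find_reupload_pairs "$log"
  rm -rf "$site" "$log"
}
```

Source the file and call `demo`, or call the individual functions against your real document root and a log converted to the three-field layout. Note that the benign file is flagged by the base64_decode check, which is exactly why that list is a starting point for review rather than a list of files to delete.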
If you discover these symptoms on your website, assume the site is compromised with the Gumblar backdoor and, as a result, is actively being used to infect visitors across the Web.
To remove the backdoor, a thorough sweep of the site will be necessary, deleting the Gumblar PHP files and the accompanying /s subfolders. You should also look for other unwanted changes to the site, paying close attention to folder permissions and configuration settings, and check for additional, unauthorized admin accounts that may have been added. Of course, the fact that Gumblar was able to compromise the site in the first place indicates that your FTP username and password were stolen at some point and must be changed. Change them from a machine you know is clean: the credentials were harvested from an infected client PC, and a new password typed on that same PC will simply be stolen again.

Mary Landesman
Reader Comments (1)
Since access is gained through FTP, also check directories outside the webroot (i.e. 'httpdocs' or similar), like 'errordocs' or 'httpsdocs', even if no HTTPS website is active.