Gumblar Compromised Sites Up Another 9%
As of 5:30 a.m. PST today, Gumblar-compromised sites increased another 9%. This brings the total jump from last week to a 215% increase. But there is a silver lining - the 9% jump is the smallest we've seen yet with Gumblar. We think (hope) this is an indication that the media attention is making site owners aware and that sites are getting cleaned up.
A couple of things to keep in mind. ScanSafe data is based on actual customer blocks. So when we count the number of unique domains that have been compromised by Gumblar, we are counting the number of unique Gumblar-compromised domains our customers have visited. (And yes, all ScanSafe customers using our malware service have been protected throughout.) The point is, the actual number of Gumblar-compromised domains is much higher than what we are reporting, since our reports are based solely on encounters.
Secondly, site owners who have had their sites compromised by Gumblar should keep in mind that while stolen FTP credentials appear to be the initial means of access, once that access is gained it appears the attackers are 'backdooring' the sites. This means that simply changing the FTP password won't be enough. Site owners will want to check their logs carefully for changes that may have been made post-intrusion. This includes checking things like htaccess, php_includes, and other configuration settings, as well as ensuring directory permissions are set appropriately.
Additionally, some have reported that malicious image files may also have been uploaded to the Gumblar-compromised sites. In some instances, through a process known as MIME-sniffing, the Internet Explorer browser will treat these image files as HTML, which means that the scripts hidden inside the booby-trapped images can execute. As an extra precaution, you may want to restore known clean images from a backup.
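The two checks above (reviewing configuration files such as .htaccess for post-intrusion changes, and looking for image files that are really HTML or script) can be scripted for a whole web root. The following is an added example, not ScanSafe's code or a tool from the original post; the marker strings, the .htaccess patterns and the sample files it writes to a temp directory are all constructed here for illustration, and the scan is a first-pass triage aid, not proof that a site is clean.

```python
"""
Triage scan of a web root for Gumblar-style post-intrusion artifacts:
  - image files whose bytes do not match their extension, or that carry
    HTML/script/PHP markers a MIME-sniffing browser could execute;
  - .htaccess files with directives that make images execute as PHP,
    prepend a file to every PHP request, or redirect visitors elsewhere.
Sample files are constructed in a temp directory so the script runs offline.
"""
import os
import re
import tempfile

# Leading bytes for the image formats a typical small site serves.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Byte sequences that have no business inside an image body (constructed list).
SCRIPT_MARKERS = (b"<script", b"<html", b"<iframe", b"<?php", b"eval(")

# .htaccess directives worth a second look after a compromise (constructed list).
HTACCESS_PATTERNS = [
    re.compile(rb"^\s*(AddType|AddHandler)\s+application/x-httpd-php\b.*\.(gif|jpe?g|png)", re.I | re.M),
    re.compile(rb"^\s*php_value\s+auto_(pre|ap)pend_file\b", re.I | re.M),
    re.compile(rb"^\s*(RewriteRule|Redirect)\b.*https?://", re.I | re.M),
]


def check_image(path):
    """Return a list of findings for one image file (empty if it looks clean)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("header does not match %s" % ext)
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            findings.append("contains %s" % marker.decode())
    return findings


def check_htaccess(path):
    """Return the patterns (as strings) that matched inside one .htaccess file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [p.pattern.decode() for p in HTACCESS_PATTERNS if p.search(data)]


def scan_webroot(root):
    """Walk root; return {relative_path: [findings]} for files that need review."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits = check_htaccess(full) if name == ".htaccess" else check_image(full)
            if hits:
                report[rel] = hits
    return report


def build_sample_webroot():
    """Constructed sample tree: one clean GIF, one booby-trapped 'image', one altered .htaccess."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)          # valid header, no markers
    with open(os.path.join(root, "images", "banner.jpg"), "wb") as fh:
        fh.write(b"<html><script>eval('constructed-sample')</script></html>")
    with open(os.path.join(root, ".htaccess"), "wb") as fh:
        fh.write(b"Options -Indexes\nAddHandler application/x-httpd-php .jpg .gif\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, hits in sorted(scan_webroot(sample).items()):
        print(rel, "->", "; ".join(hits))
```

Run it against a copy of the site taken from the server (not the live document root) and review every hit by hand; a mismatched header on a real image is also common when a file was renamed, so treat the output as a review list. Serving static files with an X-Content-Type-Options: nosniff response header (honoured by IE8 and later browsers) removes the MIME-sniffing behaviour the post describes for visitors on those browsers, but it does not replace restoring clean images from backup.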
Last but not least, if you do administer a website that has been compromised by Gumblar, you have to assume that one or more of the computers used to manage that site has been infected. After all, the attackers are gaining initial access via FTP credentials that were stolen as a result of that infection. So don't just clean up your website; you'll want to clean up any of the computers used to manage that website as well.

Mary Landesman
Reader Comments (2)
I want to thank you for your very useful discussions of gumblar. I had the misfortune to get infected, and thereby have my web site infected, way back before anyone knew what it was, and I have spent countless hours trying to figure out what was going on and trying to get my computer and my web site cleaned up. I have talked with tech support people at my antivirus company and at my web hosting company - all were useless; they knew nothing about this, even when I described the symptoms in detail and talked about 94.247.2.195 and then about gumblar. Yours is the first comprehensive, intelligent discussion of gumblar I have encountered. I wish you sold a product for single-users rather than businesses. I would sign up in a second! Please keep up the blog postings on this threat. I especially appreciate the comments on how gumblar works and ways it might continue to hide itself in computers and web sites. Thank you.
Please notify everyone that, regarding gumblar, the malicious site has been changed to "martuz.cn" instead of "gumblar.cn".
The injection code on the compromised sites has already changed; however, Google has not blocked it yet.
Thanks