In the past few weeks, a Trojan (Troj/JSRedir-R) has become the most prevalent malicious infection to ever hit websites. According to Sophos, this Trojan accounts for 42% of all infected web pages in the past two weeks. This Trojan typically targets PHP sites, and is not caused by a vulnerability in the scripts you run. Once the Trojan is on your local computer, it searches for FTP credentials and then uses them to modify the files on your website. FTP clients that store their passwords in plaintext, like FileZilla, are particularly vulnerable to this.
Checking for Infection
If you have found one infected file, there will be more. The easiest way to find all of the infected files is to use a Diff tool and compare your files against a clean copy.
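As an added example (not part of the original post), the following script does the "compare against a clean copy" step programmatically instead of with an interactive diff tool: it hashes every file under a known-clean release tree and under the live web root, then reports files that were modified, dropped in, or removed. The sample trees it builds, and the placeholder text it appends to simulate an injected page, are constructed for the demonstration and are not a real sample of the Trojan's output.

```python
"""Integrity check of a live web root against a known-clean copy (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_root, live_root):
    """Report files that differ from, were added to, or vanished from the clean copy."""
    clean = snapshot(clean_root)
    live = snapshot(live_root)
    return {
        "modified": sorted(f for f in clean if f in live and clean[f] != live[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def write(path, text):
    """Create parent directories as needed and write a small text file."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Constructed sample: a clean release and a live copy with one file tampered and one dropped in."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        write(root / "index.php", "<?php echo 'hello'; ?>\n")
        write(root / "includes/functions.php", "<?php function f() {} ?>\n")
        write(root / "styles/style.css", "body { margin: 0; }\n")
    # Simulate an infected page: the original content is intact but a payload has
    # been appended. The text below is a CONSTRUCTED PLACEHOLDER, not real injected code.
    with open(live / "index.php", "a") as fh:
        fh.write("<!-- CONSTRUCTED PLACEHOLDER for injected markup -->\n")
    # A file that was never part of the release tree (constructed placeholder).
    write(live / "images/cache.php", "<?php /* constructed placeholder */ ?>\n")
    return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files if files else 'none'}")
```

Run it against your own paths by calling `compare_trees("/path/to/clean-release", "/path/to/live-webroot")`; anything in `modified` or `added` needs a look, and the `missing` list tells you whether a restore from backup is the quicker route.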
Since this is caused by a Trojan on your own machine, that is the first place to start. Scan your computer with antivirus and antispyware tools. Once it has been removed, change all of the passwords on your website (FTP, control panel, etc.). Then you can begin cleaning your website. Since the effects are typically widespread, the fastest and most effective way to clean the files is to delete all of them and restore them from a backup. For sites that have MODs installed on their boards and have no backups, this will be a very tedious process.
The best way to protect yourself from attacks like these is to keep your antivirus and antispyware software up-to-date. If you don’t have that software, then you should get it. When uploading files to your server, you should try to use an SFTP or SCP connection if your host has it available. If you are using FTP clients that do not encrypt their passwords, be sure to not save your FTP credentials.
More information can be found here:
Gumblar.cn Exploit, 12 facts about this injected script
A few more facts about the Gumblar attack from SophosLabs and ScanSafe
Martuz.cn is a new incarnation of Gumblar exploit