In the past few weeks, a Trojan (Troj/JSRedir-R) has become the most prevalent malicious infection to ever hit websites. According to Sophos, this Trojan accounts for 42% of all infected web pages in the past two weeks. This Trojan typically targets PHP sites, and is not caused by a vulnerability in the scripts you run. Once the Trojan is on your local computer, it searches for FTP credentials and then uses them to modify the files on your website. FTP clients that store their passwords in plaintext, like FileZilla, are particularly vulnerable to this.
Checking for Infection
The first sign of infection will be either your antivirus alerting you, or your browser stating that your webpage contains harmful content. The latter is no longer a reliable sign, as the new variant of Gumblar, Martuz, will not serve the malicious content to browsers like Chrome and Safari. Should neither of these appear, you should view the source of your webpage to look for the malicious JavaScript. The code is usually added immediately before the <body> tag, and it starts as follows (note: the variable names may differ from site to site):
(function(jil){var xR5p='%';eval(unescape(...
The Gumblar and Martuz Trojans do not target just .html files; they affect PHP and JS files as well. The malicious code is typically added at the very top or very bottom of PHP files and is either an echo printing out the JavaScript, or a PHP script that starts as:
if(!function_exists('tmp_...
If you have found one infected file, there will be more. The easiest way to find all of the infected files is to use a Diff tool and compare your files against a clean copy.
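A small scanner for the two checks above, added here as an example and not code from the original post: it searches a web root for the two fragment shapes quoted above (treating the variable names as wildcards, since they change per site) and then does the clean-copy comparison by hashing every file against a backup. The site tree built in demo() is constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Shapes of the injected code quoted above; variable names change per site, so any identifier is accepted.
SIGNATURES = {
    "gumblar_js": re.compile(r"\(function\(\w+\)\{var \w+='%';eval\(unescape\("),
    "gumblar_php": re.compile(r"if\(!function_exists\('tmp_"),
}

def find_signatures(text):
    """Return [(signature_name, offset)] for every injected fragment found in text."""
    return [(name, m.start()) for name, pat in SIGNATURES.items() for m in pat.finditer(text)]

def scan_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Map relative path -> hits for every web file under root carrying a signature."""
    root, found = Path(root), {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = find_signatures(path.read_text(errors="replace"))
            if hits:
                found[path.relative_to(root).as_posix()] = hits
    return found

def changed_files(live_root, clean_root):
    """Files under live_root that differ from, or are missing in, the clean copy (hash compare)."""
    live, clean = Path(live_root), Path(clean_root)
    digest = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    changed = []
    for path in live.rglob("*"):
        if path.is_file():
            rel = path.relative_to(live)
            twin = clean / rel
            if not twin.exists() or digest(twin) != digest(path):
                changed.append(rel.as_posix())
    return sorted(changed)

def demo():
    """Constructed site in a temp dir: a clean copy and a live copy with two injected files."""
    tmp = Path(tempfile.mkdtemp())
    clean, live = tmp / "clean", tmp / "live"
    for d in (clean, live):
        (d / "inc").mkdir(parents=True)
        (d / "index.html").write_text("<html><head></head><body>hi</body></html>")
        (d / "inc" / "functions.php").write_text("<?php\nfunction f() {}\n")
    # Injected fragments (constructed, cut short like the quotes in the post).
    js = "(function(ab9){var Q1z='%';eval(unescape('...'))})();"
    (live / "index.html").write_text(f"<html><head></head>{js}<body>hi</body></html>")
    (live / "inc" / "functions.php").write_text("<?php if(!function_exists('tmp_x')){}\nfunction f() {}\n")
    return scan_tree(live), changed_files(live, clean)
```

Run scan_tree() against a full copy of your web root to list every file that carries a signature, and changed_files() against your backup to catch injected files whose fragment shape differs from the two quoted here.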
Removal
Since this is caused by a Trojan on your own machine, that is the first place to start. Scan your computer with antivirus and antispyware tools. Once it has been removed, change all of the passwords on your website (FTP, control panel, etc.). Then you can begin cleaning your website. Since the effects are typically widespread, the fastest and most effective way to clean the files is to delete all of them and restore them from a backup. For sites that have MODs installed on their boards and have no backups, this will be a very tedious process.
Protecting Yourself
The best way to protect yourself from attacks like these is to keep your antivirus and antispyware software up-to-date. If you don’t have that software, then you should get it. When uploading files to your server, you should try to use an SFTP or SCP connection if your host has it available. If you are using FTP clients that do not encrypt their passwords, be sure to not save your FTP credentials.
More Information
More information can be found here:
Gumblar.cn Exploit, 12 facts about this injected script
A few more facts about the gumblar attack from sophoslab and scansafe
Martuz.cn is a new incarnation of Gumblar exploit
Posted by Jabe on May 22nd, 2009 at 8:38 am:
So what is the best way to encrypt FileZilla passwords? Or use SFTP or SCP? Do you have any tutorial?