Gumblar.cn Web Site Infection Removal

Here is the process I used to clean gumblar.cn off of our site, and it appears to have worked. (still waiting to see if it comes back)

I used the “Replace in Files” feature of Visual Studio 2008, which saved me from manually removing malicious code from more than 350 files.  If you don’t have Visual Studio 2008, there may be other text-editors with Find/Replace features that will work, but I haven’t tried anything else.

DISCLAIMER: I tried to make the searches specific enough that they will only find the bad gumblar code and remove it, but there is always the chance that these searches will find and replace legitimate code.  USE AT YOUR OWN RISK, or if you are concerned you may want to step through each match one by one to ensure that it is actually a match. At the very least, back up the files first, just in case.

STEPS:

1) If possible, turn off FTP and Web Services

2) In Visual Studio, use Ctrl-Shift-F to open the Find in Files dialog.

3) Enter the path to your web site root in the “Look in” box.  Uncheck the ‘Match whole word’ box. Check the ‘Use’ box and select ‘Wildcards’.

4) In the ‘Look at these filetypes’ box, enter: *.php; *.js; *.html

5) Perform the following searches. This is a good chance to review the results before switching to ‘Replace in Files’ mode and doing a ‘Replace All’.

Update:  I have noticed since posting this that some of the searches may need to be customized to fit your particular situation.  In particular, Search #1 relies on a certain number of line breaks (\n).  In some cases, there may be one or more additional line breaks before the <body> tag.  I would suggest checking several files manually after running the searches to see if the bad javascript was actually removed, and then modifying the search if necessary.

SEARCH #1: <script language=javascript><!--*\n*\n*<body>
REPLACE WITH: <body>
*Run this search several times, until no results are found (some files may have multiple occurrences, and it only removes them one at a time).

SEARCH #2: <?php if(!function_exists('tmp_lkojfghx')*tmp_lkojfghx2(); ?>
REPLACE WITH: nothing

SEARCH #3: <?php eval(base64_decode(*c7')); ?>
REPLACE WITH: nothing

SEARCH #4: <!--*\n*(function(*.replace(*\n*-->
REPLACE WITH: nothing

6) Once the searches are done, find any folders called ‘images’.  They should each have an ‘images.php’ file, which should now be empty. Change permissions on these files so that no user can alter or modify them.

7) Change the passwords on any accounts used to access the server by FTP.  It may also be a good idea to change other admin account passwords, just to be safe.

8) Turn FTP and Web services back on, and then periodically use the searches above to see if the infection returns.
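The four searches above as regular expressions, in an added Python example that is not code from the post: unlike the wildcard version, Search #1 no longer depends on the exact number of line breaks (the Update above), every occurrence is removed in one pass, and Search #4 is fenced so it cannot swallow a legitimate HTML comment sitting before the obfuscator. The `<body>` match is generalized to any `<body ...>` tag, the sample page is constructed, and `scan_tree` only reports unless `dry_run=False` is passed.

```python
"""Regex versions of the post's four Gumblar.cn searches (added example, not the
author's code). Sample strings are constructed, not real payload bytes."""
import re
from pathlib import Path
# DOTALL lets '.*?' span any number of line breaks, so the count of '\n' no
# longer matters, and subn() removes every occurrence in one pass.
NOT_COMMENT_END = r"(?:(?!-->).)*?"  # consume lazily, but never run past '-->'
GUMBLAR_PATTERNS = {
    # Search #1: <script> block injected right before <body>; group 1 keeps the tag
    "js_before_body": (re.compile(
        r"<script language=javascript><!--.*?(<body\b[^>]*>)", re.DOTALL), r"\1"),
    # Search #2: PHP loader keyed on the tmp_lkojfghx function name
    "php_loader": (re.compile(
        r"<\?php if\(!function_exists\('tmp_lkojfghx'\).*?tmp_lkojfghx2\(\); \?>",
        re.DOTALL), ""),
    # Search #3: eval(base64_decode('...c7')); the c7 suffix is the post's, may vary
    "php_eval_b64": (re.compile(
        r"<\?php eval\(base64_decode\('[A-Za-z0-9+/=]*c7'\)\); \?>"), ""),
    # Search #4: HTML comment hiding a (function(...).replace(...) obfuscator;
    # NOT_COMMENT_END stops it swallowing a legitimate comment that precedes it
    "js_replace_obfuscator": (re.compile(
        r"<!--" + NOT_COMMENT_END + r"\(function\(" + NOT_COMMENT_END
        + r"\.replace\(" + NOT_COMMENT_END + r"-->", re.DOTALL), ""),
}

def clean_content(text: str) -> tuple[str, dict[str, int]]:
    """Apply every pattern; return the cleaned text and the hit count per pattern."""
    counts = {}
    for name, (pattern, replacement) in GUMBLAR_PATTERNS.items():
        text, counts[name] = pattern.subn(replacement, text)
    return text, counts

def scan_tree(root: Path, dry_run: bool = True,
              extensions=(".php", ".js", ".html")) -> dict[str, dict[str, int]]:
    """'Look in' + filetypes box. Rewrites files only when dry_run is False."""
    report = {}
    for path in (p for p in root.rglob("*")
                 if p.is_file() and p.suffix.lower() in extensions):
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, counts = clean_content(original)
        if cleaned != original:
            report[str(path)] = {k: v for k, v in counts.items() if v}
            if not dry_run:  # back the tree up first, as the post advises
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report

# Constructed sample of an infected page; the "payload" is inert placeholder text.
SAMPLE_HTML = ("<html><head><title>x</title></head>\n<script language=javascript><!--\n"
               "(function(){var s='xx';document.write(s.replace(/x/g,'y'));})();\n"
               "\n\n--></script>\n<body>\n<p>hello</p>\n</body></html>\n")
```

Run `scan_tree(Path(r"D:\inetpub\wwwroot"))` first to get a per-file report, then repeat with `dry_run=False` once the matches look right.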

These steps worked for me, but may not work as well in other cases.  I hope they can be of use to some of you, though.  🙂  Good luck, and take care!

-Kevin


5 Responses to “Gumblar.cn Web Site Infection Removal”

  1. MalwareScene Says:

    Hi.

    The longevity of the mass compromise speaks to the resourcefulness of the attackers. When they first set out, they dropped static attack code into PHP, HTML and other scripts of infected websites, but in time, website owners learned how to detect and remove the infection. The miscreants soon started a second wave of attacks that installed dynamically generated malware on infected sites as soon as the static script was removed.

    Source: http://www.theregister.co.uk/2009/05/14/viral_web_infection/

    • Kevin Harvie Says:

      Thanks for the link. I have used several virus and malware scanners on the system with no results, but I know many of them do not detect this infection yet. I will certainly update the post if I find that the infection returns (I wouldn’t be too surprised if it did). Likewise, I’ll let everyone know if the system runs through the weekend without any signs of infection.

  2. Bill Says:

    Hey Kevin,

    Newbie here. When you say “Enter the path to your web site root”, would that be like http://www.google.com/ ?

    (with my site, of course – not google’s).

    If so, how would Visual Studio gain access to the files without an FTP and my user and pass?

    Thanks,
    Bill

    • Kevin Harvie Says:

      Bill,

      These instructions assume that you have access to the server you are hosting the site on. In my case, I ran Visual Studio on the actual web server, so the path to the web root was a local path (i.e. D:\inetpub\wwwroot\). If you do not have direct access to the server, I suppose you could always download the entire site to a local machine, clean the local copies, then delete the entire site from the server and re-upload the cleaned copies. Of course, this would mean there would be some significant down-time. 😦

      Optionally, if you cannot get Visual Studio onto the server itself (i.e. not accessible, or not a Windows server), but can use a Windows machine on the same local network, you could set up a network share to the web root folder on the server, map a network drive to it from another machine, and point the ‘Replace In Files’ feature at the mapped drive. I haven’t tried this, but I imagine it would work.

      -Kevin

  3. Bill Says:

    Thanks a bunch Kevin!!
