Gumblar.cn Web Site Infection Removal

Here is the process I used to clean gumblar.cn off of our site, and it appears to have worked. (I'm still waiting to see whether it comes back.)

I used the "Replace in Files" feature of Visual Studio 2008, which saved me from manually removing malicious code from more than 350 files. If you don't have Visual Studio 2008, any other text editor with a wildcard or regular-expression Find/Replace across files should be able to do the same job, but I haven't tried anything else.

DISCLAIMER: I tried to make the searches specific enough that they will only find the bad gumblar code and remove it, but there is always the chance that they will match and replace legitimate code. USE AT YOUR OWN RISK; if you are concerned, step through each match one by one to confirm that it really is injected code before replacing it. At the very least, back up the files first, just in case.

STEPS:

1) If possible, turn off FTP and Web Services, so that nothing can be re-uploaded while you are cleaning and visitors are not served the injected script in the meantime.

2) In Visual Studio, use Ctrl-Shift-F to open the Find in Files dialog.

3) Enter the path to your web site root in the “Look in” box.  Uncheck the ‘Match whole word’ box. Check the ‘Use’ box and select ‘Wildcards’.

4) In the 'Look at these filetypes' box, enter: *.php; *.js; *.html

5) Perform the following searches. This is a good chance to review the results before switching to 'Replace in Files' mode and doing a 'Replace All'.

Update: I have noticed since posting this that some of the searches may need to be customized to fit your particular situation. In particular, Search #1 relies on a certain number of line breaks (\n). In some cases there may be one or more additional line breaks before the <body> tag, and the search will then miss the injected block. I would suggest checking several files manually after running the searches to see if the bad JavaScript was actually removed, and then modifying the search if necessary.

SEARCH #1: <script language=javascript><!--*\n*\n*<body>
REPLACE WITH:  <body>
*Run this search several times, until no results are found (some files may have multiple occurrences, and it only removes them one at a time).

SEARCH #2: <?php if(!function_exists('tmp_lkojfghx')*tmp_lkojfghx2(); ?>
REPLACE WITH: nothing

SEARCH #3: <?php eval(base64_decode(*c7')); ?>
REPLACE WITH: nothing

SEARCH #4: <!--*\n*(function(*.replace(*\n*-->
REPLACE WITH: nothing

6) Once the searches are done, find any folders called 'images'. Each should contain an 'images.php' file, which should now be empty (the searches removed its payload); if one is not empty, inspect it by hand. Change the permissions on these files so that no user, including the FTP and web server accounts, can modify them.

7) Change the passwords on any accounts used to access the server by FTP, and do it from a computer you are sure is clean, since Gumblar steals FTP credentials from infected PCs and that is how sites get re-infected. It may also be a good idea to change other admin account passwords, just to be safe.

8) Turn FTP and Web services back on, and then periodically use the searches above to see if the infection returns.
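As an added example (not from the original post or its author), here is the same four-search cleanup as a script, for anyone without Visual Studio. It assumes Python 3 and a web root of plain-text files. It generalizes Search #1 so it no longer depends on the number of line breaks before <body>, tightens Searches #2 and #4 so a match cannot run past the closing ?> or --> of the injected block and swallow legitimate code, reports what it would change before writing anything, keeps a backup of every file it does change, and checks the images/images.php files from step 6. The .gumblar.bak suffix, the script's file name and the sample infected content are assumptions, not anything taken from the post.

```python
# Added example (not the post's Visual Studio workflow): the four wildcard
# searches as regular expressions, run over a web root with a dry run first,
# a backup of every file touched, and a report. The .gumblar.bak suffix and
# all sample content below are illustrative assumptions.
import re
import sys
import tempfile
from pathlib import Path

# DOTALL lets '.*?' span line breaks, so search #1 no longer depends on an
# exact count of '\n' before <body>. Searches #2 and #4 use a tempered
# '(?:(?!X).)*?' so a match cannot run past the '?>' or '-->' that closes the
# injected block and swallow legitimate code in between.
PATTERNS = [
    # SEARCH #1: injected <script ...><!-- ... up to <body>; keep <body>
    (re.compile(r"<script language=javascript><!--.*?<body>", re.S), "<body>"),
    # SEARCH #2: the tmp_lkojfghx PHP stub
    (re.compile(r"<\?php if\(!function_exists\('tmp_lkojfghx'\)"
                r"(?:(?!\?>).)*?tmp_lkojfghx2\(\); \?>", re.S), ""),
    # SEARCH #3: the eval(base64_decode('...c7')) one-liner as written in the post
    (re.compile(r"<\?php eval\(base64_decode\([^)]*c7'\)\); \?>"), ""),
    # SEARCH #4: HTML comment wrapping a (function(...).replace(... payload
    (re.compile(r"<!--(?:(?!-->).)*?\(function\((?:(?!-->).)*?"
                r"\.replace\((?:(?!-->).)*?-->", re.S), ""),
]
EXTENSIONS = {".php", ".js", ".html"}

def clean_text(text):
    """Return (cleaned_text, removals). Each pattern is re-applied until it
    finds nothing, like re-running the search for files holding several copies."""
    removed = 0
    for pattern, replacement in PATTERNS:
        while True:
            text, n = pattern.subn(replacement, text, count=1)
            if n == 0:
                break
            removed += n
    return text, removed

def clean_tree(web_root, apply=False):
    """Walk web_root; return {path: removals} for files that matched.
    apply=False writes nothing (review the report first). apply=True saves a
    <name>.gumblar.bak copy, then writes the cleaned bytes (bytes, so CRLF
    line endings survive untouched)."""
    report = {}
    for path in Path(web_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        original = path.read_bytes()
        cleaned, removed = clean_text(original.decode("utf-8", "surrogateescape"))
        if removed:
            report[str(path)] = removed
            if apply:
                path.with_name(path.name + ".gumblar.bak").write_bytes(original)
                path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return report

def check_images_php(web_root):
    """Step 6 of the post: each images/images.php and whether it is now empty."""
    return {str(p): p.stat().st_size == 0
            for p in Path(web_root).rglob("images/images.php")}

# Constructed samples of infected files (stand-ins, not real captures).
SAMPLE_HTML = ("<html><head><title>t</title></head>\n"
               "<script language=javascript><!--\n"
               "(function(){var a='x'.replace(/x/,'y');})();\n\n//--></script>\n"
               "<body>\n<p>hello</p>\n<!--\n"
               "(function(){var b='z'.replace(/z/,'w');})();\n-->\n</body></html>\n")
SAMPLE_PHP = ("<?php if(!function_exists('tmp_lkojfghx')){function tmp_lkojfghx2()"
              "{echo 'x';}} tmp_lkojfghx2(); ?><?php\necho 'legit';\n?>\n"
              "<?php eval(base64_decode('ZWNobyAnaGknOw==c7')); ?>\n")

def demo():
    """Run the samples through a dry run, then a real pass, in a temp web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "images" / "images.php").write_bytes(b"")
        (root / "index.html").write_bytes(SAMPLE_HTML.encode())
        (root / "page.php").write_bytes(SAMPLE_PHP.encode())
        (root / "clean.js").write_bytes(b"console.log('fine');\n")
        dry = clean_tree(root)
        untouched = (root / "index.html").read_bytes() == SAMPLE_HTML.encode()
        applied = clean_tree(root, apply=True)
        return {
            "dry": {Path(p).name: n for p, n in dry.items()},
            "untouched_after_dry_run": untouched,
            "applied": {Path(p).name: n for p, n in applied.items()},
            "rerun": clean_tree(root),  # empty once the site is clean
            "backup_exists": (root / "index.html.gumblar.bak").exists(),
            "images_php": {Path(p).name: e for p, e in check_images_php(root).items()},
            "cleaned_html": (root / "index.html").read_bytes().decode(),
        }

if __name__ == "__main__":
    # Usage: python gumblar_clean.py <web_root> [--apply]
    web_root, apply = sys.argv[1], "--apply" in sys.argv[2:]
    for path, n in sorted(clean_tree(web_root, apply).items()):
        print(f"{'cleaned' if apply else 'would clean'} {n:3d} x {path}")
    for path, empty in check_images_php(web_root).items():
        print(f"images.php {'empty' if empty else 'NOT EMPTY, inspect'}: {path}")
```

Run it without --apply first and read the report, open a few of the listed files to confirm the matches are really the injected blocks, then run it again with --apply. For step 8, rerunning without --apply later does the periodic check: an empty report means nothing has come back, and the .gumblar.bak copies are there if a replacement ever has to be undone.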

These steps worked for me, but may not work as well in other cases.  I hope they can be of use to some of you, though.  🙂  Good luck, and take care!

-Kevin
