Over the past few weeks, several websites hosted on our servers threw up virus alerts. Further investigation revealed that these alerts were triggered by an injection attack on packages hosted on our servers, commonly known as a Gumblar attack. FTP logs of the infected packages indicated that the machines of the customers who own those domains had been compromised and used to upload malicious content to their respective hosting packages.
- The attack is perpetrated through stolen FTP login credentials: malware on an infected machine transmits the FTP credentials it finds to a remote IP address.
- These FTP credentials are then used to log on to the web server and infect the hosted website.
- The attack is not limited to Zap Infotech’s hosting services; so far, thousands of websites across a large number of hosting providers have been infected this way.
What is a Gumblar Attack?
Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files as obfuscated JavaScript. They load malware from third-party sites without the user’s knowledge, while also stealing FTP credentials from the victim’s computer, which then allows the malware to spread and infect additional sites. In other words, a visitor to an infected site becomes infected; if that visitor’s machine holds FTP credentials for other websites, those sites get infected too. This explains the exponential growth of the exploit in such a short space of time.
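As an added illustration that is not part of the original notice, the following Python script walks a web root and flags the file types named above whose content matches simple heuristics for obfuscated script blocks (eval/unescape chains, long fromCharCode or percent-encoded runs). The patterns and the sample files are constructed for the example, not Gumblar signatures taken from the page.

```python
import os
import re
import tempfile

# Constructed heuristics for obfuscated JavaScript, not Gumblar signatures.
SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode\s*\([^)]{40,}", re.I),
    re.compile(r"(%[0-9a-f]{2}){20,}", re.I),
    re.compile(r"(\\x[0-9a-f]{2}){20,}", re.I),
]
# File types the notice says the scripts are embedded in.
EXTENSIONS = (".html", ".htm", ".js", ".php")


def scan_text(text):
    """Return the heuristic patterns that match one file's content."""
    return [p.pattern for p in SUSPICIOUS if p.search(text)]


def scan_tree(root):
    """Walk a web root; return {relative path: [matching patterns]}."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    """Build a constructed sample web root, scan it and return the hits."""
    root = tempfile.mkdtemp()
    clean = "<html><body><script src='app.js'></script></body></html>\n"
    # Constructed injected block: eval(unescape(...)) over a percent-encoded run.
    encoded = "".join("%%%02x" % ord(c) for c in "document.write('x')")
    injected = clean + "<script>eval(unescape('%s'))</script>\n" % encoded
    samples = {"index.html": clean, "contact.php": injected, "notes.txt": injected}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, patterns in sorted(demo().items()):
        print(path, "->", patterns)
```

Any hit should be compared against a known-good copy of the site before cleanup, since a minified but legitimate library can also trip the percent-encoding heuristic.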
Recommendations:
- Install an antivirus program with the latest updates and ensure the removal of any malware, trojans or keyloggers on every machine that you use to manage your website’s content via FTP. Several free antivirus programs, such as AVG, AntiVir and Malwarebytes, are available for this purpose. Regular virus scans will minimize such threats to a great extent.
- Once you are confident the machine is clean, change all FTP passwords.
- Avoid storing the new FTP passwords in your FTP clients. Variants of this virus are able to grab stored passwords from there.