How to deal with a website hacked by the Gumblar Trojan

Gumblar is a code injection attack that originated around 2010 in which the attacker inserts malicious code into the victim's website files. The attack begins when the computer of the website owner, developer or server administrator is compromised: the attacker harvests the FTP login credentials stored on that machine and uses them to upload malicious content to the victim's own hosting server. The malicious code is embedded in HTML, PHP, ASP and JavaScript files on the web server. Anyone visiting the website risks being attacked themselves just by browsing the site, which makes the spread of Gumblar hard to control.

If you think your site has been hacked, sort your site files by last modified date, then open some of the most recently changed files and check whether any malicious script has been inserted.

The Gumblar script is usually found at the top of a page, but it may also be at the bottom. If your file contains a closing HTML tag, you may find the Gumblar code placed just below that tag, even when the tag sits in the middle of the file.

How to fix the hack by Gumblar?

It should be noted that a Gumblar infection is not caused by any web server vulnerability. Most hosting providers enforce stringent security measures to safeguard your data. The attack is carried out with stolen FTP login credentials: malware on an infected workstation transmits the FTP details to the attacker's IP address, and those details are then used to log in to the web server and infect the hosted website. So the infection is not a server-wide exploit; it only affects the sites on the server for which the attacker holds passwords.

Below are the steps you can follow to fix your website:

1. Run a full anti-virus scan on ALL machines that have FTP access to this site.

You should also run a scan with Malwarebytes Anti-Malware, which is a free download.

2. Once the virus has been found, change ALL FTP passwords.

Better still, change them straight away, and then change them again once the hack has been locked down.

3. Open every infected file on your site and delete the hacker script.

Look for all files whose modification date matches the date of the hack.

The script will be either at the top of the file or at the very bottom, or it may be hidden in the middle next to a closing HTML tag if the file contains one.

4. Look for any file that should NOT be there. The Gumblar trojan has also been known to upload BACKDOOR files, which give the attacker access to the entire site even after the FTP details have been changed.
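The following added example (not code from the original article) automates steps 3 and 4's first pass: it walks a web root, keeps only markup files changed since a cutoff time, and flags script blocks that sit after the closing HTML tag, before the document starts, or that use typical obfuscation calls. The placement and obfuscation heuristics are generic assumptions, not Gumblar-specific signatures, so every hit still needs a manual look.

```python
"""Find recently modified web files carrying script blocks that look injected.
The heuristics are assumptions about injected code in general (appended after
</html>, prepended before the document, or obfuscated), not Gumblar signatures."""
import os
import re
import tempfile
import time

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
DOC_START_RE = re.compile(r"<(!doctype|html)\b", re.I)
DOC_END_RE = re.compile(r"</html>", re.I)
# Calls often seen in obfuscated injected JavaScript (assumed generic markers).
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\s*\(", re.I)
# Markup files only: plain .js bodies have no <script> tags and need a separate review.
WEB_EXTS = (".html", ".htm", ".php", ".asp")

def find_injections(text):
    """Return (reason, snippet) pairs for script blocks that look injected."""
    findings = []
    start, end = DOC_START_RE.search(text), DOC_END_RE.search(text)
    for m in SCRIPT_RE.finditer(text):
        block, snippet = m.group(0), m.group(0)[:60]
        if end and m.start() > end.end():
            findings.append(("script after closing </html>", snippet))
        elif start and m.end() <= start.start():
            findings.append(("script before document start", snippet))
        elif OBFUSCATION_RE.search(block):
            findings.append(("obfuscated script call", snippet))
    return findings

def scan_tree(root, modified_since):
    """Walk root; return {path: findings} for web files changed since epoch time."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(WEB_EXTS) or os.path.getmtime(path) < modified_since:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings = find_injections(fh.read())
            if findings:
                hits[path] = findings
    return hits

if __name__ == "__main__":
    # Constructed sample site: one clean page and one with a script appended after </html>.
    clean = "<html><body><script src='app.js'></script></body></html>\n"
    with tempfile.TemporaryDirectory() as site:
        for name, body in (("index.html", clean),
                           ("about.html", clean + "<script>eval(unescape('%41'))</script>")):
            with open(os.path.join(site, name), "w") as fh:
                fh.write(body)
        for path, found in scan_tree(site, time.time() - 3600).items():
            print(path, found)
```

Run it against your real document root with the cutoff set to just before the hack date; files it does not flag (new PHP files with no script tags, for example) still need the manual check from step 4.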

