A problem that’s been plaguing many web sites across the Internet and the web sites of our customers as well is the Gumblar infection. Unlike other attacks that usually subside over the course of a few weeks as web site operators are able to find ways to develop counter measures, Gumblar has found various ways to continue to propagate itself and wreak havoc.
We began receiving a large influx of technical support requests about the issue in early May and our support specialists are still fielding reports of this problem today. The general behavior that we’ve seen is this: a home or office computer affected by the malware records the FTP server credentials and the information is submitted to a botnet that is limited to that single site. This has been the pattern, and we can assure you that our servers have NOT been compromised.
It may be difficult to determine if your web site has been affected by Gumblar or one of its variations, but there are some resources that have compiled information that you may want to reference:
One free utility that you can use is Norton Safe Web that allows you to enter a domain name to see if any reports have been submitted. You may also hear from visitors who are unable to visit your site because of Google’s Safe Browsing, either directly through Google’s search results or through a browser such as Firefox or Chrome.
If your site has been compromised, there are several steps that you will want to take to address the issue. First and foremost, if your web site has been affected, to stop further infection, you’ll want to temporarily stop your web site:
After you’ve stopped your site, the next step involved is to perform a thorough scan of your system for spyware and viruses and take the necessary removal measures.
Once you have successfully cleaned your computer, you will need to update the password for your account using the Account Information page within your DiscountASP.NET Control Panel.
If you have a clean copy of your web site, you will want to remove all of the files on the DiscountASP.NET web server and transfer the files to the server. If for some reason you encounter problems removing the files off the server, contact the Technical Support department to have your web server reset to its default state.
In the event that you don’t have a clean copy of your site, it will be an arduous task but you will need to download the files from the web server to your computer and manually review each file to see if there are any <g;iframe> tags or any <g;script> blocks. A trick that seems to work for most spyware/anti-virus applications is scanning the downloaded files directly, which may help ease the process a bit.
Now, you will need to republish your site and start the web site again.
For customers who are currently hosted on the Windows 2008/IIS 7 platform, a great way to prevent unauthorized intrusion is to use the FTP Manager to deny all access and then add individual IP addresses under the IP restrictions. If you are considering using this method, review the instructions outlined in our “Better FTP security with Windows 2008 and IIS 7” blog post. This is only available for accounts hosted under IIS 7. If your account is hosted on a Windows 2003/IIS 6 server, please contact support for information regarding a migration.
There are additional steps you will want to take to reduce the chance of reinfection.
Head over to Windows Update to install any and all available updates that will patch any operating system vulnerabilities.
Next, install the latest versions of Adobe’s Flash Player and Reader as there have been some variations of Gumblar that target these applications specifically.
As an extra security precaution, it would be prudent to disable one of the features that is continually targeted and seldom used in Adobe Reader which is the native JavaScript ability. To disable the JavaScript ability in Reader, perform the following steps:
- Click on “Edit” from the file menu bar and then “Preferences.”
- From the open dialog box, select the “JavaScript” item.
- Uncheck the “Enable Acrobat JavaScript” box.
- Click the “OK” button to commit the change.
Here’s a visual reference:
Joe Jun
Support Specialist