Weblog entry #330 for simonw
gumblar.cn exploit
Posted by simonw on Thu 4 Jun 2009 at 08:37
One of the sites I work on for fun got hit with this.
Injection of obfuscated JavaScript malware between the "/head" and "body" tags; the usual trick of replacing "exec" with "alert" shows it is sending folk to gumblar.cn for the rest of the abuse to follow.
The files are owned by the user who should own them, no write permission from www-data. No Apache requests that match the exploit date/time.
So it looks like the exploit was done using FTP, or on the end user's PC before uploading. It seems I don't have sufficient logging on FTP to establish this for sure. My guess is compromise of the FTP password, or infection on the PC that usually edits the files (someone else's).
Some folk report a trojan that steals the users FTP passwords, but I can't find a convincing explanation. Does anyone here know for sure?
Comments on this Entry
Posted by Anonymous (88.14.xx.xx) on Thu 4 Jun 2009 at 13:21
That domain has now changed to martuz.cn in some cases.
http://blog.scansafe.com/display/Search?searchQuery=gumblar&moduleId=1629442
More details.
It is now clear that the site in question has had its FTP details compromised.
The site had successful FTP authentication completed for this user from computers in France, Russia and India. The first of these occurred when I believe the malware was inserted, only a few minutes after the normal user FTP'ed to the site, suggesting, but not proving, that the FTP details were compromised at that preceding login attempt.
Still trying to establish how those details were compromised. Haven't yet got feedback from the one person who has legitimate access to those credentials to discuss the details.
Credentials seem to have been stolen by a Windows Trojan on the site owners PC.
Only ".htm" and ".html" files were affected (using file time stamps), only in some directories.
Three unauthorised accesses occurred, but files were altered on only two occasions. The third access was to change some redirects to the martuz.cn domain.
One oddity is they didn't update all the files that would seem to be easy targets, just particular directories.
User reports AVG updates were disabled by the trojan. Used the Malwarebytes tool to find a plausible source of the problem. I will recommend a reinstall, but for the moment they are uploading a clean version of the site.
Only ".htm" and ".html" files were affected (using file time stamps), only in some directories.
Three unauthorised accesses occurred, but only on two occasions were files altered. On the third access it was to change some redirects to the martuz.cn domain.
One oddity is they didn't update all the files that would seem to be easy targets, just particular directories.
User reports AVG updates were disabled by the trojan. Used malwarebytes tool to find a plausible source of the problem. I will recommend a reinstall, but for the moment they are uploading a clean version of the site.
[ Parent | Reply to this comment ]
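The two checks the thread walks through by hand (spotting a script block wedged between "/head" and "body", then lining up each altered .htm/.html file's timestamp against successful FTP logins) can be scripted. The following is an added example for this post, not simonw's own tooling. The log format (timestamp, user, client IP, OK/FAIL), the IP addresses, the timestamps and the obfuscated snippet are all constructed stand-ins; the snippet merely decodes to `alert(1)` and is not the gumblar payload. Real FTP daemons log in their own formats, so the parser's regex is an assumption to adapt.

```python
"""Find .htm/.html files carrying a script injected between </head> and
<body>, then list the FTP logins that preceded each file's mtime.

Added example for this post; not the author's code.  Log format, IPs,
timestamps and the obfuscated snippet are constructed stand-ins.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# A <script> sitting directly between </head> and <body>: the position the
# post describes.  Legitimate markup almost never puts anything there.
INJECT_RE = re.compile(r'</head>\s*(<script\b.*?</script>)\s*<body', re.I | re.S)
# Markers typical of obfuscated loaders.  Decode these with alert()/a console,
# never by running them in a browser.
OBFUSC_RE = re.compile(r'\b(?:eval|unescape|fromCharCode)\b')

# Assumed log format (constructed): "YYYY-MM-DD HH:MM:SS user client_ip OK|FAIL"
LOG_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) (OK|FAIL)$')

SAMPLE_CLEAN = ('<html><head><title>t</title></head>\n'
                '<body><p>hello</p></body></html>')
# Constructed stand-in for the injected block; decodes to alert(1).
SAMPLE_INFECTED = ('<html><head><title>t</title></head>\n'
                   "<script>eval(unescape('%61%6c%65%72%74%28%31%29'))</script>\n"
                   '<body><p>hello</p></body></html>')
SAMPLE_LOG = [
    '2009-06-04 07:50:00 siteuser 192.0.2.10 OK',     # owner's usual upload
    '2009-06-04 07:56:00 siteuser 198.51.100.7 OK',   # minutes later, unknown IP
    '2009-06-04 09:30:00 siteuser 203.0.113.5 FAIL',  # failed attempt, ignored
]


def injected_scripts(html):
    """Script blocks between </head> and <body> that look obfuscated."""
    return [s for s in INJECT_RE.findall(html) if OBFUSC_RE.search(s)]


def scan_tree(root):
    """(path, mtime_epoch) for every .htm/.html under root with an injected script."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(('.htm', '.html')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                if injected_scripts(fh.read()):
                    hits.append((path, os.path.getmtime(path)))
    return hits


def parse_ftp_log(lines):
    """Successful logins only, as (epoch, user, client_ip)."""
    logins = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(4) == 'OK':
            ts = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S').timestamp()
            logins.append((ts, m.group(2), m.group(3)))
    return logins


def correlate(hits, logins, window=timedelta(minutes=30)):
    """Map each altered file to the logins in the window before its mtime.

    A login from an address the legitimate editor never uses, landing just
    before the mtime, is the one to chase (as happened in the post).
    """
    secs = window.total_seconds()
    return {path: [(user, ip) for ts, user, ip in logins if 0 <= mtime - ts <= secs]
            for path, mtime in hits}


def demo():
    """Build a throwaway site with one clean and one infected page and run both checks."""
    root = tempfile.mkdtemp()

    def write(name, body, when):
        path = os.path.join(root, name)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
        t = datetime.strptime(when, '%Y-%m-%d %H:%M:%S').timestamp()
        os.utime(path, (t, t))  # pin the mtime like the attacker's upload would
        return path

    write('about.html', SAMPLE_CLEAN, '2009-06-04 07:51:00')
    bad = write('index.htm', SAMPLE_INFECTED, '2009-06-04 08:02:00')
    hits = scan_tree(root)
    return bad, hits, correlate(hits, parse_ftp_log(SAMPLE_LOG))


if __name__ == '__main__':
    infected, found, who = demo()
    for path, _ in found:
        print(path, '<- logins before mtime:', who[path])
```

Run against a real document root and FTP log, the interesting output is a file whose only preceding logins come from an address the site's editor does not recognise. Comparing the list of client IPs per login against the editor's known address is what turns "files changed" into "credentials stolen".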