Wordpress Exploit Gumblar .cn

May 12, 2009


Looks like there is another Wordpress exploit out there dubbed Gumblar .cn — I was actually made aware of it through a pingback from Growmap.com on their post: Watch Out for Recent WordPress Gumblar PHP Exploit.

These attacks are extremely time consuming to clean up; trust me, I've had to do it before. It's not a quick or easy thing to have to deal with at all.

There is also an excellent explanation of Gumblar here: Gumblar .cn Exploit — 12 Facts About This Injected Script

Please proactively protect yourself against this exploit!

Update: I'm quoting a bit from ScanSafe's excellent Q&A about the exploit:

Is this a cross-site scripting (XSS) attack?

No. The compromises appear to be the result of stolen FTP credentials and direct manipulation of files on the Web server.

What is the intent of the malware distributed through the Gumblar compromised websites?

The malcode distributed via the compromised websites attempts to exploit PDF and Flash exploits in order to deliver malware that redirects infected users' search engine results. In these particular attacks, the malcode appears to be targeting Internet Explorer users and Google search. In addition, the gumblar.cn malcode installs a backdoor that connects to 78.109.29.112 – an IP address of a known botnet command and control that has historically been associated with malware engaged in malicious redirections.

Reference blog post: http://blog.scansafe.com/journal/2009/5/8/google-serps-redirections-turn-to-bots.html

How do these malicious redirections work?

Similar to a man-in-the-middle attack, these redirections occur as a result of a man-in-the-browser attack. The malcode injects itself into the browser process, monitors the requests processed by the browser, and injects fraudulent traffic. In the case of the Google SERPs redirects, the malcode replaces legitimate Google SERPs results with links pointing to malicious or fraudulent websites.

Millions of websites have been compromised over the past year; what makes these particular compromises unique?

A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases, and website operators begin cleaning the affected sites. (This is why attackers are constantly pushing new waves of compromise).

In the gumblar.cn attacks, the opposite is occurring. As website operators attempt to clean up the original compromise or otherwise make changes to the original source code of the .htm, .php, and .asp pages on their sites, the gumblar.cn compromise is injected. The gumblar.cn mal-script appears to be dynamically generated and thus varies not only from site to site, but also from page to page on the same site. In addition, the resulting mal-script is heavily obfuscated, further hampering signature detection methods. As a result, the gumblar.cn compromises are increasing – up 188% from last week and a 61% increase from yesterday.
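The Q&A above makes two points that matter for cleanup: the files are changed directly on the server with stolen FTP credentials, and the injected script is regenerated per page and heavily obfuscated, so signature matching alone keeps missing it. A file-integrity baseline catches direct modification no matter how the payload is encoded, and a light obfuscation heuristic helps prioritise which changed pages to look at first. The script below is an added example of that approach; it is not code from this post or from ScanSafe. It assumes a web root on local disk, and the function names (build_baseline, audit, demo), the extension list and the constructed sample pages are all my own.

```python
"""
Gumblar-style injection detection: file-integrity baseline plus a heuristic
for obfuscated inline script.  Added example, not from the original post.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Page types the Q&A names as injection targets (assumption: .html added).
WEB_EXTENSIONS = {".htm", ".html", ".php", ".asp"}

# Heuristic only: eval/unescape/document.write followed within a short
# distance by a long run of percent- or hex-encoded bytes.  This triages
# changed files; the integrity diff is the real detector.
OBFUSCATION_RE = re.compile(
    r"(eval|unescape|document\.write)\s*\(.{0,40}?"
    r"((%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,})",
    re.DOTALL,
)


def sha256_file(path):
    """Hash a file in chunks so large pages do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root):
    """Map relative page path -> sha256 for every web page under web_root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def looks_obfuscated(path):
    """True if the page contains the eval/unescape + encoded-blob pattern."""
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", errors="replace")
    return OBFUSCATION_RE.search(text) is not None


def audit(web_root, baseline):
    """Compare the current tree with a stored baseline; return the findings."""
    current = build_baseline(web_root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    suspicious = sorted(p for p in current
                        if looks_obfuscated(os.path.join(web_root, p)))
    return {"modified": modified, "added": added,
            "removed": removed, "suspicious": suspicious}


def demo():
    """Constructed web root: baseline it, alter files the way a direct
    FTP modification would, then audit.  Returns the audit findings."""
    root = tempfile.mkdtemp(prefix="gumblar_demo_")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "blog", "post.htm"), "w") as f:
        f.write("<html><body><p>Constructed sample page.</p></body></html>\n")
    with open(os.path.join(root, "style.css"), "w") as f:
        f.write("body { color: black; }\n")  # not a page type; ignored
    baseline = build_baseline(root)  # in practice: store this off-server

    # Constructed fixture: a percent-encoded inline script appended to an
    # existing page.  The blob encodes only the words "constructed sample".
    encoded = "".join("%%%02X" % b for b in b"constructed sample")
    with open(os.path.join(root, "blog", "post.htm"), "a") as f:
        f.write("<script>eval(unescape('%s'))</script>\n" % encoded)
    # Constructed fixture: a new page dropped into the root.
    with open(os.path.join(root, "new.asp"), "w") as f:
        f.write('<% Response.Write("constructed") %>\n')

    findings = audit(root, baseline)
    shutil.rmtree(root)
    return findings


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline somewhere the FTP account cannot reach, since an attacker with those credentials can rewrite anything under the web root. And because the root cause in the Q&A is stolen credentials, re-uploading clean files without changing the FTP password just sets up the re-injection the Q&A describes; rotate the credentials first, then restore from the baseline copy.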

Here are some related articles I've written that might be helpful:

Wordpress Injection Attack

Blocking Spam with Wordpress

Wordpress Security Plugins

Best of Luck,

Dan


Comments

6 Responses to “Wordpress Exploit Gumblar .cn”

  1. Wordpress Backup Plugins by Dan Nedelko on May 15th, 2009 8:50 am

    […] Wordpress Exploit Gumblar .cn […]

  2. Wordpress Exploit Gumblar cn by Dan Nedelko | Paid Surveys on June 3rd, 2009 9:40 am

    […] Wordpress Exploit Gumblar cn by Dan Nedelko Posted by root 1 day 16 hours ago (http://dannedelko.com) Looks like there is another wordpress exploit out there dubbed gumblar cn i was may want to subscribe to my rss feed for current and unique internet marketing strategies surveillance privacy powered by twitter tools comment now name required email address Discuss | Bury | News | Wordpress Exploit Gumblar cn by Dan Nedelko […]

  3. öykü on August 2nd, 2009 4:46 am

    Good solution, thanks

  4. Tjene Penger on April 11th, 2010 4:35 pm

    As a wordpress blogger myself — this was actually quite interesting reading. Should always be aware of the threat of hacking and malicious attacks on your websites… always back up regularly

  5. All Things Patrick on May 14th, 2010 2:11 pm

    From Wordpress Back to Drupal…

    After several years of using Wordpress I switched my blog back to Drupal. There's several reasons for this, but some of the more important issues, to me anyway, included being able to easily do certain things like add external links to my "Pages" s…

  6. pimapen on August 30th, 2010 9:29 pm

    Well that was much simpler than I was expecting. Thanks!
