Wordpress Exploit Gumblar .cn
May 12, 2009
Looks like there is another Wordpress exploit out there dubbed Gumblar .cn – I was actually made aware of it through a pingback from Growmap.com on their: Watch Out for Recent WordPress Gumblar PHP Exploit post.
These attacks are extremely time consuming to clean up, trust me I’ve had to do it before in the past. It’s not a quick or easy thing to have to deal with at all.
There is also an excellent explanation of Gumblar here: Gumblar .cn Exploit – 12 Facts About This Injected Script
Please proactively protect yourself against this exploit!
Update: I’m quoting a bit from Scansafe’s excellent Q&A about the exploit:
Is this a cross-site scripting (XSS) attack?
No. The compromises appear to be the result of stolen FTP credentials and direct manipulation of files on the Web server.
What is the intent of the malware distributed through the Gumblar compromised websites?
The malcode distributed via the compromised websites attempts to exploit PDF and Flash exploits in order to deliver malware that redirects infected users’ search engine results. In these particular attacks, the malcode appears to be targeting Internet Explorer users and Google search. In addition, the gumblar.cn malcode installs a backdoor that connects to 78.109.29.112 – an IP address of a known botnet command and control that has historically been associated with malware engaged in malicious redirections.
Reference blog post: http://blog.scansafe.com/journal/2009/5/8/google-serps-redirections-turn-to-bots.html
How do these malicious redirections work?
Similar to a man-in-the-middle attack, these redirections occur as a result of a man-in-the-browser attack. The malcode injects itself into the browser process, monitors the requests processed by the browser, and injects fraudulent traffic. In the case of the Google SERPs redirects, the malcode replaces legitimate Google SERPs results with links pointing to malicious or fraudulent websites.
Millions of websites have been compromised over the past year; what makes these particular compromises unique?
A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases, and website operators begin cleaning the affected sites. (This is why attackers are constantly pushing new waves of compromise).
In the gumblar.cn attacks, the opposite is occurring. As website operators attempt to clean up the original compromise or otherwise make changes to the original source code of the .htm, .php, and .asp pages on their sites, the gumblar.cn compromise is injected. The gumblar.cn mal-script appears to be dynamically generated and thus varies not only from site to site, but also from page to page on the same site. In addition, the resulting mal-script is heavily obfuscated, further hampering signature detection methods. As a result, the gumblar.cn compromises are increasing – up 188% from last week and a 61% increase from yesterday.
Here are some related articles I’ve written that might be helpful:
Best of Luck,
Dan
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=bb91e2ee-bc67-4444-9c1c-671960f2abdb)
- Building Great Links Link Building is always a topic of conversation for anyone in the world of Internet Marketing. People who push only organic SEO tend to be quite focused on the overall process of building masses of links with target anchor text on sites which may pass link juice. Personally that's a......
- Internet Marketing Tweet Digest 2009-06-21 Setting up optimized portal pages today. Link in, link out, quality content. # NASCAR is pro-legalization of Online Gambling in the United States! http://bit.ly/1jvNm6 via @SilverOakCasino # RT @seoguy0: FEAR GRIPS GOOGLE - New York Post http://bit.ly/d3VY7 # After using Bing.com for the entire day today (as a test)......
- Misconceptions About Search Engine Optimization Image this scene, a youngster boy walks into a barber search and says to the barber, “Don’t touch me, I’m solely here as a result of my mom forced me.” Search engine optimizers are typically place into the position of...
- LinkAdage’s Take On Google's New Search Engine Patent Has Google thrown the cyber world a curveball? Let's fill in some blanks and connect a few dots regarding the recently-filed patent application for Google's latest Search Engine algorithm - Search Engine 125. For those unfamiliar with the inner workings...
Comments
3 Responses to “Wordpress Exploit Gumblar .cn”
Join in on the Discussion! Comment Now:
Sign up to receive free daily Wordpress, Marketing and Viral Marketing strategies and tactics...
Call Me Toll Free
I accept:
[...] Wordpress Exploit Gumblar .cn [...]
[...] Wordpress Exploit Gumblar cn by Dan Nedelko Posted by root 1 day 16 hours ago (http://dannedelko.com) Looks like there is another wordpress exploit out there dubbed gumblar cn i was may want to subscribe to my rss feed for current and unique internet marketing strategies surveillance privacy powered by twitter tools comment now name required email address Discuss | Bury | News | Wordpress Exploit Gumblar cn by Dan Nedelko [...]