WordPress Exploit Gumblar .cn

Last Updated on December 1, 2011 by Dan Nedelko

<p class=entry title>Looks like there is another WordPress exploit out there dubbed Gumblar cn I was actually made aware of it through a pingback from Growmapcom on their <a href=httpwwwgrowmapcomwordpress exploits target= blank>Watch Out for Recent WordPress Gumblar PHP Exploit<a> post<p> <p class=entry title>These attacks are extremely time consuming to clean up trust me Ive had to do it before in the past Its not a quick or easy thing to have to deal with at all<p> <p>There is also an excellent explanation of Gumblar here<a title=Permanent Link to Gumblar cn Exploit 12 Facts About This Injected Script rel=bookmark href=httpblogunmaskparasitescom20090507gumblar cn exploit 12 facts about this injected script target= blank> Gumblar cn Exploit 12 Facts About This Injected Script<a><p> <p>Please proactively protect yourself against this exploit<p> <p><strong>Update<strong> Im quoting a bit from <a href=httpblogscansafecomjournal2009514gumblar qahtml>Scansafes excellent QA<a> about the exploit<p> <blockquote><p><strong>Is this a cross site scripting XSS attack<strong><p> <p><em>No The compromises appear to be the result of stolen FTP credentials and direct manipulation of files on the Web server<em><p> <p><strong>What is the intent of the malware distributed through the Gumblar compromised websites<strong><p> <p><em>The malcode distributed via the compromised websites attempts to exploit PDF and Flash exploits in order to deliver malware that redirects infected users search engine results In these particular attacks the malcode appears to be targeting Internet Explorer users and Google search In addition the gumblarcn malcode installs a backdoor that connects to 7810929112 an IP address of a known botnet command and control that has historically been associated with malware engaged in malicious redirections<p> <p>Reference blog post httpblogscansafecomjournal200958google serps redirections turn to botshtml<em><p> <p><strong>How do these malicious redirections work<strong><p> <p><em>Similar to a man in the middle attack these redirections occur as a result of a man in the browser attack The malcode injects itself into the browser process monitors the requests processed by the browser and injects fraudulent traffic In the case of the Google SERPs redirects the malcode replaces legitimate Google SERPs results with links pointing to malicious or fraudulent websites<em><p> <p><strong>Millions of websites have been compromised over the past year what makes these particular compromises unique<strong><p> <p><em>A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors user awareness increases and website operators begin cleaning the affected sites This is why attackers are constantly pushing new waves of compromise<p> <p>In the gumblarcn attacks the opposite is occurring As website operators attempt to clean up the original compromise or otherwise make changes to the original source code of the htm php and asp pages on their sites the gumblarcn compromise is injected The gumblarcn mal script appears to be dynamically generated and thus varies not only from site to site but also from page to page on the same site In addition the resulting mal script is heavily obfuscated further hampering signature detection methods As a result the gumblarcn compromises are increasing up 188 from last week and a 61 increase from yesterday<br > <em><p> <p>Here are some related articles Ive written that might be helpful<p><blockquote> <p><a href=httpsdannedelkocomwordpresswordpress injection attackhtml target= blank>Wordpress Injection Attack<a><p> <p><a href=httpsdannedelkocomwordpressblock spam wordpresshtml target= blank>Blocking Spam with WordPress<a><p> <p><a href=httpsdannedelkocomwordpresswordpress security pluginshtml target= blank>Wordpress Security Plugins<a><p> <p>Best of Luck<p> <p>Dan<p> <div class=zemanta pixie style=margin top 10pxheight 15px><a class=zemanta pixie a title=Reblog this post with Zemanta href=httpreblogzemantacomzemifiedbb91e2ee bc67 4444 9c1c 671960f2abdb><img class=zemanta pixie img style=border medium nonefloat right src=httpimgzemantacomreblog epngx id=bb91e2ee bc67 4444 9c1c 671960f2abdb alt=Reblog this post with Zemanta ><a><div>