We were reported of several websites hosted on our Linux Servers showing virus alerts. Our investigations have revealed that these alerts are due to an injection attack on packages hosted on our servers. The FTP logs of the infected packages indicate that the machines of the customers who own those domains are compromised and have been used to upload malicious content to their respective hosting packages.What is a Gumblar Attack?
There are a number of aspects to this exploit that both make it difficult to remove and help it spread. Firstly, it is infecting users who are browsing legitimate websites, if these users are webmasters then it is infecting their websites by using their FTP credentials to inject the script onto their site. The obfuscated malicious code is dynamically generated. This makes it difficult to detect and difficult to automatically remove. Not only does the script vary from site to site but it can also vary from page to page on the one site.
As a precautionary measure, we have temporarily blocked FTP services on our Linux Hosting Servers. This will prevent infection of any other hosting packages. We are in the process of removing malicious content from every package that was infected as a result of this. However if we re-establish FTP connections your clients will re-infect their respective hosting packages since their machines are likely compromised.What we are doing?
We will be shifting to a secure FTP connection and resetting everyone's FTP passwords across all Linux Hosting packages. You can later on modify these passwords from your website management panel.
1Oasis Support Desk