Wednesday, June 10, 2009

Linux Hosting: Gumblar Attack

Dear Customer,

We were reported of several websites hosted on our Linux Servers showing virus alerts. Our investigations have revealed that these alerts are due to an injection attack on packages hosted on our servers. The FTP logs of the infected packages indicate that the machines of the customers who own those domains are compromised and have been used to upload malicious content to their respective hosting packages.

What is a Gumblar Attack?

Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files using obfuscated Javascript. They load malware content from third party sites without the user's knowledge. It also steals FTP credentials from the victim's computer, which allows it to spread and infect additional sites. Therefore, when someone visits an infected site they get infected and if they have FTP credentials for a website on their machine then those sites will get infected too. This explains the exponential growth of the exploit in such a short space of time.

What makes it different from previous malware exploits?

There are a number of aspects to this exploit that both make it difficult to remove and help it spread. Firstly, it is infecting users who are browsing legitimate websites, if these users are webmasters then it is infecting their websites by using their FTP credentials to inject the script onto their site. The obfuscated malicious code is dynamically generated. This makes it difficult to detect and difficult to automatically remove. Not only does the script vary from site to site but it can also vary from page to page on the one site.

Further Read:
- http://tinyurl.com/m23ncu
- http://news.cnet.com/8301-1009_3-10244529-83.html

What have we done?

As a precautionary measure, we have temporarily blocked FTP services on our Linux Hosting Servers. This will prevent infection of any other hosting packages. We are in the process of removing malicious content from every package that was infected as a result of this. However if we re-establish FTP connections your clients will re-infect their respective hosting packages since their machines are likely compromised.

What we are doing?

We will be shifting to a secure FTP connection and resetting everyone's FTP passwords across all Linux Hosting packages. You can later on modify these passwords from your website management panel.

Regards,
1Oasis Support Desk

No comments:

Post a Comment

Hot phrases for that new domain!

  • S. Chandrasekhar, McKayla Maroney, Gord Downie, Diwali, ... - 1. S. Chandrasekhar 2. McKayla Maroney 3. Gord Downie 4. Diwali 5. Maryland shooting 6. Frederica Wilson 7. Jeremy Lin 8....
    28 minutes ago

Sedo Domain News

More Readings

Domains Resale Specials

1Oasis @ Twitter