Gumblar, Gumblar...

In our previous Blog post, we informed you about hosting packages on our Linux Hosting environment being affected by Gumblar Attacks. Over the past few days, we have been investigating these attacks, and working on methods to mitigate the damage caused by them; our findings and recommendations are as follows:

• Through our investigations, it was confirmed that the infection was not due to any server vulnerability. We enforce stringent security measures to safeguard your data.
• The attack is perpetrated through stolen FTP login credentials. It transmits FTP information to an IP address from an infected machine.
• This FTP information is then used to log on to the web server and infect the hosted website.
• The attack is not limited to ResellerClub’s hosting services - so far, thousands of websites across a large number of hosting providers have been infected through this attack.

Given the nature and scope of this attack, it is important that proper security measures to be taken at all levels to prevent it. We would like to suggest a few steps that would reduce the vulnerability of your computer and remove existing threats.

Recommendations:

• Install an antivirus program with the latest updates and ensure removal of any malware, trojans or key loggers on any machine that you use to manage your website’s content via FTP. Several free antivirus software like AVG, AntiVir, Malwarebytes are available for this purpose. Regular virus scans will minimize such threats to a great extent.
• Once you are confident of a clean machine, you should change all FTP passwords.
• Avoid storing the new FTP passwords directly on the FTP clients. Variants of this virus have the potential to grab stored passwords from there.

What you need to do at your end to stay in tandem with the steps that we’ve taken:

All websites that were determined to be infected have now been cleared. If you find any discrepancy with the content of your website, please inform our support team immediately.

We have reset the passwords for all FTP users across all Linux Hosting Packages.

• You need to login to your Control Panel and set new passwords for all FTP users.
• It is advisable that you set complex, alphanumeric passwords and frequently change them for additional security.
• Please read our KnowledgeBase article that contains instructions on how to reset your FTP passwords .

As intimated in our previous post, we now support FTP access via Secure FTP (SFTP) only. SFTP will encrypt both commands and data, preventing passwords and sensitive information to be sniffed over the network.

• Please read this KnowledgeBase article which includes more information about SFTP as well as a list of common SFTP clients.

We have also enabled net2FTP connections for all packages, so you may use the File Manager within your control panel to manage your content.

• Please read this KnowledgeBase article for guidance on net2FTP.

For any doubts/further issues that you may face, please feel free to contact us.

Linux Hosting: Gumblar Attack

Dear Customer,

We were reported of several websites hosted on our Linux Servers showing virus alerts. Our investigations have revealed that these alerts are due to an injection attack on packages hosted on our servers. The FTP logs of the infected packages indicate that the machines of the customers who own those domains are compromised and have been used to upload malicious content to their respective hosting packages.

What is a Gumblar Attack?

Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files using obfuscated Javascript. They load malware content from third party sites without the user's knowledge. It also steals FTP credentials from the victim's computer, which allows it to spread and infect additional sites. Therefore, when someone visits an infected site they get infected and if they have FTP credentials for a website on their machine then those sites will get infected too. This explains the exponential growth of the exploit in such a short space of time.

What makes it different from previous malware exploits?

There are a number of aspects to this exploit that both make it difficult to remove and help it spread. Firstly, it is infecting users who are browsing legitimate websites, if these users are webmasters then it is infecting their websites by using their FTP credentials to inject the script onto their site. The obfuscated malicious code is dynamically generated. This makes it difficult to detect and difficult to automatically remove. Not only does the script vary from site to site but it can also vary from page to page on the one site.

Further Read:
- http://tinyurl.com/m23ncu
- http://news.cnet.com/8301-1009_3-10244529-83.html

What have we done?

As a precautionary measure, we have temporarily blocked FTP services on our Linux Hosting Servers. This will prevent infection of any other hosting packages. We are in the process of removing malicious content from every package that was infected as a result of this. However if we re-establish FTP connections your clients will re-infect their respective hosting packages since their machines are likely compromised.

What we are doing?

We will be shifting to a secure FTP connection and resetting everyone's FTP passwords across all Linux Hosting packages. You can later on modify these passwords from your website management panel.

Regards,
1Oasis Support Desk

What's an .ORG?

June & July 2009 is our .ORG months.

Why an .ORG?

Experience the Distinction of .ORG

Trusted across all backgrounds, ages and nationalities, .ORG is where people turn to find credible information, get involved, fund causes and support advocacy. As a premier domain, .ORG provides an unrivaled channel to share ideas, to enhance lives, to advance your mission.

Get The .ORG Advantage

When you buy a .ORG, your organization is linked to a well-established brand of trust and integrity. One of the original top-level domains (TLDs), .ORG became the registry of choice for organizations dedicated to serving the public interest, and today .ORG is considered one of the most trusted domains on the internet.

If your organization is a noncommercial entity, people expect to find you in the .ORG community - nonprofits, foundations, philanthropic and cultural institutions, religious, civic, arts, social and fraternal organizations, health and legal services, clubs and community volunteer groups.

Commercial businesses also benefit. Registering with .ORG lends credibility to the activities of a charitable arm, and it also protects your brand and trademark as represented in your other domain name TLD registrations.

Extraordinary .ORGs

Large and small, local and global, .ORGs influence our world every day, effecting positive change on our planet. The .ORG registry highlights extraordinary organizations every month, and is a proud sponsor of The Webby Awards, the leading international award honoring excellence on the Internet.

The Many Uses of .ORG

.ORG is a non-restricted, versatile Domain Name Extension with global reach!

.ORG users include:	With .ORG you can...
Arts & Culture Associations Clubs and Teams Corporate Philanthropy Fraternal Organizations International Organizations Media Medical Communities Nonprofit organizations Online Groups Political Parties Sports Technology Volunteer Organizations And More!	Advocate Associate Captivate Collaborate Communication Create Donate Educate Eradicate Fascinate Incorporate Motivate Participate Stimulate And More!

Get a .ORG domain for just RM28 or less for the entire 12-month period - COMPARE ELSEWHERE at twice the cost or more! This promotion is valid until 30 JULY 2009.

MOBILIZING innovative DOMAINS for JUNE 2009...

We have restarted quite a number of promotions as well as introducing a few other new ones:-

1. .MOBI with a Free Instant Mobilizer and SiteBuilder
2. .TEL with MX records (just LIVE)
3. 2nd & 3rd level .IN for just RM20 or lower!
4. .TV for just RM80 or less (normally: RM120 - SAVE 33%!)
   
5. .US & .ORG for JUST RM26!!

---

.MOBI Promo + Instant Mobilizer

Based on the tremendous response that we received to our previous .MOBI Promo, we have decided to re-launch it and offer you great discounts once again. Offer starts on 2 JUNE 2009.

What’s more, you can get a .MOBI Sitebuilder and the recently launched Instant Mobilizer, Free with every .MOBI Domain! You can find more details on how you can use the Instant Mobilizer and mobilize your websites in our KnowledgeBase.

Promo Details:

• This Promo is applicable for the first year of Registration only. Hence a two year .MOBI Registration will be billed as Promo Pricing + Regular Pricing for 1 year.


• Renewals and Transfer-Ins will not attract this Promo Pricing.


• There are no restrictions on the number of Domains that can be Registered during this Promo.

---

.TV @ RM 80 only - Restarts

Based on popular demand, our .TV Promo that ended on 29th May has been restarted on 2nd June at 12:30 UTC (20:30 MYT)

Promo Details:

• This Promo is applicable for the first year of Registration only. Hence a two year .TV Registration will be billed as Promo Pricing + Regular Pricing for 1 year.


• Renewals and Transfer-Ins will not attract this Promo Pricing.


• There are no restrictions on the number of Domains that can be Registered during this Promo.

---

.ORG And .US Promo - Begins

As mentioned in our previous mailers, the RM26 Promo is now LIVE. Do make the most of the promo-packed June and get the great discounts.

---

.TEL MX Records - Now Live!

We are proud to announce that you can now add MX records and configure email on .TEL Domains. Simply click on the 'Manage MX Records' button in the Domain Management Console and add the relevant records to get mail@yourdomain.tel. For more information on this new feature, please refer our KnowledgeBase.

---

.BIZ Registry Price Hike

As you may already know, the .BIZ Registry has hiked the pricing for .BIZ Domain. We would like to inform you that 1oasis.net will not be increasing its pricing for .BIZ Domains and you will continue to enjoy the current low pricing.

Get your names @ 1OaSiS, now, while they are still available!
(Over 111,111 new domain names are being registered every 24 hours! That's nearly 5,000 per hour ~ 77 per minute ~ AT LEAST ONE EVERY SECOND adding to the pool of well over 111-million active domains today !!)

Enjoy! Have a great June....