Old 05-15-2009, 07:54 PM   #1
NaughtyRob
Two fresh affiliate progs
 
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
Gumblar exploit going around...

This somehow got onto one of my sites... anyone else experience this?

http://blog.unmaskparasites.com/2009...jected-script/
Old 05-15-2009, 08:25 PM   #2
Lycanthrope
Confirmed User
Join Date: Jan 2004
Location: Wisconsin
Posts: 4,518
Had to clean up a customer's site with this a few days ago. Like the article said, it was a compromised ftp password.

I had the customer scan his pc before giving him his new password of course... he said he had Norton and it did NOT find the customer's trojan. I told him to install Avast and rerun the scan - he did and it DID find it.
Old 05-15-2009, 08:58 PM   #3
harvey
Confirmed User
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
Quote:
Originally Posted by Lycanthrope View Post
Had to clean up a customer's site with this a few days ago. Like the article said, it was a compromised ftp password.

I had the customer scan his pc before giving him his new password of course... he said he had Norton and it did NOT find the customer's trojan. I told him to install Avast and rerun the scan - he did and it DID find it.
yes, Avast finds it, Norton chupa bolas

@Get Naughty: I assume you're using Filezilla, since it attacks only sites that use Filezilla as FTP client AFAIK. If so, I'll try to find how to fix it, but be prepared for some heavy registry editing. Just in case, if you're using Filezilla and you have a lot of sites or sites you don't remember the user/pass because you've Filezilla set to remember it, save your filezilla.xml file in another location and do not change passwords for your servers before cleaning your computer or you'll have to do everything again. My partner Ed has cleaned 2 computers and we had to clean servers as well.

This shit is nasty, and Avast catches it, but doesn't clean it, no matter what the Avast results say. Plus, most chances are your server is infected and you'll be infected every time you use Filezilla. I'll send a message to Ed to write me the instructions and post it here later as soon as he sends them.

In the meanwhile, backup your sites and try to get a backup of your servers before the date you assume you had your sites infected
__________________
This post is endorsed by CIA, KGB, MI6, the Mafia, Illuminati, Kim Jong Il, Worldwide Ninjas Association, Klingon Empire and lolcats. Don't mess around with it, just accept it and embrace the truth
Old 05-15-2009, 09:27 PM   #4
NaughtyRob
Two fresh affiliate progs
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
That's fucked up. Yeah I use Filezilla.
Old 05-15-2009, 09:31 PM   #5
st0ned
Confirmed User
Join Date: Mar 2007
Location: Arizona
Posts: 8,437
Hmm. I use FileZilla as well, should I find a new client?
__________________
Conversion Sharks - 1,000+ adult dating offers, traffic management, and consistently high payouts.
We will guarantee and beat your current EPC to win your dating traffic!
Skype: ConversionSharks || Email: info /@/ conversionsharks.com
Old 05-15-2009, 10:57 PM   #6
harvey
Confirmed User
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
Quote:
Originally Posted by st0ned View Post
Hmm. I use FileZilla as well, should I find a new client?
not really. This trojan is installed using an Acrobat Reader vulnerability so you get infected when opening PDF files if you didn't update Acrobat. However, if you have Avast or any real antivirus (ie: NOT NORTON!), it will warn you and kill the worm or move it to the chest if you choose to download it anyway. Another way to get infected is opening infected local scripts in your PC. But if your PC is secured with good antivirus and antispyware (I recommend Super anti spyware, it's free and catches almost everything), you won't have any problem. Another way to be safe is to use your PC as a user, not as admin. Do regular backups, make restoration points just in case and you're covered. This applies to everything, not just this trojan, of course.

Alternatively, for further security don't save Filezilla passwords, and use any password tool or simply copy and paste when needed, but if you follow the steps above you'll be probably safe
Old 05-15-2009, 11:26 PM   #7
eroticsexxx
Confirmed User
Join Date: Aug 2006
Location: Nassau, Bahamas
Posts: 3,133
:2cents

Quote:
Originally Posted by harvey View Post
Alternatively, for further security don't save Filezilla passwords, and use any password tool or simply copy and paste when needed, but if you follow the steps above you'll be probably safe
If there is a keylogger or backdoor component in the trojan, nothing is sacred.
Old 05-16-2009, 12:09 AM   #8
LiveDose
Show Yer Tits!
Join Date: Feb 2002
Location: Somewhere Out there...
Posts: 25,793
Quote:
Originally Posted by harvey View Post
not really. This trojan is installed using an Acrobat Reader vulnerability so you get infected when opening PDF files if you didn't update Acrobat. However, if you have Avast or any real antivirus (ie: NOT NORTON!), it will warn you and kill the worm or move it to the chest if you choose to download it anyway. Another way to get infected is opening infected local scripts in your PC. But if your PC is secured with good antivirus and antispyware (I recommend Super anti spyware, it's free and catches almost everything), you won't have any problem. Another way to be safe is to use your PC as a user, not as admin. Do regular backups, make restoration points just in case and you're covered. This applies to everything, not just this trojan, of course.

Alternatively, for further security don't save Filezilla passwords, and use any password tool or simply copy and paste when needed, but if you follow the steps above you'll be probably safe

Nice read. Thank you.
Old 05-16-2009, 02:32 PM   #9
harvey
Confirmed User
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
Quote:
Originally Posted by LiveDose View Post
Nice read. Thank you.
np

so here is the way to fix it (thanx muchas ED!!!!!):

1- backup filezilla.xml just in case. Create a clean filezilla.xml file (simply open notepad and save as filezilla.xml without adding anything)

2- backup your registry

3- backup your server.

4- if you don't have Avast, install it, it's free. Download it at http://www.avast.com and scan your PC in thorough mode (NOT FAST MODE!)

5- With Avast installed and running, surf all your sites. If any of them is infected, Avast will warn you.

6- If your server is infected, Avast will tell you which files are compromised. Usually it will be php and js files, but I've seen html files and heard pdf and swf files are infected as well. You may have to edit them or re-upload files. It's faster to reupload, but you may not have the files, so it's your choice. However, wait before doing anything.

7- If you find out either your PC or your server are compromised, do the following:

a) turn off your PC and restart in safe mode
b) open registry (remember: BACKUP FIRST!!!)
c) look for the following registry keys

Quote:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ProgID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\Programmable
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\VersionIndependentProgID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\FLAGS
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\HELPDIR
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CurVer
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
Delete them all

d) Look for the following registry values:
Quote:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL]
- AppID = "{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}]
- (Default) = "JQSIEStartDetector"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\VersionIndependentProgID]
- (Default) = "ieplugin.JQSIEStartDetectorImpl"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\TypeLib]
- (Default) = "{D85100D8-894D-4F80-9697-C220AF4202EB}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ProgID]
- (Default) = "ieplugin.JQSIEStartDetectorImpl.1"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\InprocServer32]
- (Default) = "[file and pathname of the sample #1]"
- ThreadingModel = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
- (Default) = "JQSIEStartDetectorImpl Class"
- AppID = "{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\TypeLib]
- (Default) = "{D85100D8-894D-4F80-9697-C220AF4202EB}"
- Version = "1.0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid32]
- (Default) = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid]
- (Default) = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}]
- (Default) = "IJQSIEStartDetectorImpl"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\0\win32]
- (Default) = "[file and pathname of the sample #1]"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\HELPDIR]
- (Default) = "%System%\"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\FLAGS]
- (Default) = "0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0]
- (Default) = "JQSIEStartDetector 1.0 Type Library"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CurVer]
- (Default) = "ieplugin.JQSIEStartDetectorImpl.1"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CLSID]
- (Default) = "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl]
- (Default) = "JQSIEStartDetectorImpl Class"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1\CLSID]
- (Default) = "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1]
- (Default) = "JQSIEStartDetectorImpl Class"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
- (Default) = "JQSIEStartDetectorImpl"
- NoExplorer = 0x00000001
Delete them all

e) just to be sure, search the registry for JQSIE. If you find any occurrence, delete it.
f) close registry, turn off PC and restart in normal mode


8- Run Avast again. You'd be fine, but do it to confirm
9- Now clean your server files. If possible (ie Wordpress, Joomla, phpBB, VBulletin and such) replace all but the uploads folders. To play on the safe side, check that folder's php or html files to see if they have the code, if not, you're safe. Since databases aren't compromised, replace the regular files plus your theme or skin's files if you have'em.
10- Also check for strange files that aren't supposed to be there, the most common is image.php
11- Check files up to 2 levels BELOW the infected folder, pay attention to strange php or js files. Check your .htaccess as well
12- Once everything is cleaned, change your FTP passwords
13- Done. Annoying, but that's what you gotta do


On a side note, it isn't supposed to have a keylogger "per se" (regarding eroticsexxx's post), but it will try to download a keylogger that scans for financial info at a later time, I don't know if that's for real, but it's supposed to be that way according to several sources.

Another thing: this bitch WAITS before re-infecting. Once you've cleaned everything in your server (or you thought you did), it will wait a few hours or up to a couple of days and reinfect you again, so CLEAN EVERYTHING ON YOUR SIDE BEFORE CLEANING YOUR SERVER

Just lmk if you have any problem, I'm no expert by any means but my partner is quite knowledgeable on the matter
Old 05-17-2009, 12:59 PM   #10
DWB
Giggity
Join Date: Jul 2003
Location: S.E. Asia
Posts: 31,779
Jesus Christ this sounds nasty.
Old 05-17-2009, 02:25 PM   #11
st0ned
Confirmed User
Join Date: Mar 2007
Location: Arizona
Posts: 8,437
Quote:
Originally Posted by harvey View Post
not really. This trojan is installed using an Acrobat Reader vulnerability so you get infected when opening PDF files if you didn't update Acrobat. However, if you have Avast or any real antivirus (ie: NOT NORTON!), it will warn you and kill the worm or move it to the chest if you choose to download it anyway. Another way to get infected is opening infected local scripts in your PC. But if your PC is secured with good antivirus and antispyware (I recommend Super anti spyware, it's free and catches almost everything), you won't have any problem. Another way to be safe is to use your PC as a user, not as admin. Do regular backups, make restoration points just in case and you're covered. This applies to everything, not just this trojan, of course.

Alternatively, for further security don't save Filezilla passwords, and use any password tool or simply copy and paste when needed, but if you follow the steps above you'll be probably safe
Thanks for the info, much appreciated.
Old 05-21-2009, 07:24 AM   #12
mariahxxx
Confirmed User
 
Join Date: Feb 2006
Posts: 169
I've been dealing with this since last Friday and it SUCKS! I found it by accident... went to check a member's user/pass using Chrome and when I went to my site it popped a warning which IE and FF didn't. I checked my page and sure enough there was a script in the head tag! Mojohost got on it, did a restore on the server, and the next day it was infected all over again!

I use AVG Premium at home (at least I did til now) and it didn't detect a thing. I installed Avast and it found the backdoor.Trojan

Over 35k files infected, all the html pages on my entire site! Over 500 galleries with auto duplicated page for auto submits in each! It fucking sucks!

I've done a re-install of my OS and scan after scan and nothing, so hopefully I'm in the clear.

The way I could tell I was re-infected was I went to my site in FF and in the status bar it said waiting for maturz.cn. That will tell you your home machine is fucked.

All good now but what a righteous pain in the tits!

We didn't know what it was so we did a restore on the server.

Oh and btw I have Filezilla installed but never used it one time after I set it up!!!!! I use Ipswitch so it got my info from Filezilla even though I never connected with it!

Last edited by mariahxxx; 05-21-2009 at 07:25 AM.. Reason: forgot it
Old 05-21-2009, 12:23 PM   #13
harvey
Confirmed User
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
Quote:
Originally Posted by mariahxxx View Post
I've been dealing with this since last Friday and it SUCKS! I found it by accident... went to check a member's user/pass using Chrome and when I went to my site it popped a warning which IE and FF didn't. I checked my page and sure enough there was a script in the head tag! Mojohost got on it, did a restore on the server, and the next day it was infected all over again!

I use AVG Premium at home (at least I did til now) and it didn't detect a thing. I installed Avast and it found the backdoor.Trojan

Over 35k files infected, all the html pages on my entire site! Over 500 galleries with auto duplicated page for auto submits in each! It fucking sucks!

I've done a re-install of my OS and scan after scan and nothing, so hopefully I'm in the clear.

The way I could tell I was re-infected was I went to my site in FF and in the status bar it said waiting for maturz.cn. That will tell you your home machine is fucked.

All good now but what a righteous pain in the tits!

We didn't know what it was so we did a restore on the server.

Oh and btw I have Filezilla installed but never used it one time after I set it up!!!!! I use Ipswitch so it got my info from Filezilla even though I never connected with it!
Filezilla is the most common way, not the only one. However, I'd say it's impossible that you infected your server files by surfing the net on your PC, dunno if I'm understanding correctly what you say.

As I said, this sucker hides itself in your server, and doing further investigation we found out people getting infected on shared hosting (different accounts), which talks very bad about that server, of course. So probably you had some file waiting for you to clean everything and then reinfecting it.

Like I said above, it waits up to 48 hours, maybe it waits more, who knows... however, the re-infections usually take 5-6 hours after cleaning everything. IMHO, they're triggered by infected computers, so any surfer that has the crap I mentioned in their registry will re-activate the trojan in your server by doing a request. Again, that's my opinion, not really sure it's that way

Anyway, just be sure to patch FF with the latest version, since the PDF FF plugin was outdated and that was what caused the massive infection, now it's fixed, but you gotta have the latest patches
Old 05-22-2009, 05:02 AM   #14
mariahxxx
Confirmed User
 
Join Date: Feb 2006
Posts: 169
thank you so much for the help! very much appreciated!

xoxo
Old 05-24-2009, 02:18 PM   #15
NaughtyRob
Two fresh affiliate progs
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
Trying to fix this now but I don't see....
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}

I have no AppID
Old 05-24-2009, 02:21 PM   #16
NaughtyRob
Two fresh affiliate progs
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
Actually I can't find any of the first part... maybe Avast fixed it.
Old 05-24-2009, 03:02 PM   #17
Cyber Fucker
Hmm
Join Date: Sep 2005
Location: On an endless road around the world for rock and roll.
Posts: 12,642
Nasty shit indeed!

Fortunately, I am running avast all the time along with sophos.
Old 05-24-2009, 08:01 PM   #18
harvey
Confirmed User
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
Quote:
Originally Posted by GetNaughty View Post
Trying to fix this now but I don't see....
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}

I have no AppID
Is that the only thing you don't find? If so, then don't worry. If what you mean is that you didn't find anything at all of those values and keys, there are 2 chances: a) you're not infected; or b) you've another virus/trojan (or version of the same virus). This is for the version we had and what we cleaned
Old 05-24-2009, 09:32 PM   #19
NaughtyRob
Two fresh affiliate progs
Industry Role:
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
All Avast found and all I could find was JQSIEStartDetector.DLL
Old 05-29-2009, 10:08 AM   #20
NaughtyRob
Two fresh affiliate progs
Join Date: Nov 2004
Location: Inside teen pussy
Posts: 29,602
Bump, this got taken care of but you guys should all read this. It's bad stuff.
Old 05-29-2009, 12:26 PM   #21
harvey
Confirmed User
Join Date: Jul 2001
Location: 127.0.0.1
Posts: 9,266
Quote:
Originally Posted by GetNaughty View Post
Bump, this got taken care of but you guys should all read this. It's bad stuff.
nice to hear if you still have trouble just lmk
Old 05-29-2009, 01:44 PM   #22
smutnut
So Fucking Banned
Join Date: Jul 2007
Location: Babylon
Posts: 5,889
Yup, i've been dealing with all of these lately

reddii.ru
brugeni.net
gumblar.cn
internetcountercheck.com
nakulpi.net

complete fucking nightmares.

You should check your source codes for all of these
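A server-side check for the cleanup harvey describes in steps 9-11 (infected php/js/html files, stray files such as image.php, .htaccess) and for the domains in smutnut's and mariahxxx's posts, given here as an added example that is not part of the thread. The known-good manifest approach, the function names and the sample site are assumptions made for illustration; re-running the scan after cleanup also catches the delayed re-infection harvey warns about.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Domains named in this thread (smutnut's list, plus the one mariahxxx saw).
THREAD_DOMAINS = ("reddii.ru", "brugeni.net", "gumblar.cn",
                  "internetcountercheck.com", "nakulpi.net", "maturz.cn")
DOMAIN_RE = re.compile(rb"|".join(re.escape(d.encode()) for d in THREAD_DOMAINS), re.I)
# File types the thread reports as infected, plus .htaccess.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}
SUSPECT_NAMES = {"image.php"}  # the stray file name harvey calls most common


def is_candidate(path: Path) -> bool:
    return path.suffix.lower() in SCAN_SUFFIXES or path.name == ".htaccess"


def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every candidate file; build it from a known-good copy."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and is_candidate(p)}


def scan(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Return {relative path: reasons} for files that need a manual look."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and is_candidate(path)):
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        reasons = []
        hits = sorted({m.decode().lower() for m in DOMAIN_RE.findall(data)})
        if hits:
            reasons.append("references " + ", ".join(hits))
        if rel not in manifest:
            reasons.append("not in known-good manifest")
            if path.name.lower() in SUSPECT_NAMES:
                reasons.append("suspect file name")
        elif manifest[rel] != hashlib.sha256(data).hexdigest():
            reasons.append("changed since manifest")
        if reasons:
            findings[rel] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed site: snapshot it clean, then simulate a re-infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "gallery").mkdir()
        (root / "index.html").write_text("<html><head></head><body>ok</body></html>")
        (root / "gallery" / "page.php").write_text("<?php echo 'gallery'; ?>")
        (root / ".htaccess").write_text("Options -Indexes\n")
        manifest = build_manifest(root)
        # Constructed, inert stand-ins for the changes described in the thread.
        (root / "index.html").write_text(
            "<html><head><script src='//gumblar.cn/x'></script></head>"
            "<body>ok</body></html>")
        (root / "gallery" / "image.php").write_text("<?php /* stray file */ ?>")
        return scan(root, manifest)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", "; ".join(reasons))
```

Build the manifest from a backup taken before the suspected infection date, not from the live server, so an already-infected file is never recorded as known-good.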