Jun 29 2009

Virus Hacking Into FTP Accounts – Protect Yourself

I have had some terrible trouble this last week with some of my sites getting attacked by a virus that I now know is also affecting a lot of marketers, AND… I have reason to believe, Hostgator users (very likely users of other hosts too) as well…

I’ve spent the week wrestling with coders and hosting support about it and have gotten all the information I can on how to prevent it, so I thought I’d share it with everyone here too.

It’s a piece of malware that infects your local computer and digs through it for passwords stored in programs like password banks, RoboForm, FTP clients, etc. It then logs into your site over FTP with those credentials and adds malicious code to your index pages. Google’s Safe Browsing list picks that up, which is why Firefox then displays a “REPORTED ATTACK SITE” warning that (rightly) blocks access to your site.

You then have to go through and delete the malicious code from every affected page (finding which pages, and how many, is a job for the file manager or shell in your hosting account) before browsers will show your site again. Suffice it to say it’s a right pain in the ass.
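To make that “finding which pages” step less painful, here is an added example (my own illustration, not code from the original post or from any hosting company) that walks a downloaded copy of a web root, flags index pages carrying the three kinds of injection described above (a hidden iframe, an obfuscated inline script, PHP appended after the closing </html>), strips them, and groups files by modification minute, since an automated FTP rewrite stamps everything it touched within the same minute. The regular expressions are assumed, generic signatures; the attackers’ exact strings are not on this page, so check the reported matches before deleting anything.

```python
"""Find the injected code the post describes and spot the batch of files it touched."""
import os
import re
from collections import defaultdict

# Generic signatures for the kind of injection described above: a hidden
# iframe, an obfuscated inline script, or PHP tacked on after </html>.
# The attackers' exact strings are not given on the page, so these are
# assumed patterns; tune them against what you actually find in your files.
INJECTION_PATTERNS = {
    "hidden_iframe": re.compile(
        r'<iframe\b(?=[^>]*\b(?:width|height)\s*=\s*["\']?0\b|[^>]*visibility\s*:\s*hidden)'
        r'[^>]*>.*?</iframe>', re.I | re.S),
    "obfuscated_script": re.compile(
        r'<script\b[^>]*>(?:(?!</script>).)*?\b(?:eval|unescape|String\.fromCharCode)\s*\('
        r'(?:(?!</script>).)*?</script>', re.I | re.S),
    "php_after_html": re.compile(
        r'(?<=</html>)\s*<\?php\b.*?(?:\?>|\Z)', re.I | re.S),
}

# The post says the code lands in index pages; widen with index_only=False.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.html", "default.php"}


def find_injections(text):
    """Return [(signature_name, matched_snippet), ...] for one file's contents."""
    hits = []
    for name, pattern in INJECTION_PATTERNS.items():
        hits.extend((name, m.group(0)) for m in pattern.finditer(text))
    return hits


def strip_injections(text):
    """Remove every match. Blunt: a site that legitimately uses eval() or a
    zero-size iframe will lose that too, so read the hits before you write."""
    for pattern in INJECTION_PATTERNS.values():
        text = pattern.sub("", text)
    return text


def scan_tree(root, index_only=True):
    """Walk a web root; map relative path -> hits for every file that has any."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if index_only and fn.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def mtime_bursts(root, window=60):
    """Bucket every file under root by modification time (window seconds) and
    return the buckets largest first. An automated FTP rewrite stamps all of
    its files within the same minute, so the top bucket is the prime suspect."""
    buckets = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            bucket = int(os.path.getmtime(path) // window)
            buckets[bucket].append(os.path.relpath(path, root))
    return sorted(buckets.values(), key=len, reverse=True)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        print(path, [name for name, _ in hits])
    bursts = mtime_bursts(root)
    if bursts:
        print("largest same-minute batch:", bursts[0])
```

Run it against a local copy of the site (python scan.py /path/to/webroot). Anything in the largest same-minute batch that is not also in the signature hits deserves a manual look, because the injection pattern changes over time and new files dropped by the attacker carry no marker at all.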

So to avoid this happening to you, I advise everyone reading (as I have been advised) to:

1. Don’t store passwords in password programs like the ones above. If you already have passwords saved in them, consider clearing those records so the information isn’t sitting on disk for the malware to read. FTP clients in particular tend to keep saved logins in a plain configuration file, so clear the site manager as well.

2. Run these malware detectors on your computer to ensure you don’t have infections:

Malwarebytes.org

Norman Malware Cleaner

There are many Malware scanners out there and I’ve been told it’s good to run more than one as any given one doesn’t always pick up all infections.

3. There’s suspicion that the infection is getting onto PCs through a vulnerability in Adobe Reader, so if you don’t have the latest update you should upgrade it asap.

4. Change your FTP passwords frequently, and only after your computer has been cleaned: a still-infected machine will simply hand the new password over the next time you log in. Plain FTP also sends the password unencrypted, so use SFTP or FTPS if your host offers it.

That’s all I know for now.

So you don’t get too worried, I’ve been informed that it’s not a particularly dangerous hack; it doesn’t delete your site or try to find credit card info or anything, but it’s dangerous enough to cause problems and be highly disruptive to your business. Bear in mind that the browser warning exists because the injected code is aimed at your visitors’ machines, so cleaning up quickly matters for them as much as for you.

Good luck!

P.S. While we’re on the subject of security, it seems wholly appropriate to mention this highly recommended report from a buddy of mine about securing your WP blogs against hacking attempts. I didn’t know how badly I needed it until the unfortunate events, loss of traffic and loss of income of this past week.


27 Comments... What are your thoughts?

  1. Is this a windows-only problem or should mac users be concerned too?

  2. Since it’s web based I’d say Mac users could be affected too… buuut since the problem program needs to scan through files on your hard drive before getting access to your FTP accounts… perhaps not… I’m really not tech enough to know the answer to that but for now I say, better safe than sorry.

    Andrew

  3. It sounds like a Windows PC problem since no program can just scan through my files on my Mac.

  4. Sounds like the Gumblar virus. If you store usernames and passwords in your FTP program and pick up this trojan, it will access all your sites and alter many files. It attacked 15 of my sites!!! It creates backdoors, so even if you think you’ve removed it, a few days/weeks later it’s back! I will never store passwords ever again!

    Google it for more info. It’s been around since April.

    I found it puts extra PHP code at the bottom of index files – html, php, etc.

    Firstly, get the malware off your PC using malwarebytes.org, then remove all passwords from your FTP program. Get new passwords for each site. Assuming you’ve backed up recently, overwrite your sites’ files and that should clear it.

    Detailed removal tips:
    http://cantalktech.com/2009/05/29/gumblar-virus-symptoms-removal/

    Good luck

  5. Thanks Andrew for sharing this useful info with us. You said:

    a) the malware infects the local PC, then

    b) goes up to the web server (via your FTP account) and infects the web pages of your site

    I suppose that both intrusions, a) and b), only affect a local PC and web server where the installed operating system is Windows.

    If the local PC and the web server were both Linux, it would be very unlikely for such things to happen, even if FTP is a service known to be prone to attacks (on both Linux and Windows).

    Regards. Alvise.

  6. Thanks Andrew, I had a very similar series of incidents a couple of months back in 2 of my wordpress blogs. Drove me absolutely crazy! I kept deleting the malicious code, and they just kept on getting reinfected within a few hours. Finally I managed to kill it in a similar way as you’re talking about. (1) I removed the malicious code from the sites again, (2) I ran a full clean on my own PC (again!) just to make sure I wasn’t going to reinfect the sites myself, (3) I changed each of the access passwords – both the cpanel entry point AND the wordpress dashboard passwords – to REALLY complex passwords. But ones I could remember myself. I included letters in both upper and lower cases and numbers.

    After all that, the nonsense stopped. Which proved to me that it was an automated attack straight through compromised passwords. I have no idea how that originally occurred, but it was a great lesson.

    Phil

  7. Hi Andrew,
    I had about 50 different sites hacked this way, sometimes 3 or 4 times before I figured out what was going on. So I think I have some relevant info for your readers.

    It is extremely important to emphasize that just changing your FTP password is not enough. The malware is on your local computer (as you say), and the next time you log in to a specific site it will transmit the new PW to the hacking bot.

    As close as I can tell the malware is NOT drilling down into stored information on your computer. Rather, it is picking up the login info when you actually log into FTP sites.

    The reason I say this is because I have many FTP logins saved in a program like RoboForm, and the only ones hacked were the ones I had actually logged into in the previous few weeks. Many others that I hadn’t looked at in three or four months were not affected. So it is not necessary to pitch Roboform, or change all your passwords.

    If your local computer is infected you can change the PWs all you want. It will just transmit the new ones to the hackers the next time you log in.

    So the “correct” procedure (as far as I can tell) is to:

    1. Scan and clean your local computer first. I had success with Webroot AntiVirus with AntiSpyware. (I actually reformatted my laptop because it was so screwed up.) Running this program also seems to protect it from future infection from this particular virus. I wish I knew the name of the virus causing this problem, but I haven’t heard from anyone yet who has pinned it down. (I think it is difficult to get information on this because most infected web owners are afraid they will scare off visitors. There is good reason to believe visitors’ local computers will get infected when they open infected pages.)

    2. Run a program that intercepts the virus to prevent it from infecting you again. To repeat what I said in #1 above, Webroot has worked for me.

    3. Once you are clean (locally) go into your site and change the FTP password.

    4. Clean your site. Make sure you get everything. Replacing your site with a clean backup is best. But be aware that just overwriting may not be enough since in some cases new files are created that will not be overwritten by a backup. For example, in some /image folders a file called “image.php” (and another .php file I can’t remember the name of) will be created.

    The easiest way to spot infected files is to look at the date. All infected files will have the same date, different from the rest. The hackers insert some gobbledygook usually right after the first tag (but not always). I’ve noticed this code has changed from the first instances to later ones, so the hackers are obviously working hard to “perfect” their system.

    It is also worth pointing out that this is not a HostGator or IXwebhosting issue. I have had this problem with sites on 6 or 7 different hosts. As far as I can tell the hack code does not spread from one site to another on the same server, as some have suggested, but rather is picked up directly for specific domains when infected users log in to their own domains.
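The commenter above makes a point worth acting on: restoring from backup overwrites the edited index pages but leaves behind any file the attacker added, such as the “image.php” dropped into image folders. As an added example (my own illustration, not the commenter’s code or any hosting company’s tool), the script below hashes every file in a known-clean backup and in a download of the live site and reports three lists: files present only on the live site, files whose contents differ, and files missing from the live copy. The ignore_prefixes parameter is an assumption of mine for skipping legitimately volatile directories like an uploads or cache folder.

```python
"""Compare the live web root with a known-clean backup so attacker-added files
(the 'image.php' kind) show up, not just the index pages that were edited."""
import hashlib
import os


def digest_tree(root):
    """Map relative path -> SHA-256 of contents for every file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def diff_against_backup(backup_root, live_root, ignore_prefixes=()):
    """Return (added, changed, missing) as sorted lists of relative paths.

    added   : on the live site but not in the backup (dropped backdoors live here)
    changed : same path, different content (the edited index pages)
    missing : in the backup but gone from the live site
    ignore_prefixes (assumed helper) skips legitimately volatile paths such as
    an uploads/ or cache/ directory so they do not drown out the attacker's files."""
    backup = digest_tree(backup_root)
    live = digest_tree(live_root)

    def keep(path):
        return not any(path.startswith(prefix) for prefix in ignore_prefixes)

    in_backup = {p for p in backup if keep(p)}
    in_live = {p for p in live if keep(p)}
    added = sorted(in_live - in_backup)
    missing = sorted(in_backup - in_live)
    changed = sorted(p for p in in_backup & in_live if backup[p] != live[p])
    return added, changed, missing


def cleanup_plan(added, changed):
    """Turn the diff into the two actions a restore implies: delete what the
    backup never had, re-upload what the backup had with different content."""
    return [("delete", p) for p in added] + [("restore", p) for p in changed]


if __name__ == "__main__":
    import sys
    backup_dir, live_dir = sys.argv[1], sys.argv[2]
    added, changed, missing = diff_against_backup(backup_dir, live_dir)
    for action, path in cleanup_plan(added, changed):
        print(action, path)
    for path in missing:
        print("missing-from-live", path)
```

Usage: download the live site to a local folder, then run python diff.py /path/to/clean-backup /path/to/live-copy. Every “delete” line is a file the backup never contained; do not just re-upload the backup over the top and assume it is gone. The “missing” list is informational: a file the attacker removed, or one you added after the backup was taken.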

  8. @Alvise – It has no problem getting into Linux servers. All my sites are on Linux servers. They are not immune to these attacks.

  9. The very same thing happened to me on all the accounts that I have on a completely separate server that I use just for some niche blogs. (gives me a few more IP addresses for linking purposes)

    The annoying thing is that the infection didn’t come from my PC, my FTP program or any of my stored passwords…

    It came from another users account on the same shared server and migrated across to ALL the accounts on that server!

    The worrying thing is that I tend to be quite paranoid about my accounts, strong random passwords that are frequently changed, WordPress always kept up to date, plugins carefully selected, etc.

    So through no fault of mine I had two days work to do just to clean up my files!

    My suggestion is that if you have sites on a shared server check with your host that they have guarded against this type of cross site scripting attack, otherwise you may get the same problem.

    And sorry Mac users, if your hosting company isn’t on the ball it CAN happen to you :-(

    Regards

    Phil

  10. Thanks for posting Andrew.

    I had the exact same thing happen to me last month. All my Hostgator index pages were infected with what I call an iframe worm.

    Thankfully,Hostgator helped me correct the problem very quickly.

    Change ALL your passwords if this happens to you. It’s a pain, but can be solved.

    Cara

  11. I’ve had this too! What was your method and success in getting the block from Google removed once you cleaned up the site? I submitted for reconsideration. Do you think submitting a new sitemap to crawl would help as well? Or is it just a matter of time?

  12. Oops, I think I’ve already had it. Now I’ve bought RoboForm and according to your post that’s no good either. I give up! :)

  13. Thanks Andrew.
    I heard that once it reaches the Server from any user’s PC it then attacks the other sites on that server. Hence it may not be accessing the server from your PC or Mac but still may well affect your site if the Server Owners don’t find out about it quickly so they can take action.
    John O’York

  14. marlous said:

    Hi Andrew, I’m in the same situation, as most of my sites got infected too (I even got one of my hosting accounts closed because of this, or at least that’s what I think, and that’s how I found out about it)!

    It’s a royal pain to get this sorted; if you don’t do it right these iframes keep popping up in (all) your index files and some function files (if we’re talking about the same virus)!

    I’ve been working on it now for almost a week and think I’ve got it sorted now… hopefully.

    I just wanted to say “Thanks” for posting the report and your other post! I was lucky that it happened now and not in 5 months when I am traveling again…

  15. Thanks Andrew – I’m running your malware scanner now and rather surprised at the complacency of previous commenters.

    Much appreciated!

    :-)

  16. My online activity uses Linux on a machine with no other operating system. Although no OS is completely safe I’m guessing the hacker(s) go after Windows more than any others.

  17. Hi All
    Good to see people sharing problems and solutions, but it also shows how much contradictory information is out there. First I suffered from a WP infection originating from another site hosted on the same server as my site; apparently it affected over 1000 other sites. The hosting company made all the right moves and even recommended a security product/fix which I purchased. The product recommends using RoboForm. Now I read in this blog that it states not to use RoboForm.
    So it seems a fix for one problem can be a weakness for another virus/hack etc.
    Life on the internet just seems to be updating/fixing problems?
    You’re right, it is a right pain in the ASS.
    Regards

  18. Thanks for that Andrew,

    I got HIT just over a month ago, and your explanation is the first one I understand.

    Still don’t know from where, I wasn’t on any dodgy sites, and McAfee was running 24/7. It started off with a Trojan called twext.exe which apparently crawls your drive, looking for passwords, banking etc., I then discovered these ‘Attack’ screens when I went to some of my sites and seriously considered ‘giving up’ the whole business. I’m getting too old to try keeping up with these cyber ‘bast**ds’. So I took the PC to PCWorld for a health check and they couldn’t remove it without formatting the drive.

    Needless to say I hadn’t got any recent backups, so I bought a new laptop and just use my old PC for old client data, and never connect to the internet with it. It’s as if your home has been robbed and you feel violated. I dread switching the damn PC on now… probably an age thing, I’ll get over it, but your experience has made me realise it can happen to the best, so it’s not just me being stupid.

    Dave

  19. Lawrence said:

    Rick Hendershot is correct. Roboform will not be scanned. Passwords are captured as they are used.

  20. Hmmm…That’s scary stuff!

    I just googled “Gumblar virus”, and I found this blog post to be really informative: http://www.webologist.co.uk/2009/05/gumblar-virus-threat-to-the-internet-how-to-remove.html

    Hopefully this is something that ends soon, but only time will tell.

    Thanks for the heads up and all the insight everyone,
    Kyle

  21. I had this very thing happen several months ago. The virus was put on my site through my FTP program. I found out about it when I received an email from Google. I virus scanned my own computer, removed the passwords from my FTP program and re-uploaded all the files for my site. That way I knew I overwrote anything that might be infected. I now keep my passwords in a little notebook on my desk. The biggest concern I have about this kind of attack, other than the hassle factor, is the lost business, and whether there is any impact on your search engine ranking.

  22. Correction to my previous post – I deleted all files from the server and uploaded again fresh, not just an overwrite. One of the comments above prompted my memory about that. In my case it was probably 6 months ago. Getting the block removed by Google took all of about 15 minutes. Not a big deal

  23. Thank you Andrew, that was a very insightful and interesting post. Will have to watch out for viruses!

  24. @George – As Jeff said, getting the Google block removed can be done very quickly – at least if your site is registered with Webmaster Tools. It was done in minutes.

  25. You could also use http://www.unmaskparasites.com/ to see if your site has been compromised. I had a trojan gumbla and trojan downloader agent on my computer. HG cleaned their side and I had my computer reinstalled but have no idea where it came from which I guess means it could happen again, any time.
