Comments on: Fighting The JSRedir-R / Gumblar.cn Trojan

By: Rob Z.

Rob Z. — Mon, 18 May 2009 16:41:28 +0000

Chris, in a comment above, posted a link to his company's site where they built a removal script. The only problem I see with such a tool is that the infecting code is morphing, sometimes in the same infection, so it can't reliably catch it all and nothing short of a manual check will really ensure it's clean. However, I've given some thought to writing a new script that looks for the hallmarks of the infection - a LONG line of code immediately after the opening " block in between the and tags in any HTML document and a long line of Java script at the bottom of .JS files - and eliminates them. I think this could be about 80% reliable in cleaning out the code, but the possibility does exist for deleting valid code that actually runs the site. It ultimately depends on how well-formatted your existing codebase is. I'd like to go ahead and write such a script, but I'm sort of crammed on a deadline. I may be able to squeeze it out in the next day or so if I can scratch up the time, but I wouldn't hold my breath on it at this point. I'll see what I can fit in.

By: Jigar

Jigar — Mon, 18 May 2009 15:48:37 +0000

I have a similar virus issue for my sites. I have over 200 websites that are affected by this. Hence you can imagine the number of files that are affected with this. Please can you help me with locating any type of tool/code that will automatically remove the “junk” lines from my coding. I unfortunately do not have backups for all of them. Please advise.

You have suggested above to download the zip file from here http://www.techknowme.com/blog/resources/fic_infection.zip
What do I have to do thereafter, please advise?
Regards

Jigar

By: michael

michael — Mon, 18 May 2009 01:31:14 +0000

Hi;

Spent the last 4 hours cleaning and as of rigth now we are clean again.

my img files were all gifimg.php files and I also noticed a couple of .html files that contained the code.

I found one ( large ) txt. file it wrote that contained approx. 3000 urls ( not the kind of site you would visit I hope ) – it only wrote the folder names i.e. “/nude-puppy-pics.htm” – so I am not sure if the java script completes the first part.

thanks again for everybody’s help

cheers

Michael

By: Jim S

Jim S — Sun, 17 May 2009 20:19:03 +0000

Please ignore the last post. I’ve been dealing with this too long and need a break. I opened the wrong copy in notepad.

SORRY!!!!

By: Jim S

Jim S — Sun, 17 May 2009 20:08:28 +0000

I found that code when I opened an html file with Dreamweaver and it was ‘greyed’ out so I can’t delete it. It was just after However, I got the same file opened in notepad, and the code is nowhere to be seen. So help me understand this. Hope this helps….

By: Rob Z.

Rob Z. — Sun, 17 May 2009 19:40:03 +0000

Are your files hosted on a Linux or Windows server? If on a linux server, make sure they’re set to at least 755 (that’s read/write/execute for the user and read/execute for the group and non-user accounts) and that you’re logged in as the user who owns the files. If you have root access, you can go in and change the permissions yourself. If not, you’ll need to call your web host and ask them to reset the permissions so you can access them.

If you’re on a Windows server, you need to be logged in as an administrator to change those files from read-only. If you don’t have that level of access, contact your web host.

One more point on Chris’s script above – I just downloaded it and took a quick look – looks like a winner. However, the point he made about this trojan morphing is an important one – this script will NOT work for all infections, and may not even clean your infection completely. If you look at Joanna’s post above, you’ll see a script that looks like it may be one of the infection scripts. It apparently assigns function names randomly upon infection but tracks them internally. This makes it WILDLY difficult to create an automated cleaning solution. Your best bet, in m opinion, would be to

1. Go into every directory names “images” and empty out any PHP files you find in there that you don’t expect to see (it’s rare those directories should have anything other than GIF and JPG files anyway). Don;t delete them, just open them and delete their contents, leaving an empty file.

2. Open every .js file you have and remove any inserted code from the bottom of the file. It will be a TON of JavaScript code on a single line.

3. Go through every HTML file and kill off any blocks located between the closing tag and the opening tag – that’s improper HTML formatting anyway, so an automated script that looked just for that and cleaned it out may not be a bad thing.

4. Go through every PHP file and look for a long line of PHP code immediately adjacent to the opening < ?php tag. You should be able to just kill that and be good.

If this is all greek to you, ask your friendly neighborhood geek to handle this for you (ahem: http://www.techknowme.com/contact/). You may want to back it all up before you make any changes, but make sure your anti-virus and anti-malware software is all up to date before you do ANYTHING, otherwise you may reinfect yourself.

By: Jim S

Jim S — Sun, 17 May 2009 19:22:17 +0000

Great Information and it all really helps…..In my case I got all of the aforementioned file types infected. They also changed the file permissions and now I can’t open them. Tried using notepad and still can’t open them. Any ideas. My AVG has identified all of the infected files and I would like to open and clean them.

But how to get into them is my puzzle.

HELP!

By: Rob Z.

Rob Z. — Sun, 17 May 2009 19:18:22 +0000

Chris – thank you for posting this! When I have a free moment, I’ll check it out. We haven’t been reinfected (knock on wood) but I’d rather use something that’s automated completely than have to manually go through this again.

I have seen that it was morphing – it even morphed within the infection on our server – not all of the functions were (GxC).

By: Chris

Chris — Sun, 17 May 2009 14:13:25 +0000

Hello,
first of all, Gumblar is morphing, which means it changes in every infected site; from what I know till now, not the php code but the javascript functions; yours is (GxC), mine is (r4Pp).

secondly, I would like to point out how correct you are in keeping the image.php file and not deleting it.

third, one more of gumblar’s morphing, I didn’t get an image.php file, but a gifimg.php file!

I developed a script that will check all your files and folders, and will destroy the malicious GUMBLAR code in your affected files.

The program will list all potentially infected files, and will try to clean
them. If successful, a “CLEANED” notification will be displayed.

Download the zip file from our site, http://www.axxis.gr
Go to the ‘Customer Login’ page
( http://www.axxis.gr/index.php?option=com_customersupport )

The distinctive characteristic of gumblar is its ability of morphing, so this script may need additional checks in the future. You are all welcome to send your “version” of gumblar code, and I will try to fix this too.

By: Rob Z.

Rob Z. — Sun, 17 May 2009 05:07:51 +0000

Glad I could help!