In the comments and in other places, I’ve seen a lot of folks breathe a sigh of relief that they finished cleaning out the JSRedir-R / Gumblar.cn infection, only to find shortly thereafter that they got reinfected. It looks like reinfection is happening through compromised desktop computers that seek out stored FTP usernames and passwords and either send them back to a central location that uses them to infect the site, or infect it directly from the compromised computer. It’s possible the computer user didn’t even have to log in via FTP for the infection to occur – the credentials may just be harvested and sent off somewhere, and the actual infection happens from there. Either way, if you don’t take proper precautions, reinfection will be likely.
Here’s what I did:
- Ran Malwarebytes and Avast on all of my local machines to make sure they’re clean. Required the same of all others using FTP to access the server. So far so good.
- Changed the FTP password
- Cleaned up the infection and made a back up of the cleaned files.
- Withheld the FTP password from all other individuals needing it to make updates until they ask for it. Then, I only give it to one person at a time and watch the site. If it gets reinfected, I’m pretty certain I know who my culprit is.
So far (and I’m knocking on wood here) we haven’t been reinfected. If we are, I have a clean copy I can quickly push up and minimize downtime while I figure out the next steps.
If you happen to have additional or different information about how this trojan infects a web server, I’d love to hear it. Between the information I’ve gleaned over at Unmask Parasites and in the comments of the last post, I think a lot of folks have been helped out, and I’d like to keep that going.

Hi;
Thanks again for the script – worked beautifully yesterday and of course I got reinfected.
When I try to run it now I get the following :
Warning: fopen(./.ftpquota) [function.fopen]: failed to open stream: Permission denied in /home/server_name/public_html/domain_name/fic_infection.php on line 55
I also tried the other script somebody here is providing and I get the following :
Fatal error: Call to undefined function: file_put_contents() in /home/server_name/public_html/domain_name/file_checker.php on line 120
Any Ideas on this one ? I am by no means comfortable enough to make any kind of changes.
thanks again for your help
Michael
Well, the first error sounds like a permissions error – make sure you have read/write access to all of your files (they should be set to 755 and you should be logged in with the user account that is the owner of those files). There’s a possibility that those files are set to 755 but were written by another user account, which might indicate that a higher-level account gained write access to your directory and simply locked you out. You may need to confer with your web host on that one (who is your web host, by the way?).
As for the second error – I hadn’t heard of the file_put_contents() function. Apparently, it’s a PHP5 only function. Are you running PHP5 or PHP4? If the latter, that script won’t run for you. You may be able to replace it with fwrite(), but you’ll also need to open the file, get a handle, write to it using the handle then close the file. It’s easier than I make it sound, but if you’re not really a PHP hacker, I can see how it may be intimidating.
I’m currently helping someone else out right now with this by accessing his server directly and trying to fix it. If you’d be interested in hiring me to do the same for you, you can give me a call at 925-246-5449 or use the contact form on the main site (http://www.techknowme.com/contact/) to drop me an email or just ask me here in the comments and I’ll email you directly (looks like I have your email in WP).
But, before you do anything, follow the directions I laid out in the blog post you just commented on. Had you done that prior to being reinfected? Did you get reinfected anyway?
Rob Z.
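Rob’s suggestion above (open the file, get a handle, fwrite(), close) and the “Permission denied” fopen() warning from Michael’s comment, as an added example that is not one of the scripts referred to in the comments. The directory path and the log file name are assumptions; the fallback only defines file_put_contents() when PHP itself lacks it.

```php
<?php
// Added example, not one of the scripts referred to in the comments: a PHP 4
// fallback for file_put_contents(), plus a reader that records files the
// account cannot open (the ".ftpquota: Permission denied" warning) and goes on.
if (!function_exists('file_put_contents')) {
    // PHP 4 has no file_put_contents(): open a handle, write, then close it.
    function file_put_contents($filename, $data)
    {
        $fh = @fopen($filename, 'wb');
        if ($fh === false) {
            return false;
        }
        flock($fh, LOCK_EX);
        $bytes = fwrite($fh, $data);
        flock($fh, LOCK_UN);
        fclose($fh);
        return $bytes;
    }
}
// Returns the file's contents, or false (and appends the path to $skipped)
// when the account running the script cannot read the file.
function read_if_readable($path, &$skipped)
{
    if (!is_readable($path)) {
        $skipped[] = $path;
        return false;
    }
    $size = filesize($path);
    if ($size === 0) {
        return '';
    }
    $fh = fopen($path, 'rb');
    $data = fread($fh, $size);
    fclose($fh);
    return $data;
}

// Walk one directory (assumed path), read every regular file, and log the
// unreadable ones so they can be checked with the host instead of aborting.
$dir = '/home/server_name/public_html/domain_name'; // assumed path
$skipped = array();
$dh = opendir($dir);
while (($entry = readdir($dh)) !== false) {
    $path = $dir . '/' . $entry;
    if (is_file($path)) {
        $data = read_if_readable($path, $skipped); // inspect $data for the injected script
    }
}
closedir($dh);
file_put_contents($dir . '/unreadable_files.log', implode("\n", $skipped));
```

Files that end up in the log are ones the FTP account cannot read; as noted above, that is worth raising with the host, since it may mean they were written by a different account.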
Hi Rob,
I need help! my domain name is: http://www.ritacramer.com
I’ll tell you, what happened:
1. I read on google “This site may harm your computer”.
2. I called my host, he checked it and told me, that there is a java script on each page.
3. I called my designer. She deleted this on every page, deleted all pages on the remote server and uploaded each page again. This didn’t work. She got the message: “This website http://www.ritacramer.com has been reported as an attacked site and has been blocked based on your security preferences”. Please do you have an idea what I can do?
Thanks for your report
Rita Cramer