Back in May and continuing into June, we saw a sharp increase in the number of compromised websites due to the Gumblar infection. This malware would infect a PC, then pass any FTP usernames and passwords it could find stored in any FTP program on the computer back to the botnet. The hackers would then use this FTP information to upload malicious code into web pages to continue to infect more PCs.

These attacks lessened in July, but August has brought a new wave of these infections. The latest variants are similar to the original Gumblar virus: they collect FTP usernames and passwords from infected PCs and pass these login credentials back to the creators of the malware. The hackers then have automated "bots" that log into a website via FTP, download every file whose name starts with main, index, or default, insert an IFRAME (a hidden frame that loads another page inside a website) either right after the <html> tag or at the end of the file (especially with PHP files), and then re-upload the altered web page to the hosting account.

Unsuspecting visitors to these web pages may have their PCs compromised as well, and the virus continues to spread. Many people assume these attacks are due to a compromised script on the website, or that the hosting company's server was hacked, allowing the attackers to replace files. Although both scenarios are possible, it's quite easy to determine whether an FTP compromise was the culprit:

- FTP log files: Ask your host to check the FTP logs for the latest logins to your account. This is the easiest way to determine whether the compromise came in over FTP. If it did, the log will typically show many logins from many different IP addresses and locations.

"What's the Harm?" Besides the obvious problems of having your account compromised and vulnerable to defacement, and of spreading a virus via your website, it is very possible that services such as Google Safe Browsing will list your site as potentially harmful, and many people using the Firefox or Google Chrome web browser will be greeted with a warning when they try to go to your site. This could result in a serious decrease in traffic to your site, and a loss of confidence by your visitors in the trustworthiness of your company. In addition to Google Safe Browsing, anti-virus programs may also block your site, increasing the impact of the compromise.

"What can be done?" Here are a few things you can do to clean this up, clean up your PC, and keep things secure moving forward:

1. The first thing to do is clean your infected web files. Your web host should be able to provide you with a log of the files uploaded by the hackers. They may even be able to restore infected files from backup. If not, download the infected files, remove the IFRAME code, and re-upload them.
2. Next, try to determine which PC or PCs are infected with malware. Any PC that had your FTP username and password stored could be the source, including a developer's PC or an outsourced designer's or programmer's. Make sure your anti-virus software is fully up to date, and run a full scan. Our clients have had great success using MalwareBytes Anti-Malware to complement their regular anti-virus software.
3. Once the infected PCs are clean, change your FTP password as soon as possible. (Changing it before the PCs are clean simply hands the new password to the malware.)
4. Continue to monitor your web pages and FTP logs to make sure the incident does not recur. If you find that a developer or outsourced programmer was the point of origin, consider giving them limited FTP access to a specific folder for uploading their changes, so they do not have access to your live web pages.
5. Consider using a secure FTP connection such as FTPS or SFTP to work with the files in your hosting account. Note that this protects the password on the wire; it does not protect a password saved in an FTP client on an infected PC, which is why step 2 still matters.

Hackers are realizing that it's much easier to attack the weakest link to infiltrate websites and servers: personal computers that often are not running the latest patches or up-to-date security software, and whose users may not pay enough attention when clicking links and allowing malicious code to run.
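The two checks described above, reviewing the FTP log for logins from many addresses and for the hackers' uploads, and scanning the main/index/default files for a hidden IFRAME placed right after the <html> tag or at the end of the file, as one added Python example (this is not code from the original article or from any hosting provider). The log lines and web files are constructed for the example, the log format is a hypothetical vsftpd-style layout, the "more than two distinct IPs" threshold and the hidden-iframe pattern are my own assumptions, and every name in the block is hypothetical:

```python
import re
from collections import defaultdict

# Constructed sample FTP log (hypothetical vsftpd-style format, not from the article).
# Account "acme" is logged into from four different addresses and has a file uploaded;
# account "bob" is only ever used from one address.
SAMPLE_FTP_LOG = """\
Mon Aug 10 02:11:04 2009 [pid 4021] [acme] OK LOGIN: Client "203.0.113.7"
Mon Aug 10 02:11:09 2009 [pid 4021] [acme] OK DOWNLOAD: Client "203.0.113.7", "/public_html/index.php"
Mon Aug 10 02:11:15 2009 [pid 4021] [acme] OK UPLOAD: Client "203.0.113.7", "/public_html/index.php"
Mon Aug 10 02:40:51 2009 [pid 4077] [acme] OK LOGIN: Client "198.51.100.23"
Mon Aug 10 03:05:12 2009 [pid 4102] [acme] OK LOGIN: Client "192.0.2.88"
Mon Aug 10 03:44:30 2009 [pid 4150] [acme] OK LOGIN: Client "203.0.113.200"
Mon Aug 10 09:00:02 2009 [pid 4311] [bob] OK LOGIN: Client "192.0.2.10"
Mon Aug 10 17:30:44 2009 [pid 4590] [bob] OK LOGIN: Client "192.0.2.10"
"""

LOGIN_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"')
UPLOAD_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')


def suspicious_ftp_accounts(log_text, max_distinct_ips=2):
    """Return {account: sorted distinct client IPs} for accounts logged into from more
    distinct addresses than the threshold (an assumed value; tune it to your own usage)."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ips[m.group("user")].add(m.group("ip"))
    return {u: sorted(s) for u, s in ips.items() if len(s) > max_distinct_ips}


def uploaded_files(log_text):
    """List (account, client IP, path) for every successful upload: the files to inspect first."""
    out = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip"), m.group("path")))
    return out


# Files the bots rewrite, per the article: names starting with main, index or default.
TARGET_PREFIXES = ("main", "index", "default")

# Assumed signature of the injected frame: an iframe with zero width/height or hidden styling.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b[^>]*?(?:width\s*=\s*["\']?\s*0|height\s*=\s*["\']?\s*0|'
    r'display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>.*?</iframe>',
    re.IGNORECASE | re.DOTALL,
)
HTML_TAG_RE = re.compile(r"<html\b[^>]*>", re.IGNORECASE)


def is_target_file(name):
    return name.lower().startswith(TARGET_PREFIXES)


def find_injected_iframes(content):
    """Return [(snippet, placement)] with placement 'after_html_tag', 'end_of_file'
    (the two spots the article describes) or 'elsewhere'."""
    hits = []
    html_tag = HTML_TAG_RE.search(content)
    for m in HIDDEN_IFRAME_RE.finditer(content):
        if html_tag and m.start() >= html_tag.end() and content[html_tag.end():m.start()].strip() == "":
            where = "after_html_tag"
        elif content[m.end():].strip() == "":
            where = "end_of_file"
        else:
            where = "elsewhere"
        hits.append((m.group(0), where))
    return hits


def strip_injected_iframes(content):
    """Remove every hidden iframe matched above; review the result before re-uploading."""
    return HIDDEN_IFRAME_RE.sub("", content)


def scan_site(files):
    """Scan {filename: content} and report only target files that carry a hidden iframe."""
    report = {}
    for name, content in files.items():
        if is_target_file(name):
            hits = find_injected_iframes(content)
            if hits:
                report[name] = hits
    return report


# Constructed sample site: one injection after <html>, one at end of a PHP file,
# one in the middle of the body, and one clean non-target file.
SAMPLE_FILES = {
    "index.html": '<html><iframe src="http://example.invalid/in.php" width="0" height="0" '
                  'style="visibility:hidden"></iframe>\n<head><title>Acme</title></head>'
                  '<body>Hello</body></html>\n',
    "main.php": '<?php echo "ok"; ?>\n<iframe src="http://example.invalid/x.php" width=0 height=0></iframe>\n',
    "default.htm": '<html><body><p>x</p><iframe src="http://example.invalid/y" style="display:none">'
                   '</iframe><p>y</p></body></html>\n',
    "about.html": "<html><body>no change</body></html>\n",
}

if __name__ == "__main__":
    print("accounts with too many source IPs:", suspicious_ftp_accounts(SAMPLE_FTP_LOG))
    print("uploads to inspect:", uploaded_files(SAMPLE_FTP_LOG))
    for name, hits in scan_site(SAMPLE_FILES).items():
        print(name, "->", [where for _, where in hits])
```

The iframe pattern only catches the hidden-frame injection the article describes; obfuscated script blocks need a separate check, and anything the scanner strips should be diffed against a known-good copy or backup before it goes back on the server.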