FTP virus spreading in new ways

Posted May 19th, 2009 in Blog Highlights, Tales From the Support Team, Tech Corner. Tags: , , .

An earlier blog post described how several of our customers got their personal computers infected by a new virus that has been spreading across the Internet. Initial versions of the virus spread themselves by reading a Web site’s FTP username and password stored on the PC, then downloading Web pages, inserting an “iframe” tag, and re-uploading the Web pages back to the server. As a proactive measure, we started scanning all uploaded files and stripping out any malicious “iframe” tags.

We are now seeing newer versions (commonly called “Gumblar”) which spread by inserting “script” tags with encoded JavaScript code. Because there are several variations of this approach, and because some legitimate commercial scripts use the same technique to hide their source code, we cannot perfectly identify and strip out these infections. Therefore, we will not automatically strip out the “script” tags from any upload file that looks suspicious.

If your Web site is infected, your best solution is to:

  1. Scan your computer for malware. See our prior blog post for links to suggested scanning software.
  2. Change your account password in our control panel (since your account password is also your FTP password).
  3. Change the passwords for any additional FTP accounts you may have defined.
  4. Re-upload (or “re-publish”) your Web site to our servers.

Of course, we always recommend that users run anti-virus software on their systems, and keep backups of their Web site files and data.

4 Comments

  1. on Monday, June 1, 2009 at 8:01 pm (Pacific) Heath wrote:

    I have Analytics installed on my website. The folks at google showed me the exact problem. It seems to be Gumblar or its other name Troj/JsRedir-R this is a link to the blog http://www.cnet.com/1770-5_1-0.html?query=martuz.cn%2F.&tag=srch . What I thought was an annoying Google search redirect on my office computer, was actually a pretty big deal. It got some good suggestions too.

  2. on Tuesday, August 11, 2009 at 8:55 am (Pacific) ddekany wrote:

    The malware family doesn’t just read the passwords that are stored on the infected computer. It also captures them when they are used, possibly even if they are used on another otherwise clean computer. See here.

  3. on Wednesday, October 21, 2009 at 4:47 pm (Pacific) G wrote:

    This is an email I got through an friends email account sent to me through theres, I am sure its a stealing virus-ish page can anyone help me confirm ?

  4. on Friday, March 4, 2011 at 10:27 pm (Pacific) Security Tool wrote:

    Yes i will agree with your words. Some of my friends shared me this information. When you are infecting from FTP Virus to clean your computer click the given link.
    ………………..
    Nic

  1. Recent Posts

    1. PHP versions 8.2.17 and 8.3.4
    2. President’s Day 2024 holiday hours
    3. PHP versions 8.1.27 and 8.2.15
    4. Martin Luther King, Jr. Day 2024 holiday hours
    5. New Year’s 2024 Holiday Hours
    6. Christmas 2023 Holiday Hours
    7. Brief scheduled maintenance December 16-17, 2023
    8. Thanksgiving 2023 Holiday Hours
    9. PHP versions 8.1.25 and 8.2.12
    10. PHP versions 8.1.24 and 8.2.11

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds