Back in May and continuing into June, we saw a sharp increase in the number of compromised websites due to the Gumblar infection.  This virus/malware would infect a PC, and then pass any FTP usernames and passwords it could find stored in any FTP program on the computer back to the Botnet.  The hackers would then use this FTP information to upload malicious code into webpages to continue to infect more PCs.

These attacks lessened in July, but August has brought a new wave of these infections.  The latest variants are similar to the original Gumblar virus: They collect FTP usernames and passwords from infected PCs, and pass these login credentials back to the creators of the malware. The hackers then have automated “bots” that log into a website via FTP, download every file that starts with main, index, or default, insert an IFRAME (a hidden frame that can be loaded on a website) either right after the “<body>” html tag or at the end of the file (especially with php files) and then re-upload this altered webpage to the hosting account.

Unsuspecting visitors to these webpages may have their PCs also become compromised, and the virus continues to spread.  Many people often think these attacks are due to a compromised script on the website, or that the hosting company’s server was hacked/compromised allowing hackers to replace files.  Although these two scenarios are possible, it’s quite easy to determine if an FTP compromise was the culprit:

• FTP Log Files
  Ask your host to check the FTP logs for the latest logins to your account. If it looks something like this, you can assume this was an FTP attack:

Compromised FTP Account

…

“What’s the Harm?”

Besides the obvious of having your account compromised and vulnerable to defacing, and the spreading of a virus via your website, it is very possible that services such as Google Safe Browsing will list your site as potentially harmful, and many people using the Firefox or Google Chrome web browser will be greeted with this warning when they try to go to your site:

Site Blocked

This could result in a serious decrease in traffic to your site, and a loss of confidence by your visitors in the trustworthiness of your company.  In addition to Google Safe Browsing, other anti-virus programs may also block your site, increasing the impact of this compromise.

…

“What can be done?”

Here are a few things you can do to clean this up, clean up your PC, and keep things secure moving forward:

1. The first thing to do is clean your infected web files.  Your web host should be able to provide you with a log of uploaded files by the hackers. They may even be able to restore infected files from backup. If not, download the infected files, remove the IFRAME code, and re-upload.
2. Next, try to determine which PC or PCs are infected with malware (any PC that had your FTP u/p stored could be the source, even a developer’s PC or outsourced designer/programmer).  Make sure your anti-virus software is fully up to date, and run a full scan.  Our clients have had great success using Malwarebytes Anti-Malware to compliment their regular anti-virus software.
3. Once the infected PCs are clean, change your FTP password as soon as possible.
4. Continue to monitor your web pages and FTP logs to make sure the incident does not recur.  If you find out that a developer or outsourced programmer was the point of origin, consider giving them limited FTP access to a specific folder to upload their changes so they do not have account access to your live web pages.
5. Consider using a secure FTP connection such as FTPS or SFTP to work with your files in your hosting account.

Hackers are realizing that it’s much easier to attack the weakest link to infiltrate websites and servers – personal computers that often are not running the latest patches or up to date security software, and whose users may not pay enough attention when clicking links and allowing malicious code to run.