Previously on "'Gumblar' and 'Martuz' infections"

  • paddytheirishman
    replied
    I would love to get my hands on the little sh*ts that create these things. They wouldn't be able to do any more typing when I'd be finished with them.


  • Ardesco
    replied
    If your box has been compromised there is only one sure fire way to clean it.

    Reinstall!

    You can try and pull out all the dodgy files and back doors, but there is no guarantee you will capture everything.


  • cojak
    replied
    Originally posted by WeWatch:
    The FTP clients that store the saved login credentials in plain text are usually the ones hit first.

    For instance:

    1. CoffeeCup Direct FTP
    2. TransSoft FTP Control 4
    3. Core FTP
    4. GlobalScape CuteFTP
    5. Far Manager (with FTP plugin)
    6. FileZilla
    7. FlashFXP
    8. SmartFTP
    9. FTP Navigator
    10. Total Commander

    All save the stored login credentials in plain text making it easy for the virus to find and steal them. It then sends them to a server that logs into the website, downloads files, infects them then uploads them back to the website.

    I like Avast, but Antivir might work well too.

    For those who think that simply not saving their credentials will protect them, think again. The virus works as a sniffer and a keyboard logger too. So any FTP connection, since it transmits all data in plain text, is easy pickin's for the virus.

    As a complete line of defense, you can switch to WS_FTP which encrypts the login information and then also switch to SFTP, if your hosting provider supports it. SFTP encrypts the data stream so it can't be sniffed.

    The server will also, many times, upload various back doors to the website. These backdoors will typically be .php files with a string like:

    Code:
    eval(base64_decode(
    then a long list of characters. This will usually be inserted into the first line of a .php file before the legitimate <?php tag.

    So it will actually look like:

    Code:
    <?php eval(base64_decode('aWYoaXNzZXQ.....'));?><?php (legitimate code)...
    These backdoors allow the hackers to re-infect the website after the FTP credentials have been changed and the virus removed.

    Just thought you'd like to know...
    Thanks for this WeWatch...

    How do you clean this up - simply remove the eval line?


  • cojak
    replied
    I'd install Microsoft Security Essentials if I thought Avast had been compromised. Many people on here rate MSE to find stuff that other AVs don't.


  • WeWatch
    replied
    Gumblar/Martuz infect many ways

    The FTP clients that store the saved login credentials in plain text are usually the ones hit first.

    For instance:

    1. CoffeeCup Direct FTP
    2. TransSoft FTP Control 4
    3. Core FTP
    4. GlobalScape CuteFTP
    5. Far Manager (with FTP plugin)
    6. FileZilla
    7. FlashFXP
    8. SmartFTP
    9. FTP Navigator
    10. Total Commander

    All save the stored login credentials in plain text making it easy for the virus to find and steal them. It then sends them to a server that logs into the website, downloads files, infects them then uploads them back to the website.

    I like Avast, but Antivir might work well too.

    For those who think that simply not saving their credentials will protect them, think again. The virus works as a sniffer and a keyboard logger too. So any FTP connection, since it transmits all data in plain text, is easy pickin's for the virus.

    As a complete line of defense, you can switch to WS_FTP which encrypts the login information and then also switch to SFTP, if your hosting provider supports it. SFTP encrypts the data stream so it can't be sniffed.

    The server will also, many times, upload various back doors to the website. These backdoors will typically be .php files with a string like:

    Code:
    eval(base64_decode(
    then a long list of characters. This will usually be inserted into the first line of a .php file before the legitimate <?php tag.

    So it will actually look like:

    Code:
    <?php eval(base64_decode('aWYoaXNzZXQ.....'));?><?php (legitimate code)...
    These backdoors allow the hackers to re-infect the website after the FTP credentials have been changed and the virus removed.

    Just thought you'd like to know...

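Added example, not part of any post in this thread: a small Python checker for the pattern WeWatch describes above and for cojak's "simply remove the eval line?" question. It flags files that begin with the injected <?php eval(base64_decode('...'));?> block in front of the real <?php tag, flags files where the same call appears further down, and strips only the prepended loader. The file names and the encoded payload are constructed for the demo.

```python
import base64
import re

# Constructed sample site files (not from the thread). index.php carries the
# prepended loader WeWatch describes; lib.php has the same call buried
# mid-file; clean.php is untouched. The payload is a harmless encoded stub.
_PAYLOAD = base64.b64encode(b"if(isset($_POST['x'])){}").decode()
SAMPLE_FILES = {
    "index.php": "<?php eval(base64_decode('" + _PAYLOAD + "'));?><?php\necho 'hi';\n",
    "clean.php": "<?php\necho 'clean';\n",
    "lib.php": "<?php\nfunction f() {}\neval(base64_decode('" + _PAYLOAD + "'));\n",
}

# The injected block: a PHP tag whose only statement is eval(base64_decode(...)),
# sitting in front of the file's legitimate opening tag.
INJECTED_PREFIX = re.compile(
    r"^\s*<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]+['\"]"
    r"\s*\)\s*\)\s*;?\s*\?>"
)
# Looser check for the same call anywhere in the file.
ANY_EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(")


def classify(content):
    """'prefix' if the file starts with the injected loader, 'embedded' if
    eval(base64_decode( appears elsewhere, otherwise 'clean'."""
    if INJECTED_PREFIX.match(content):
        return "prefix"
    if ANY_EVAL_B64.search(content):
        return "embedded"
    return "clean"


def strip_prefix(content):
    """Remove only the prepended loader so the real <?php tag is first again.
    'embedded' files are left alone: they need a manual look, not a regex."""
    return INJECTED_PREFIX.sub("", content, count=1)


def scan(files):
    """Map each file name to its verdict."""
    return {name: classify(body) for name, body in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(name, verdict)
```

Stripping the loader covers only the prepended case shown in the thread; a file reported as 'embedded' needs a manual look, and the re-download, credential change and reinstall the other replies recommend still apply.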

  • paddytheirishman
    replied
    OK, thanks. At the rate Avast is running, it probably won't be finished till the early hours. I'll remove and install Antivir and see if anything is detected. If AVG, Avast and Antivir find nothing, I guess the PC should be clean.

    The message was auto-generated from the ISP and said that my PC 'may' be infected, but I don't want to take any chances. They gave some generic info on what to look out for on your website such as unfamiliar iframes and javascript but can't see anything suspicious.


  • Cliphead
    replied
    Originally posted by paddytheirishman:
    Yes, I have a website (well, just one web page so far, proper site under development...) but the only warning I have received is from the ISP. This is what they are saying about it:

    "In general, these attacks occur when a PC is infected by a browser,
    flash or Adobe PDF exploit. Once infected, the infected PC will do
    things like searching for saved FTP passwords, install a keylogger
    and setup a packet sniffer to sniff for FTP details on your network.

    All passwords are then sent to external sites.

    These external sites then attempt to FTP to your website, uploading
    new versions of your pages with hostile code (usually javascript
    and iframes). Anyone who then visits your site will too become
    infected if not fully patched up."
    That sounds like a generic message.

    Install Antivir, download everything via FTP from your site. If any of the site files are infected Antivir will throw a warning as they download - I've tried this with a site suspected to be infected and it picked up one php file which shouldn't have been there.

    Also do a complete scan of the PC beforehand just to be sure.


  • paddytheirishman
    replied
    Yes, I have a website (well, just one web page so far, proper site under development...) but haven't seen any warnings while browsing. This is what the ISP is saying about it:

    "In general, these attacks occur when a PC is infected by a browser,
    flash or Adobe PDF exploit. Once infected, the infected PC will do
    things like searching for saved FTP passwords, install a keylogger
    and setup a packet sniffer to sniff for FTP details on your network.

    All passwords are then sent to external sites.

    These external sites then attempt to FTP to your website, uploading
    new versions of your pages with hostile code (usually javascript
    and iframes). Anyone who then visits your site will too become
    infected if not fully patched up."
    Last edited by paddytheirishman; 23 February 2010, 22:06.


  • Cliphead
    replied
    Do you have a website? Is that where the warnings are coming from?

    Linky to more info


  • Cliphead
    replied
    Originally posted by paddytheirishman:
    To be honest, I don't know anything beyond the info the ISP emailed me, which wasn't very comprehensive, so was hoping some of you guys may have come across this.
    Didn't they give a pointer to specific files or email attachments that are infected?

    Could be a generated email warning based on a spurious detection.

    Have a go with Antivir which I've found to be excellent compared to the rest.


  • paddytheirishman
    replied
    To be honest, I don't know anything beyond the info the ISP emailed me, which wasn't very comprehensive, so was hoping some of you guys may have come across this.


  • Cliphead
    replied
    Originally posted by paddytheirishman:
    Got an email from my ISP today warning me of possible infection of a virus called Gumblar or Martuz. Have scanned PC with AVG 9.0 and nothing found. Found out on a discussion board that these b*stards can't be detected with many of the current anti-virus s/w. Someone suggested using Avast, so downloading now.

    These little gems supposedly search and find your ftp p/w if on your PC, then upload malicious code to your webpages.

    Has anyone come across this and what are the best actions to take?
    Haven't come across it but is it targeting any specific FTP client?


  • paddytheirishman
    started a topic 'Gumblar' and 'Martuz' infections

    'Gumblar' and 'Martuz' infections

    Got an email from my ISP today warning me of possible infection of a virus called Gumblar or Martuz. Have scanned PC with AVG 9.0 and nothing found. Found out on a discussion board that these b*stards can't be detected with many of the current anti-virus s/w. Someone suggested using Avast, so downloading now.

    These little gems supposedly search and find your ftp p/w if on your PC, then upload malicious code to your webpages.

    Has anyone come across this and what are the best actions to take?
