Written by Ken Task
Thursday, 05 November 2009 08:40
Depends.
The culprit: Gumblar. A "mistake" in the coding of the bot reveals errors and gives the blogger, webmaster, or moodlemaster a hint that something is not right.
And after reading how Gumblar works, I am convinced even more that FTP methods of updating code on remote sites need to go:
"Gumblar installs its buggy code on websites by first running on the desktop and stealing FTP (File Transfer Protocol) login information from its victims and then using those credentials to place malware on the site. Webmasters who suspect that their sites have been infected can follow the detection and removal instructions posted on Sinegubko's blog. Simply changing FTP credentials will not fix the problem, as Gumblar's authors usually install a back-door method of accessing sites." http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/
How do you find out if you've been hacked? On a Linux box, create a file called 'checkbase64' containing only one line:
grep -r eval\(base64_decode /var/www/html/*
Save it, make it executable with chmod u+x checkbase64, then run it: ./checkbase64
Anything it lists has the eval(base64 code in its header, which indicates you've been hacked.
You can get the script for Linux boxen at: http://moodle.tcea.org/checkbase64.tar
Wget the tar file directly to your web document root. Un-tar it: tar xvf checkbase64.tar. Then run it: ./checkbase64 [directory_to_check]. NOTE: this will check ALL files in the given directory under the web document root, and it will take some time to run. BE PATIENT! If it exits showing no files, good for you! If it shows files, better check the first URL above!
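The grep check above, generalised as an added shell example (this is not the checkbase64 script from the post): it tolerates case and whitespace variations and the gzinflate wrapper, skips binary files, and reports file and line number for each hit. It assumes GNU grep (for -r, -I, -E), and the sample document root it builds is constructed test data, not real site files.

```shell
#!/bin/sh
# Added example (not Ken Task's checkbase64 script): scan a web document root
# for PHP files carrying the eval(base64_decode( pattern that Gumblar-style
# injections leave in file headers. Assumes GNU grep.

# Regex: eval ( [gzinflate (] base64_decode, with optional whitespace at each gap.
PATTERN='eval[[:space:]]*\([[:space:]]*(gzinflate[[:space:]]*\([[:space:]]*)?base64_decode'

scan_base64_eval() {
    # $1 = directory to scan (defaults to /var/www/html, the path used in the post).
    # -r recurse, -I skip binaries, -i ignore case, -n print line numbers.
    # Output lines look like: path:line:matching text
    dir="${1:-/var/www/html}"
    grep -rIinE "$PATTERN" "$dir" 2>/dev/null
}

count_infected_files() {
    # Number of distinct files that match; 0 means nothing found.
    dir="${1:-/var/www/html}"
    grep -rIilE "$PATTERN" "$dir" 2>/dev/null | wc -l | tr -d ' '
}

make_sample_root() {
    # Constructed sample document root for a stand-alone run: one clean file,
    # one with the plain injected header, one with case/space/gzinflate variation.
    root="$(mktemp -d)"
    mkdir -p "$root/lib"
    printf '<?php\n/* clean file */\necho "hello";\n' > "$root/index.php"
    printf '<?php\n/* injected header */ eval(base64_decode("aGVsbG8="));\n' > "$root/lib/config.php"
    printf '<?php\nEval ( gzinflate( base64_decode("abc") ) );\n' > "$root/lib/helper.php"
    echo "$root"
}
```

Run scan_base64_eval against your real document root; a non-empty listing is the same signal the one-line checkbase64 script gives, with the offending line numbers added.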
Resource: http://news.techworld.com/security/3205613/wordpress-sites-hit-by-botnet/?cmpid=TD1N6