
5 Oct 2009

Gumblar – How To Avoid Getting Hacked


2009 is The Year Of The Gumblar. You might not know the name but I’m sure you’ve experienced it either directly (hopefully not) or indirectly. Have you ever been surfing and come across a page with a big red sign warning you against entering the site? If you have, there’s a good chance that site was hit with Gumblar or one of its variants like Nine Ball, Martuz or a host of other weird and wonderful names. If you run a successful online business can you imagine the damage such an attack could do? I actually got hit with it on a personal site I just use for storing photos. But when I thought of the damage it would have done if it had hit HostNexus… it certainly got my attention.

So what is Gumblar and how does it work? These are things EVERY webmaster MUST know! The original Gumblar used vulnerabilities in Adobe Acrobat Reader and Flash Player to infect visitors’ computers; subsequent variants use other exploitable software, but all have the same end result. I won’t go into the technicalities of how your computer gets infected but you need to know what it does. Once infected, it listens in on any FTP connection made from that computer and steals the login details (plain FTP sends the username and password in clear text, so there is nothing to crack). Usually within minutes the virus uses your FTP account to modify files on your site and insert some nasty code. This code is normally a hidden iframe, a block of (usually obfuscated) JavaScript or some other snippet that triggers a malware download from another compromised computer onto the machines of people who visit your site.

The virus will sometimes also modify PHP code and insert PHP shell scripts, which in turn attempt to install the malware that other infected sites link to, so that the server itself starts serving the downloads to unsuspecting visitors. This is a three-pronged nightmare that just grows exponentially: from local computer to FTP account to server infection, and the wheel keeps on turning. So what’s the defence?
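The injected code described above (hidden iframes, eval/unescape JavaScript, PHP backdoors) leaves fairly recognisable fingerprints in a site’s files, and because a stolen FTP login rewrites many files within minutes, a burst of recent modifications is a warning sign on its own. The scanner below is an added example written for this page, not code from the original post or from HostNexus. The indicator patterns are my own assumptions about typical injections rather than a signature feed, the sample site it builds in a temp directory is constructed, and the `example.invalid` URL is a placeholder.

```python
import os
import re
import tempfile
import time

# Indicator patterns (an assumption about typical injections, not a signature
# feed): hidden iframes, eval/unescape JavaScript chains, PHP backdoor idioms.
INDICATORS = [
    ("hidden_iframe", re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0"
        r"|display\s*:\s*none)[^>]*>",
        re.IGNORECASE)),
    ("obfuscated_js", re.compile(
        r"eval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(",
        re.IGNORECASE)),
    ("php_backdoor", re.compile(
        r"(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("
        r"|(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)",
        re.IGNORECASE)),
]
WEB_EXTENSIONS = {".html", ".htm", ".php", ".phtml", ".inc", ".js"}


def scan_file(path):
    """Return the names of the indicators found in one file (possibly empty)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return []
    return [name for name, pattern in INDICATORS if pattern.search(content)]


def scan_tree(root):
    """Map each flagged web file (path relative to root) to its indicators."""
    findings = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def recently_modified(root, hours):
    """List web files whose mtime falls within the last `hours` hours.

    A stolen FTP login typically rewrites many files in one short burst, so a
    cluster of edits the site owner did not make is itself a warning sign.
    """
    cutoff = time.time() - hours * 3600
    recent = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if (os.path.splitext(name)[1].lower() in WEB_EXTENSIONS
                    and os.path.getmtime(path) >= cutoff):
                recent.append(os.path.relpath(path, root))
    return sorted(recent)


def build_sample_site(root):
    """Write a constructed sample site: one clean page, one injected page,
    one PHP backdoor hidden in the images folder, and one image (ignored)."""
    os.makedirs(os.path.join(root, "images"))
    samples = {
        "index.html": "<html><body><h1>Holiday photos</h1></body></html>\n",
        "page.html": (
            "<html><body><p>Gallery</p>\n"
            "<iframe src=\"http://example.invalid/in.php\" width=\"0\" "
            "height=\"0\" style=\"display:none\"></iframe>\n"
            "<script>eval(unescape('%61%6c%65%72%74%28%31%29'))</script>\n"
            "</body></html>\n"),
        "images/shell.php": "<?php eval(base64_decode($_POST['c'])); ?>\n",
        "images/photo.jpg": "not really a jpeg\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample site in a temp dir and return (findings, recent)."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    build_sample_site(root)
    return scan_tree(root), recently_modified(root, hours=1)


if __name__ == "__main__":
    found, recent = demo()
    for rel, hits in sorted(found.items()):
        print(f"{rel}: {', '.join(hits)}")
    print("changed in the last hour:", ", ".join(recent))
```

Point `scan_tree` and `recently_modified` at a real document root (for example a Plesk `httpdocs` folder) to use it for real. A hit is a reason to look, not proof of infection: legitimate analytics snippets occasionally use `fromCharCode`, so compare flagged files against your own local copy of the site before deleting anything.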

The attack is three-pronged, so everyone needs to cover as many of these three weak points as possible.

1) Your Computer – a decent “On-Access” anti-virus program is all you need. When I got infected I was running a cheap AV program that wasn’t On-Access. This simply means the AV program automatically scans anything that is downloaded to your computer or any file that you open on your computer. If your anti-virus just gives you a daily scan you are NOT protected. You could get infected, download some nasty stuff to your computer and proliferate the virus before you even get to your daily scan.

2) FTP over SSL. If you are on a Linux server, simply choose the connection option in your FTP program that is encrypted or just says “SSL” (often labelled FTPS or “FTP over TLS”). All of our shared servers should have this working. If you find it doesn’t, please contact Support and we will fix it! With this option your login details are sent encrypted rather than in plain text, so the virus cannot sniff them off the connection. One caveat: this protects the password on the wire, not a password saved inside the FTP client on a computer that is already infected, so it complements step 1 rather than replacing it. We would love to implement this by default (forcing people to use it) but even though we could post about it in a newsletter, on a mailing list, on our blog and on our forum we would still get hundreds of tickets asking why their FTP doesn’t work. As awareness grows maybe we will implement it slowly.

If you have a dedicated server and would like FTP over SSL activated please contact Support.

Bad news for Windows clients on this front. Our Windows servers don’t currently support FTP over SSL, as this is a feature that arrived with the newer Windows Server 2008 OS and IIS 7. It’s a huge change and one that we aren’t quite ready for. But you can still install a decent anti-virus program. :)

3) Server Infection – this is one area where Windows servers aren’t as vulnerable. The PHP side of the virus relies on PHP running as a shared, server-wide user such as Apache: anything PHP writes is then owned by that user, and a PHP script in one account can read or modify files in every other account the web server can reach. PHP on Windows has run as CGI under each user’s own FTP username for ages, so even if files get infected the virus cannot break out of that user’s home directory. On Linux, though, PHP has run as Apache for aeons, and it’s only with later versions of Plesk that we have the option to run PHP as CGI or FastCGI, where scripts run as the domain’s own system user. So if you’re on Plesk 9 I encourage you to switch PHP to a FastCGI application under Web Host Settings for the domain. Some scripts can break with it, so if you are not sure please don’t hesitate to contact Support and we will advise you. Scripts tend to run faster under FastCGI too, so you are in fact doing yourself a service. :D
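Two things tend to show up in a document root that has been living under the PHP-as-Apache model from point 3: files and directories owned by the web server user instead of the account owner (something running as Apache created or took over them), and world-writable directories or files, the usual “fix” people apply so that PHP running as Apache can write into an account it does not own. The audit below is an added example written for this page, not code from the post, from Plesk or from HostNexus. It takes the account owner’s uid and the web server’s uid as parameters (on a real box you would look those up with `pwd.getpwnam`); in the constructed demo every file is owned by whoever runs the script, so the mod_php view is simulated by passing that uid as the web user.

```python
import os
import stat
import tempfile


def audit_docroot(docroot, owner_uid, web_uid):
    """Return sorted (relative_path, finding) pairs for one account's docroot.

    owner_uid is the account's own system (FTP) user; web_uid is the uid the
    web server runs as (for example apache). Under mod_php the two differ and
    PHP writes files as web_uid, which is what the first check catches.
    """
    findings = []
    for dirpath, subdirs, files in os.walk(docroot):
        for name in subdirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless for this check
            rel = os.path.relpath(path, docroot)
            if owner_uid != web_uid and st.st_uid == web_uid:
                findings.append((rel, "owned_by_web_user"))
            if st.st_mode & stat.S_IWOTH:
                kind = ("world_writable_dir" if stat.S_ISDIR(st.st_mode)
                        else "world_writable_file")
                findings.append((rel, kind))
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed tree: index.php, a 0666 config.php and a 0777 uploads dir
    holding a cache file that PHP wrote, the typical mod_php workaround."""
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    for rel in ("index.php", "config.php", "uploads/cache.php"):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("<?php // placeholder ?>\n")
    os.chmod(os.path.join(root, "config.php"), 0o666)
    os.chmod(uploads, 0o777)


def tighten(root):
    """What becomes possible once PHP runs as the owner: drop the 777/666."""
    os.chmod(os.path.join(root, "uploads"), 0o755)
    os.chmod(os.path.join(root, "config.php"), 0o640)


def demo():
    """Audit the constructed tree under both handler models.

    Every file here is owned by the current user, so to picture the mod_php
    case we pass that uid as web_uid (everything PHP touched is Apache's); for
    the FastCGI case the current uid is the owner and web_uid is someone else.
    Switching the handler alone does not undo the loose permissions, hence
    the before/after chmod pair.
    """
    root = tempfile.mkdtemp(prefix="phpaudit-demo-")
    build_sample_docroot(root)
    me = os.getuid()
    report = {
        "mod_php": audit_docroot(root, owner_uid=me + 1, web_uid=me),
        "fastcgi_before_chmod": audit_docroot(root, owner_uid=me, web_uid=me + 1),
    }
    tighten(root)
    report["fastcgi_after_chmod"] = audit_docroot(root, owner_uid=me, web_uid=me + 1)
    return report


if __name__ == "__main__":
    for model, findings in demo().items():
        print(f"{model}: {findings or 'clean'}")
```

The middle result is the one to remember: after moving a domain to FastCGI, go back and remove the 777 directories and 666 files that mod_php forced on it, because PHP now runs as the owner and no longer needs them, and anything still world-writable is writable by every other account on the server.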

This year we’ve been dealing with Gumblar related issues almost on a weekly basis. It is very hard to convince someone that the server hasn’t been hacked when their website is showing the Reported Attack Site page. In these cases the issue almost always lies with the user’s computer being infected.

But we have also had cases where the virus has spread through Apache-owned PHP files, causing malicious downloads and random page redirects to search results containing a list of infected sites. We can always track down the source but it is very frustrating for us as hosts and for our users. In this case a solution would be to force every domain using PHP to run as FastCGI, but as with the FTP solution there would be even more fallout. So it’s a balancing tightrope act with a bit of a dodgy safety net. All we can do as hosts is raise our own community’s awareness of this problem, which doesn’t seem to be going away any time soon, and hope that in the future we can implement stricter safeguards against this menace.

I just posted this on our blog so feel free to comment there. If you’d prefer to discuss any of this in our forum that would also be most welcome.

26 Sep 2009

The zen of SpamHaus

(Somewhat long but scroll to the bottom for the important parts if pressed for time)


How would you like to reduce the amount of spam coming into your mailbox by 90%?

Yes…..90%.

It can be done and it can be done very easily, but for many the price might be too high. See, the fight against spam is kind of a catch-22. There is no solution out there that, even if it works great, won’t aggravate some users. For web hosts this is particularly painful. A host’s client base often demands less spam but in my experience they are unwilling to pay the price. This is why most hosts just let the email flow and give their clients end-user tools with which to fight spam – and on the whole it works well. By using SpamAssassin and some filters I generally don’t see much spam in my inbox. On average maybe 5-10 per day. The rest gets tagged and filtered. I can certainly live with that – but some people can’t.

22 Aug 2009

How To Start a WebHosting Company – Part 1


The webhosting industry is very different from 2001 when I started HostNexus but many things are still the same. It’s true the competition is fierce. It’s probably the most competitive industry on the internet today. But there is good news – the internet is not getting any smaller. In fact it’s always growing as more and more people get online each and every day. Since I started HostNexus ONE BILLION people have come online – a growth of over 300% in 8 years. There will always be room for more hosting companies as long as people keep putting up websites.

13 Aug 2009

Easy MySQL Backups

Bit of a backup theme for this week, but remember in my last post I did say I was obsessed with backups! The last post addressed our server-to-server backups, how they work and a nice example of how they can save our collective asses in the event of a 100% data loss meltdown.

But what about your own personal backups? We can of course use our system to restore individual files and databases for you – no problem there but everyone should also have personal backups. Files are easy. If you’re like me you have your sites in folders on your PC/laptop and you edit files there and upload via FTP. So by default you have a copy of your files. But what about databases? A database is written on the server so special considerations have to be made. You can do backups in phpMyAdmin and download them. But who wants to do that weekly, let alone daily? And then download the backups to your computer? I’ve done it all manually and it just sucks. You will definitely forget and that daily backup becomes weekly, then monthly, then quarterly….

8 Mar 2009

How To Change Hosts Without Propagation Headaches

When we launched the new site we also upgraded the server that runs HostNexus to an awesome Core2Quad Xeon X3360 with dual 15k RPM SAS drives and 4GB Memory. The old Pentium served us well for 5 or 6 years with perfect uptime (except for when the data center blew up last year) but it was time for an upgrade. But anyhow, I digress.

Changing servers or changing hosts is the same deal really. For about a month I had parts of HostNexus running on the new server with the majority running on the old one, and when it came time to switch we did so and the whole propagation process took a whopping 5 minutes.
