Marc J
22-05-2009, 08:57 PM
I've recently sent out an email to all my hosting clients regarding the recent surge in viruses / malware intent on stealing FTP access and thus installing malicious code on any websites under the control of infected machines.
I've copied it here as it contains some (I hope) useful information and general security tips. Any references to hosting account instructions are for my hosting clients but as most hosts use cPanel or similar the advice is probably good for everyone, so I've left it in (plus saves me editing it all out).
--------------------------------------------------------------------------
Hi,
Due to a recent rise in the amount of viruses / malware intent on stealing FTP details for any websites under the control of infected machines (the most well-known recently being "Gumblar" or variants of it), I thought I would send out a quick email to all hosting clients with advice on how to stay protected, and best practices to use just in case!
General Security Advice
1) Windows Update - Keep Windows up-to-date regularly (http://windowsupdate.microsoft.com/). If you don't want to have Automatic Updates turned on, manually update Windows on a regular basis and install any high priority updates available, especially security-related ones.
2) Anti-Virus - Install Anti-Virus software and keep it up-to-date, doing regular scans. An example of free anti-virus software is AVG Free (http://free.avg.com/). My personal recommendation would be ESET NOD32 Antivirus or ESET Smart Security (http://www.eset.com/products/index.php) with prices of £29.31 and £39.10 respectively for a Home Edition License (per year).
3) Install Spybot S&D (available free from http://www.safer-networking.org/) and keep it up-to-date with regular scans.
4) Install SpywareBlaster (available free from http://www.javacoolsoftware.com/spywareblaster.html) and keep it up-to-date.
5) Install Malwarebytes' Anti-Malware (available free from http://www.malwarebytes.org/) and keep it up-to-date, doing regular scans.
6) Install Secunia PSI (Personal Software Inspector) available free from http://secunia.com/vulnerability_scanning/personal/. This will scan your system and alert you to any out-of-date or unpatched vulnerable software installed on your PC and recommend any action required.
Advice specific to FTP stealing viruses - Gumblar et al.
Gumblar works by installing itself on your PC when you visit an infected website. It targets vulnerabilities in older versions of Adobe Acrobat Reader and Adobe Flash Player.
Once installed on your PC it blocks CuteFTP (popular FTP software) from web access, and also blocks common antivirus software updates. It also monitors all internet browser traffic (which could include usernames and passwords). It also steals unencrypted FTP site information (address, username, password) from the config files of any installation of FileZilla (popular free FTP software) it finds - the reason it blocks CuteFTP's internet access is an attempt to get any users of that FTP software to switch to FileZilla. It also monitors internet traffic to any ftp:// address and / or data sent through port 21 (the port used for FTP).
Once it has FTP details for any sites you maintain from the infected PC, it logs in and injects malicious code into any (and probably all) files with .html, .htm, .php and .js extensions. It may also alter any .htaccess file(s) and upload scripts to any image(s) folder(s) it finds. Your website will now be infecting any unprotected visitors.
An infected PC will typically be running a little slower than normal, with Internet Explorer perhaps being particularly sluggish or hanging. Gumblar's ultimate goal (as understood at the moment) is to redirect Google searches to other websites, which may be infected with other viruses or simply be earning the referrer a fee for directing traffic there. This redirection may be the only indication that you are infected.
If you think you are infected, the first thing you should do is log in to your account from a known clean computer and change the main account password and any FTP account passwords. If you do not have a known clean computer contact myself and I will change your password(s) for you. Then restore any infected files from a known good backup as soon as you can.
Recommendations: -
1) See 1 - 6 of the General Security Advice above.
2) Update Adobe Acrobat Reader and Adobe Flash Player to the latest versions. First uninstall any old installed versions, reboot, then install the latest versions from http://get.adobe.com/reader/ and http://get.adobe.com/flashplayer/. In Adobe Acrobat Reader disable Javascript by going to File ---> Preferences ---> Javascript and unticking the "Enable Acrobat Javascript" box.
3) Unless you specifically need to upload files above the public_html folder do NOT FTP using the main account password. The account main FTP login logs in above the public_html folder of your account and any malicious login at this level can cause major problems with not only your published website but also email, settings, stats etc. Instead log into cPanel (www.yourdomain.com/cPanel) and create an FTP account with restricted access, for example [email protected] with access to /public_html. Log in with this restricted FTP account whenever you make changes to your site. If your logins are ever compromised it will be these restricted details which will be compromised, lessening any impact and making cleaning up easier.
4) For additional security disable FTP logins for your site altogether, and enable it only when you need to make changes to your site (disabling it again once you're finished). This means an extra step when you need to FTP to your site, but gives an added level of security. This can be done in cPanel's "FTP Access" icon.
NOTE: Regular automatic account backups are taken but these should not be relied upon. You should always keep your own local backups of your site(s). Account backups are typically taken overnight but are normally only held for a maximum of 24 hours then overwritten. If you need anything restored from an account backup just ask and this will be done.
Again, the reason for this email is simply to raise awareness of the rise in FTP stealing viruses / malware. Gumblar is not the first but is by far the most "successful" and well-known. Following the advice in this email should help protect you from infection, and minimise any impact if you do become infected.
Some links with more information: -
http://uk.news.yahoo.com/16/20090515/ttc-gumblar-attack-explodes-across-the-w-6315470.html
http://www.internetnews.com/security/article.php/3821151/Gumblar+Biggest+Threat+on+the+Web+Today.htm
http://www.securitypronews.com/insiderreports/insider/spn-49-20090521GumblarBackdoorsTheInternet.html
http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html
http://www.unmaskparasites.com/security-report/ <--- tool to check pages for infection (in development).
Finally, if someone else updates your website for you, you should forward this email to them as well.
--------------------------------------------------------------------------
*Stands back and waits to see how many post "I'm OK I use a Mac"*
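A defender-side check for the kind of change the email describes (existing .html/.htm/.php/.js files altered, .htaccess changed, scripts dropped into image folders): hash the live web root and a known-good backup and report what differs, so you know what to restore. This is an added example, not part of Marc J's email; the image-folder names, script extensions and the sample files it builds are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".php", ".js", ".pl", ".cgi"}  # scripts that do not belong in an image folder
IMAGE_DIR_NAMES = {"images", "img", "image"}  # assumed image-folder names (constructed)

def hash_tree(root: Path) -> dict:
    """Map 'relative/path' -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(backup: Path, live: Path) -> dict:
    """Report files that differ from the known-good backup, grouped by why they matter."""
    good, cur = hash_tree(backup), hash_tree(live)
    findings = {"modified": [], "htaccess": [], "new_in_image_dir": [], "other_new": []}
    for rel, digest in sorted(cur.items()):
        if good.get(rel) == digest:
            continue  # byte-identical to the backup
        p = Path(rel)
        in_image_dir = any(part.lower() in IMAGE_DIR_NAMES for part in p.parent.parts)
        if p.name == ".htaccess":
            findings["htaccess"].append(rel)  # altered or newly dropped .htaccess
        elif rel in good:
            findings["modified"].append(rel)  # existing page/script changed: check for injection
        elif p.suffix.lower() in SCRIPT_EXTS and in_image_dir:
            findings["new_in_image_dir"].append(rel)  # script uploaded into an image folder
        else:
            findings["other_new"].append(rel)
    return findings

def build_sample() -> tuple:
    """Constructed sample trees (not real site data) that exercise the check."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    clean = {"index.html": "<html><body>Hello</body></html>\n",
             "js/app.js": "console.log('ok');\n", "images/logo.png": "PNGDATA"}
    for root in (backup, live):
        for rel, text in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
    # Changes of the kind the email describes, as harmless placeholder text:
    (live / "index.html").write_text(clean["index.html"] + "<!-- placeholder line -->\n")
    (live / ".htaccess").write_text("RewriteEngine On\n")
    (live / "images" / "unexpected.php").write_text("<?php /* placeholder */ ?>\n")
    return backup, live

if __name__ == "__main__":
    b, l = build_sample()
    print(compare_trees(b, l))
```

Run it against a fresh download of the site and the last backup you took yourself; anything under "modified" or "htaccess" is what to restore from the known-good copy, and the main cleanup is done from a clean machine after changing the passwords, as the email says.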