Tuesday, May 26, 2009

Dealing with the Gumblar virus

As the administrator of my website I occasionally have to deal with such issues as worms, viruses, and other nasty stuff. My site is relatively simple and plain, by design (although I admit it could use a little pizazz).

Over the Memorial Day weekend I discovered that my site had been infected. Some bad code had been written into my main index.htm file. After a few hours of investigation I found that my main PC had been infected and this allowed the "bad guys" to get into my website and alter my files, with the intention of spreading their badness around to anyone who visited my site.

For those who are interested here are the gory details, as best as I know them:

  • My PC was infected by some malware (i.e. "bad software") that stole the passwords to my FTP account

  • I use a free FTP program (FileZilla) that actually stores passwords in a plain text file on the hard drive. This is a very nice FTP program, but the password storage makes it ridiculously easy for a rogue program to steal the passwords (see this link)

  • The rogue program installed a scheduled task that seems to grab the password(s) and send them to the "bad guys". They would then occasionally log into my account, and modify my files.


This virus is loosely known as the Gumblar virus. A web search will quickly reveal how serious a problem it is.

I have cleaned my machine, changed my passwords, deleted the scheduled task, and uninstalled FileZilla. I hope I have this thing licked, but until a few weeks pass without an incident I'll be keenly aware of what is going on.
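One way to notice a repeat of the index.htm tampering described above is to keep a hash baseline of the web root and diff it regularly. The script below is an added example, not code from the post; it builds a constructed two-page site in a temporary directory, appends a placeholder to index.htm the way an attacker with FTP access would alter a file, and reports what changed.

```python
"""Baseline-and-verify check for a static web root (added example, not from the post)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a clean site, then index.htm is altered and a stray file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.htm").write_text("<html><body>Welcome</body></html>")
        (site / "about.htm").write_text("<html><body>About</body></html>")
        before = snapshot(site)           # taken while the site is known-good
        # Constructed stand-in for injected code; not the actual Gumblar payload
        with open(site / "index.htm", "a") as f:
            f.write("<!-- constructed placeholder for injected content -->")
        (site / "stray.php").write_text("<?php ?>")  # an unexpected new file
        return compare(before, snapshot(site))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is saved to a file after each legitimate upload, and the check is run on a schedule from a machine other than the one whose FTP credentials were stolen.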

Let me know if you want more information about my experience.
