How to Protect Your Sites from the Gumblar Botnet


The latest botnet attack named Gumblar has been attacking the Internet for a few weeks. ScanSafe named this attack Gumblar because it functions out of the website Researchers and security experts believe Gumblar infects a site through the FTP. Weak passwords, poor permissions, etc. open the doors to the Gumblar Trojan.

First thing to do if you suspect your site has been compromised is to check it. There are numerous ways of doing this, you could use Google Chrome and go through your site, you could do a search for pieces of Gumblar code, or you can use a utility such as Malwarebytes.

Code injected into a site can be small (a few lines of code) or can be a varietiable War and Peace. The code to search for is (function(  and .replace(. The code is normally found before <body> tags in HTML code or at the end of a .JS file. The code, so far, only compromises HTML, JS, and PHP files.

Now that you found it, the next step is up to you. You can opt to remove all the code or you can lockdown your FTP first. This really depends on what your site does. If it has a lot of traffic then I would suggest removal first then lockdown. Getting that code off of your site so it doesn’t affect your audience is a top priority.

To do this you could use third party software or you can do it by hand. Personally, I always go for by hand since I know that I will find all iterations of the problem. Using the search method, you can comb through your files quickly, deleting all of the Gumblar code. Also you should delete any folder that has only image.php files in them.

Locking the site down starts with changing the FTP password. Make sure the new one is long, and filled with characters, numbers, letters, etc. Once that is done look through folder and file permissions, if you site requires that some files/folders need write permissions that is fine but make sure only those things have them.

Gumblar’s rate of infection has grown by 188% over the last week, but with a little effort, your site can keep from becoming a statistic.

Categories : Commentary


  1. […] your FTP client so it doesn’t save the passwords, and (2) change the passwords. Also, this article explains how to determine if your website is infected and lists methods to remove the malicious […]

About Us

WebHostBlog comes from the creators and former staff of WebHostBlog has been a source for Web hosting information and marketing tips since 2003. Along with news and information on the Web hosting industry has covered topics such as business strategy and marketing and continues to be a quality resource for host related subjects. Read More

Contact Us

We work long hours, however we are always interested in hearing what you have to say. So if you have any ideas, comments, questions, death threats, or have a business proposal let us know!

For information on getting a hold of us, you can find our contact information on our Contact Us page

Special Thanks

Our staff has been working with Web Hosts and Web Host finders and news and information sites for over 20 years now and on behalf of those who knew us at The Ultimate Web Host list, Web Host Directory, Web Host Magazine, Web Host Blog and other sites, we'd like to say thank you for helping to build this amazing industry. And we'd like to give a special thanks to many of you who have contributed to these pages, and to Web Host Magazine when we owned and ran it for 14 years. Thanks for your help and advice!
. . . . .