Archive for gumblar

The latest botnet attack, named Gumblar, has been hitting the Internet for a few weeks. ScanSafe named this attack Gumblar because it functions out of the website gumblar.cn. Researchers and security experts believe Gumblar infects a site through FTP. Weak passwords, poor permissions, etc. open the doors to the Gumblar Trojan.

The first thing to do if you suspect your site has been compromised is to check it. There are numerous ways of doing this: you could use Google Chrome and go through your site, you could search for pieces of Gumblar code, or you could use a utility such as Malwarebytes.

Code injected into a site can be small (a few lines of code) or can be a veritable War and Peace. The strings to search for are "(function(" and ".replace(". The code is normally found before <body> tags in HTML code or at the end of a .js file. The code, so far, only compromises HTML, JS, and PHP files.

Now that you have found it, the next step is up to you. You can opt to remove all the code first, or you can lock down your FTP first. This really depends on what your site does. If it has a lot of traffic, then I would suggest removal first, then lockdown. Getting that code off of your site so it doesn’t affect your audience is a top priority.

To do this you could use third-party software, or you can do it by hand. Personally, I always go for by hand, since I know that I will find all iterations of the problem. Using the search method, you can comb through your files quickly, deleting all of the Gumblar code. You should also delete any folder that has only image.php files in it.

Locking the site down starts with changing the FTP password. Make sure the new one is long and filled with characters, numbers, letters, etc. Once that is done, look through folder and file permissions. If your site requires that some files or folders have write permissions, that is fine, but make sure only those things have them.
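The checks described above can be collected into one read-only scan of the web root. This is an added example, not code from the original post: the 2 KB tail window for .js files, scanning the whole file when no <body> tag is present, and treating "write permissions" as the world-writable bit are all assumptions. Both search strings are common in legitimate JavaScript, so every hit is a candidate for manual review, not a confirmed infection.

```python
import os
import stat
import sys

MARKERS = ("(function(", ".replace(")    # the two strings the post says to search for
EXTS = (".html", ".htm", ".js", ".php")  # file types the post says are affected
JS_TAIL = 2048                           # assumption: "end of a .js file" = last 2 KB

def suspicious_span(path, text):
    """Return where both markers co-occur in the region the post describes, else None."""
    if path.lower().endswith(".js"):
        region, where = text[-JS_TAIL:], "tail of .js file"
    else:
        cut = text.lower().find("<body")
        if cut == -1:                    # assumption: no <body> tag, check everything
            region, where = text, "whole file (no <body>)"
        else:
            region, where = text[:cut], "before <body>"
    return where if all(m in region for m in MARKERS) else None

def scan(webroot):
    """Walk webroot and return (kind, path, detail) findings for manual review."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        # A folder holding nothing but image.php is one the post says to delete.
        if filenames and not dirnames and all(f == "image.php" for f in filenames):
            findings.append(("image-php-only-dir", dirpath, ""))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):   # skip symlinks, sockets, devices
                continue
            if mode & stat.S_IWOTH:      # writable by any local account
                findings.append(("world-writable", path, oct(mode & 0o777)))
            if name.lower().endswith(EXTS):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    where = suspicious_span(path, fh.read())
                if where:
                    findings.append(("marker-hit", path, where))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path, detail in scan(root):
        print(f"{kind}\t{path}\t{detail}")
```

Run it against a copy of the site pulled down over a trusted channel, and compare each marker-hit against a known-good backup before deleting anything.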

Gumblar’s rate of infection has grown by 188% over the last week, but with a little effort, your site can keep from becoming a statistic.
