
Security: beware of the Gumblar worm

Wednesday 20 May 2009, by Fil


The Gumblar worm is spreading like wildfire among websites. Using stolen passwords, it infects many files on web servers with malicious code; when that code is executed on another webmaster’s local computer, it steals her passwords and thus obtains the credentials it needs to infect yet more sites.

For more detailed information on this exploit see http://blog.unmaskparasites.com/200... and http://www.martinsecurity.net/2009/....

A trick I use to protect my own servers is the following: in the cron job I usually run every minute, I add this line:

for i in $(grep -E "(image|index).php" /var/log/xferlog | cut -d' ' -f10 | sort -u); do grep unescape $i 2>/dev/null; done | $twitter

$twitter is a script that sends me a twit.

In other words: whenever a file called index.php or image.php is uploaded by FTP (leaving a trace in /var/log/xferlog), it is checked for the string "unescape". If that string is present, I’ll get twitted within the minute.
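The one-liner above re-reads the whole xferlog every minute, so an infected file keeps being reported until the log is rotated, and cut -d' ' counts the extra space in a padded day-of-month ("May  6") as a field of its own. The script below is an added example, not the post's own cron line: it does the same check with awk (which splits on runs of whitespace), only considers incoming transfers, and remembers what it has already reported in a state file. It assumes a wu-ftpd/proftpd-style xferlog, with the filename in the 9th field and the direction flag ('i' for incoming) in the 12th; the log lines and files in demo are constructed for illustration, and $twitter is the post's own notification script.

```shell
#!/bin/sh
# Added example: flag freshly FTP-uploaded index.php / image.php files that
# contain the string "unescape", reporting each file only once.

# gumblar_check LOGFILE STATEFILE
#   Prints an ALERT line for every uploaded index.php/image.php that contains
#   "unescape" and has not been listed in STATEFILE before.
gumblar_check() {
    log="$1"; state="$2"
    touch "$state"
    # Assumed xferlog layout: $9 = filename, $12 = direction ('i' = incoming).
    # awk collapses runs of blanks, so "May  6" does not shift the fields.
    awk '$12 == "i" && $9 ~ /\/(index|image)\.php$/ { print $9 }' "$log" | sort -u |
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        grep -q -F 'unescape' "$f" 2>/dev/null || continue
        # Skip files already reported, so a cron run every minute alerts once.
        grep -q -x -F "$f" "$state" && continue
        printf '%s\n' "$f" >> "$state"
        printf 'ALERT: %s contains "unescape"\n' "$f"
    done
}

# demo: builds a constructed site tree and xferlog in a temp dir, runs the
# check twice and prints the first run's alerts plus the second run's count.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/site/admin"
    # constructed sample files: only site/index.php should be flagged
    printf '%s\n' '<?php /* constructed: infected */ ?>' \
        '<script>document.write(unescape("%3Cb%3E"))</script>' > "$d/site/index.php"
    printf '%s\n' '<?php /* constructed: clean */ echo "ok"; ?>' > "$d/site/image.php"
    printf '%s\n' '<?php /* constructed: name not watched */ ?>' \
        'unescape' > "$d/site/other.php"
    printf '%s\n' '<?php /* constructed: only downloaded, not uploaded */ ?>' \
        'unescape' > "$d/site/admin/index.php"
    # constructed xferlog lines (note the padded day in the last one)
    cat > "$d/xferlog" <<EOF
Wed May 20 12:34:56 2009 1 192.0.2.10 123 $d/site/index.php a _ i r alice ftp 0 * c
Wed May 20 12:35:01 2009 1 192.0.2.10 45 $d/site/image.php a _ i r alice ftp 0 * c
Wed May 20 12:35:07 2009 1 192.0.2.10 99 $d/site/other.php a _ i r alice ftp 0 * c
Wed May  6 08:00:00 2009 1 192.0.2.11 70 $d/site/admin/index.php a _ o r bob ftp 0 * c
EOF
    first=$(gumblar_check "$d/xferlog" "$d/state")
    second=$(gumblar_check "$d/xferlog" "$d/state")
    rm -rf "$d"
    printf '%s\n' "$first"
    printf 'second run alerts: %s\n' \
        "$(printf '%s\n' "$second" | awk '/^ALERT/ { n++ } END { print n + 0 }')"
}

# Real cron usage (state file path is an assumption):
#   gumblar_check /var/log/xferlog /var/tmp/gumblar.state | $twitter
[ "${1:-}" = "--demo" ] && demo
```

Running the script with --demo prints one ALERT for site/index.php and "second run alerts: 0": the clean image.php, the unwatched other.php and the merely downloaded admin/index.php are all ignored, and the second pass is silent because the state file already lists the flagged path.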

Let’s hope I won’t have to see it work!