The Gumblar worm is spreading like wildfire among websites. Using stolen passwords, it infects many files on web servers with malicious code that, when executed on another webmaster’s local computer, steals her passwords and thus obtains the information it needs to infect more sites.
A trick I use to protect my own servers is the following: in the run-every-minute cron job I usually have, I add the following line:
for i in $(grep -E "(image|index)\.php" /var/log/xferlog | cut -d' ' -f10 | sort -u); do grep unescape "$i" 2>/dev/null; done | $twitter
In other words: whenever a file called image.php or index.php is uploaded by FTP (leaving a trace in /var/log/xferlog), it will be checked for the string "unescape". If that string is present I’ll get tweeted within the minute.
Let’s hope I won’t have to see it work!
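The same check as a reusable function, added here as an example and not part of the original cron job. It splits the log on runs of whitespace with awk, since cut -d' ' counts every single space and the padded day in the timestamp can shift the field numbers, and it only looks at incoming transfers. It assumes the standard xferlog layout (file name in field 9, direction in field 12); scan_uploads, demo and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's script). Assumes standard xferlog layout:
# whitespace-separated, field 9 = file name, field 12 = direction (i = upload).

# scan_uploads LOG [ROOT]: print uploaded image.php/index.php files containing
# "unescape". ROOT is an optional prefix for logged paths (chroot, tests).
scan_uploads() {
    awk '$12 == "i" && $9 ~ /(^|\/)(image|index)\.php$/ { print $9 }' "$1" |
    sort -u |
    while IFS= read -r f; do
        # -q: no output, -s: stay silent if the file has since been removed
        if grep -qs -- 'unescape' "${2:-}$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# demo: builds a scratch tree with constructed files and log lines, scans it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/a" "$d/www/b"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/www/a/index.php"
    printf '%s\n' '<script>document.write(unescape("%3C"))</script>' > "$d/www/b/image.php"
    printf '%s\n' 'var s = unescape("x");' > "$d/www/b/other.js"
    cat > "$d/xferlog" <<'EOF'
Mon May  4 10:01:02 2009 1 192.0.2.10 120 /www/a/index.php a _ i r alice ftp 0 * c
Tue May 12 11:15:40 2009 1 192.0.2.10 310 /www/b/image.php a _ i r alice ftp 0 * c
Tue May 12 11:15:41 2009 1 192.0.2.10 310 /www/b/image.php a _ i r alice ftp 0 * c
Tue May 12 11:16:02 2009 1 192.0.2.10 88 /www/b/other.js a _ i r alice ftp 0 * c
Tue May 12 11:20:00 2009 1 192.0.2.11 310 /www/b/index.php a _ o r bob ftp 0 * c
EOF
    scan_uploads "$d/xferlog" "$d"
    rm -rf "$d"
}

demo
```

Unlike the one-liner, this prints the path of each suspicious file rather than the matching line, so the alert says which upload to inspect; its output can be piped to the same notifier.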