If you have received an abuse alert from YBOX Patrol about infected files or websites in your account, if you have identified a malware problem on your website, or if your website is up and running but is blocked in browsers such as Firefox or Chrome, or Google warns that your site may be harmful to visit, read this article carefully.
What could be the problem?
This is usually due to one of two things:
1. Malicious file upload: malicious scripts, programs, executables or other files have been uploaded to your website and can be used to deface your website, the other websites in your reseller account, or other sites on the server.
2. Gumblar-style code injection: the pages, scripts, stylesheets or database of your website have been modified to serve malware to visitors or to redirect them to a malicious website.
MALICIOUS FILE UPLOAD:
In this type of attack, malicious shell scripts, rogue programs, domain-level exploits and backdoor scripts are uploaded to your website. These scripts are then used to deface your website or the other sites in your account.
How do you get attacked?
If you are using an open source CMS such as Joomla or WordPress, make sure that you are running the latest version and that no folder in the installation has 777 (world-writable) permissions. Outdated CMS versions, vulnerable PHP scripts and world-writable folders are the usual ways the malicious files get injected into your website.
If your desktop is infected, an attacker can capture your FTP login and upload the malicious files. If your cPanel login details are weak or simple, they can be guessed by a brute-force attack, and the recovered login is then used to upload the malicious files.
GUMBLAR ATTACK:
In a Gumblar attack, your website content (pages, JavaScript, CSS and sometimes the database itself) is injected with malicious code, with a redirect to a malicious website, or with runs of junk (obfuscated) characters. Because of these injections, visitors to your website either download malware onto their own systems or are redirected to websites where such malware is hosted.
How do you get attacked?
Gumblar infections start with malware on your own system or local LAN. Once you are infected, the malware keeps sending the login details of your cPanel, Plesk and FTP accounts to the remote attacker, who then uses them to inject malicious code into your web pages. Malicious code can also be injected through SQL injection, or through files and folders that have full write permissions.
As with malicious file uploads, an outdated open source CMS (Joomla, WordPress, etc.) or a folder with 777 permissions gives the attacker another way in, so keep the CMS at its latest version and keep the permissions tight.
SECURING YOUR WEBSITE
If my website has been attacked or infected, how do I secure it?
Once your website has been infected with malicious code, there is no point in using the same files again. Here are the steps you should take if your website has been infected:
IMPORTANT: Before starting the steps below, make sure that your own computer is clean, either with a fresh OS installation or with up-to-date antivirus and a firewall. The whole problem usually starts from an infected desktop or local LAN, and an infected machine would simply send the new passwords to the attacker again. Hence a fresh OS installation with firewall and antivirus is recommended.
If you are a reseller:
- If one of the customer domains in your account is infected, first back up the account's content: email, website files, databases, etc.
- Terminate the account.
- Re-create the account with a different username and a strong password (something like m*#&hgJK*93SG: long, mixed case, with digits and symbols).
- Do not upload the infected content again. If you have a clean backup taken before the infection, restore from that rather than from the files you have just downloaded.
- If you have no clean backup, re-upload the downloaded files only after you have identified and removed the injected code and thoroughly checked every page for any further infection.
- If you are using an open source CMS such as Joomla or WordPress, make sure that you are running the latest stable version of the software.
- Do not give any folder or file permissions higher than 755 on the server (755 for folders and 644 for files is the norm).
- Reset the password of your reseller account and of all the accounts under your control, for safety.
- Always use https:// when you access the control panel, webmail, etc., so that the new passwords are not sent in clear text.
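Two of the checks above come up repeatedly: no folder or file more permissive than 755, and identifying injected code before re-uploading anything. The shell script below is an added example of how to run both checks over a web root and tighten the permissions; it is not from the original article. The WEBROOT path and the sample files it creates are constructed for illustration, and the grep patterns are a triage list of common injection markers, not a complete signature set.

```shell
#!/bin/sh
# Added example (not from the original article): audit a web root for folders
# and files writable by group or others (anything looser than 755/644) and for
# files carrying common injected-code markers, then tighten the permissions.
# WEBROOT and the sample files below are constructed for illustration; point
# WEBROOT at your real public_html to audit a live site.
set -eu

# Print every directory or regular file that group or others may write to.
# -perm /022 matches if the group-write or other-write bit is set, so 777, 775,
# 666 and 664 show up while 755 and 644 do not. Symlinks are skipped.
find_loose_perms() {
    find "$1" \( -type d -o -type f \) -perm /022
}

# Reset to the conventional safe modes: 755 on directories, 644 on files.
# On shared hosting PHP runs as the account user, so nothing needs 777.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# List text files containing markers typical of injected code: PHP eval() fed
# by an encoder, and the hidden-iframe / document.write(unescape()) redirects
# that Gumblar-style infections append to pages and scripts.
# Triage only: review each hit by hand before deleting anything.
scan_injected() {
    grep -rlIE \
        -e 'eval\((base64_decode|gzinflate|str_rot13)\(' \
        -e '<iframe[^>]*(display: ?none|visibility: ?hidden|width="?0|height="?0)' \
        -e 'document\.write\(unescape\(' \
        "$1" || true   # grep exits 1 when nothing matches; not an error here
}

# Build a throwaway web root with constructed sample content: a clean page,
# a world-writable folder, a world-writable file with an eval() payload
# (the base64 decodes to a harmless "echo 1;"), and a redirect injection.
make_sample_root() {
    root=$(mktemp -d)
    mkdir "$root/images" "$root/cache" "$root/js"
    chmod 755 "$root" "$root/cache" "$root/js"
    chmod 777 "$root/images"                                # the classic mistake
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$root/cache/sess.php"
    printf 'document.write(unescape("%%3Ciframe src=%%22http://example.invalid/%%22%%3E"));\n' > "$root/js/main.js"
    chmod 644 "$root/index.php" "$root/js/main.js"
    chmod 666 "$root/cache/sess.php"
    printf '%s\n' "$root"
}

# Demo run: report, tighten, report again, clean up.
WEBROOT=$(make_sample_root)
echo "== loose permissions under $WEBROOT"; find_loose_perms "$WEBROOT"
echo "== files with injection markers";      scan_injected "$WEBROOT"
fix_perms "$WEBROOT"
echo "== loose permissions after fix_perms"; find_loose_perms "$WEBROOT"
rm -rf "$WEBROOT"
```

On a real account, run find_loose_perms and scan_injected first and read the output before calling fix_perms; the scan only tells you which files to look at, and a clean file can also match (for example a legitimately minified script), so the decision to delete or restore a file is still yours.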