Thursday, November 5, 2009

Gumblar Crashes WordPress and Joomla Websites

An untested version of Gumblar rains chaos on PHP CMS-driven sites

Independent security researcher Denis Sinegubko has recently stumbled upon a new version of the Gumblar Web botnet that has quite a craving for PHP CMS-driven websites. Mr. Sinegubko has discovered that this latest version (the “untested version,” as he refers to it) has so far affected more than 300,000 PHP websites, of which about 65,000 run the WordPress blogging platform and 38,000 run the Joomla! CMS.

In his opinion, Gumblar's authors may have unintentionally leaked an untested version onto the Web. This latest threat seems to favor injecting code into complex, structured PHP sites (commonly referred to as CMSs) such as WordPress, Joomla, Drupal, phpBB, vBulletin, Zen Cart, Magento, etc.

The attack works when the botnet manages to acquire FTP credentials to a website. After securing backdoor access to the victim's website, the botnet opens the host's PHP files and adds a line of code to the beginning of each file. That line is a PHP declaration containing a Base64-encoded function that executes other PHP and JavaScript code, which then tries to inject more code into other files.
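
For site owners checking their own files, the following is an added example (not code from the original post or from Softpedia) that flags PHP files whose first line carries a long Base64 blob and groups files sharing the same first line. It assumes the injected line decodes its blob with PHP's base64_decode(); the function names and sample files are hypothetical and constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# Assumption: the injected line decodes its blob with PHP's base64_decode().
B64_CALL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]")

# Constructed samples (harmless placeholder payload, not the real Gumblar line).
PAYLOAD = b"/* constructed placeholder payload for the scanner demo */"
INFECTED = (b"<?php eval(base64_decode('" + base64.b64encode(PAYLOAD)
            + b"')); ?>\n<?php\necho 'original page';\n")
CLEAN = b"<?php\n// legitimate use deeper in the file\n$i = base64_decode('aGVsbG8=');\n"


def first_code_line(data: bytes) -> bytes:
    """Return the first non-blank line, where the page says the code is added."""
    for line in data.splitlines():
        if line.strip():
            return line.strip()
    return b""


def inspect_php(data: bytes):
    """Return a preview of the decoded blob if the first line carries one, else None."""
    match = B64_CALL.search(first_code_line(data))
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True)[:80]
    except (binascii.Error, ValueError):
        return None  # looked like Base64 but did not decode cleanly


def scan_tree(root):
    """Group flagged files by identical first line; one line in many files is the signal."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        if path.is_file():
            data = path.read_bytes()
            if inspect_php(data) is not None:
                hits.setdefault(first_code_line(data), []).append(str(path))
    return hits


if __name__ == "__main__":
    print("infected:", inspect_php(INFECTED))
    print("clean:   ", inspect_php(CLEAN))
```

A single first line shared by many files under one web root is the pattern to look for; the decoded preview lets an administrator review what the blob contains without executing it.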

Source: Softpedia

See also: Gumblar Breaks WordPress blogs and other complex PHP sites
