dflow
Posted May 18, 2009

I searched the forum for gumblar, no results, so first I thought I'll alert those who haven't heard. This Trojan installs php redirects and js code, ruins image files.

Now a question for those who did hear: any quality removal tool you recommend?

MadTechie
Posted May 18, 2009

Use notepad++

STEPS:

1) If possible, turn off FTP and Web Services

2) In Notepad++, use Ctrl-Shift-F to open the Find in Files dialog.

3) Enter the path to your web site root in the “Look in” box. Uncheck the ‘Match whole word’ box. Check the ‘Use’ box and select ‘Wildcards’.

4) In the ‘Look at these filetypes’ box, enter: *.php; *.js, *.html

5) Perform the following searches. This is a good chance to review the results before switching to ‘Replace in Files’ mode and doing a ‘Replace All’.

SEARCH #1: <script language=javascript><!--*\n*\n*<body>
REPLACE WITH: <body>
Run this search several times, until no results are found (some files may have multiple occurrences, and it only removes them one at a time).

SEARCH #2: <?php if(!function_exists('tmp_lkojfghx')*tmp_lkojfghx2(); ?>
REPLACE WITH: nothing

SEARCH #3: <?php eval(base64_decode(*c7')); ?>
REPLACE WITH: nothing

SEARCH #4: <!--*\n*(function(*.replace(*\n*-->
REPLACE WITH: nothing

6) Once the searches are done, find any folders called ‘images’. They should each have an ‘images.php’ file, which should now be empty. Change permissions on these files so that no user can alter or modify them.

7) Change the passwords on any accounts used to access the server by FTP. It may also be a good idea to change other admin account passwords, just to be safe.

Turn FTP and Web services back on, and then periodically use the searches above to see if the infection returns.

EDIT: I got these steps from another site.. which I just closed (I'll find the link if needed). I have tweaked it a bit as it had some parse problems, and they said use VS but that's money, notepad++ is free.

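For the periodic re-check mentioned at the end of the steps above, a read-only scanner can report which files still match the four searches without changing anything. This is an added example, not part of the original post or the site it came from; the names `scan_text` and `scan_tree` and the reading of `*` as "any characters within one line" are assumptions.

```python
import re
from pathlib import Path

# Wildcard searches copied from the steps above. Assumed semantics:
# "*" = any run of characters within one line, "\n" = a line break.
SIGNATURES = {
    "search1": r"<script language=javascript><!--*\n*\n*<body>",
    "search2": "<?php if(!function_exists('tmp_lkojfghx')*tmp_lkojfghx2(); ?>",
    "search3": "<?php eval(base64_decode(*c7')); ?>",
    "search4": r"<!--*\n*(function(*.replace(*\n*-->",
}
EXTENSIONS = {".php", ".js", ".html"}  # file types named in step 4

def wildcard_to_regex(pattern):
    """Translate one wildcard search string into a compiled regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\n", i):      # two-character token: line break
            out.append(r"\r?\n")
            i += 2
        elif pattern[i] == "*":               # wildcard, kept on a single line
            out.append(r"[^\r\n]*?")
            i += 1
        else:                                 # everything else is literal
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

COMPILED = {name: wildcard_to_regex(p) for name, p in SIGNATURES.items()}

def scan_text(text):
    """Return the sorted names of the searches that match somewhere in text."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))

def scan_tree(root):
    """Read-only walk: map each matching file under root to the searches it hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

if __name__ == "__main__":
    # Constructed sample, not a real infected file.
    sample = "<?php eval(base64_decode('QUJDc7')); ?>\n<?php echo 'page'; ?>"
    print(scan_text(sample))                  # -> ['search3']
```

Run `scan_tree` against a copy of the web root and review each reported file by hand before doing any replace.
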
MadTechie
Posted May 18, 2009

Oh and the best option is to restore from backup. If you don't have a backup then HAHAHAHAHA.. I mean it's your own fault.

Sorry, that's my Evil side..