Several of my clients' sites got hacked by the gumblar.cn script.



Please clean up the servers using Anti virus software.

Thanks

Someone got into my sites on Bluehost. I told them about it 2 weeks ago. One possible entry was Word Press. I deleted my Word Press blog.

Another entry may be with the wrong permissions set on files and folders - so that was changed.

Then I found out ftp anonmymous (spelled wrong) is CHECKED to let anyone log into your account that way - so I unchecked that.

Had to go through all index.php or index.html or index.htm files as all those were hacked with code routing people elsewhere. Deleted a week ago and it came back!

Went back today and deleted again. Also found another file that they use to infect - the images folder images/image.php -- so I went and deleted all of those.

This virus also infects .js files, html and php files. Very scary.

They can also come in through 3rd party FTP programs after they have infected your computer - so you are not supposed to store your passwords in these now.

I have a Mac with no infection so I believe it may have come from my programmers computer which is a PC. He is now checking all the files, running a scan on his computer, not using a 3rd party FTP program on my site anymore. I have also changed my password.

If all this doesn't get rid of it, I have no idea what else to do!

Here is an article abou the infection and what to do:
http://www.bleuken.com/2009/05/06/removal-and-prevention-of-gumblarcn-infection/

Patrice


I have a Mac an

Telling BlueHost about it isn't going to solve anything since it is YOUR problem and not theirs.

There are only two ways that an account can get infected.
1. You are running an insecure script on your account that is used to break into your account.
2. Your computer is infected and they have got into your account through your own computer.

In both cases it is a matter of your own failure to properly secure those things which are your responsibility.

Very few accounts on BlueHost ever have these problems because BlueHost make sure that each account is kept well isolated so that those people who are not careful enough to keep their own account safe do NOT affect those of use who do.