Watch Out For The Gumblar Botnet

November 6th, 2009
WordPress Security

According to the blog Unmask Parasites, there is a new version of the Gumblar botnet making the rounds on PHP based websites. Back in May of this year, this malicious botnet was responsible for infecting a large number of websites in a short period of time. This time around however, the Gumblar botnet has buggy code which is leading to a number of infected WordPress sites breaking.

WordPress is a complex web application that comprises more than 200 .php files. When you open any page, WordPress loads index.php which, in turn, loads many other .php files using the require() function. WordPress admin interface also relies on multiple .php files. In all cases, WordPress loads wp-config.php file which contains database credentials and other important information required for normal operation.

So what happens if both index.php and wp-config.php are infected with the gumblar backdoor scripts? Since Gumblar injects identical backdoor scripts into files on the same site, they’ll have declarations of identically named functions, which PHP doesn’t allow. Hence the “cannot redeclare zsmh() …” error.

One thing not mentioned in the Unmasked Parasites post is information regarding which specific versions of WordPress are at risk or are safe to use. I’ve left a comment on the blog post to try and get an answer but until then, Denis Sinegubko provides detection and removal instructions while also suggesting the use of the WordPress Exploit Scanner which scans for WordPress files for signs of suspicious activity.

Based on the reports of infection, this does not appear to be a WordPress centric issue pointing to a problem with the software.




  1. Denis (1 comments.) says:

    I copy my answer to Jeff’s question from my blog:
    They don’t specifically target WordPress. They infect any PHP driven websites.

    However, the PHP code they inject into existing files doesn’t take into account complex WordPress architecture, which leads to “redeclaration errors” and breaks compromised blogs.

    So any version of WordPress can be broken. Just like any other complex PHP sites (i.e. Joomla, Drupal, phpBB, etc.)

    In this attack, hackers use FTP credentials stolen from computers of webmaster, so WordPress itself is not to blame.

  2. Jason Diehl (1 comments.) says:

    I work technical support for a good sized hosting company, and stolen FTP credentials are the number one way that accounts are being broken into this year. The methods that malicious people are gaining FTP credentials seem to be two pronged.

    1) Website owners using easy to guess passwords. You can whine all you want about a hard password being hard to remember, but let me guess you are whining about your site getting attacked too. Passwords like “letmein” or dictionary words like “coyote” are a big hit for some reason.

    2) The next one is connecting to your website via FTP using a compromised computer. This one appears to be the most popular this year. Spyware, and malware on your computer monitors outgoing connections and snoops those passwords being sent in plain text. The fix for this one is easy, don’t use FTP use sFTP if possible. sFTP is encrypted, encrypted is good. If you don’t have sFTP available to you just make sure your computer is clean and safe.

    Hope this helps at least one person out there. Your websites are a target, and more than likely you are it’s weakest link, stay smart, stay safe.

  3. Gary Sims (2 comments.) says:

    Thanks for the heads up everyone… Gary

  4. bubazoo (213 comments.) says:

    For those who whine about having to remember stronger passwords,
    check out either Password Agent (by moon software) or Keepass password safe. Both of these programs keep an encrypted database of userid’s and passwords that you have for different sites.

    There’s also roboform, but don’t even mess with that, unless your brand new to the internet and never signed up for a site before, roboform won’t be of any use to you. besides, there are better alternatives, like those I mentioned above.

    Like a number of people have said to me over the years, keep all your userid and passwords DIFFERENT from one another. For instance, make sure your mysql database for WP userid/password is different from your WP admin userid and password, and your CPanel userid/password different then the other two. Even if you have 3-4+ different userid-passwords, just for wordpress, and more just for your website, the chances of your website being hacked into, are much slimmer. Keep the hackers on their toes, thats what I always say. lol


  1. […] Watch Out For The Gumblar Botnet – A note to my WordPress kinfolk … […]

Obviously Powered by WordPress. © 2003-2013

page counter