This should help locate the files.
Upload it in the root folder and point your webbrowser to it, it will give you a list of all files infected, either "remove the malware code" or replace with original files.
for imgbbb code, you may will need to change the code in the file to search for bbb version instead.
And change your FTP passwords!! that's most likely how they got access to your hosting provider.
fixgumblar.php
Hi Ruilong !
Very nice script. Today I had to handly edit all effected index.php file. Now I use your script scanning my site and I found 2 strange file. clearance.php in root folder and goal.php in admin folder and
.//img/scenes/thumbs/index.php INFECTED!
.//mails/en/index.php INFECTED!
.//mails/es/index.php INFECTED!
.//mails/fr/index.php INFECTED!
.//modules/blockuseronline/index.php INFECTED!
.//fixgumblar.php INFECTED!
. Where and how "they" can edit and write to all index.php files, and maybe only index.php in first or second level in PS ?
My [spam-filter] ask me how our site got infected ?
In my ftp site, I found a folder ".log/name of mysite" in root folder with a hundred strange html. html2 html3, to html7 that I attach here, what are they and what for ?
Thank you.
267.05.2011
I removed the attchment beacause it link to my site !!!!
Gumblar virus/trojan/malware is usually a sign that they have access to your FTP.
so if you detect these changes on your server, CHANGE THE FTP PASSWORD!
Also, scan your local computer for any malware, as it's usually some kind of hack/infection on your local PC that picks up the passwords from your FTP software, like Filezilla for instance.
Atleast this is what I found out about this little bugger when googling on it.
The attack on your system is two steps,
1. They infect your index.php and index.html with the image file, this notifices the people behind this virus that they have access to your site.
2. They modify your .htaccess file, upload a bunch of crap that seems to be used for SEO boosting their own sites.
3. who knows..
Thank you for your reply.
I just changed ftp password but my google index is potential decrease
from 7200 to 2820 or sometime get 4000 something. How can I repair it ?
I asked about folder .log in root folder and admin folder contain with hundred strange files. Will I leave them or remove from my server ? What are they ?
Thank you.
Rakepl
how do I fix this?
Warning
: fread() [
function.fread
]: Length parameter must be greater than 0 in
/homepages/21/d3******/htdocs/file-name***/Store 1.5.3.0/prestashop/fixgumblar.php
on line
18
.//fixgumblar.php INFECTED!