Gumblar Attacks - What are you doing if you are a host?

Have you had any issues with the Gumblar “attacks”?

Here is an article about the Gumblar attack that is affecting Linux servers, specifically FTP, in spreading this virus/worm.

Here is what one host is sending out to all their Linux customers:

On Monday, we alerted you about hosting packages on our Linux Hosting environment being affected by Gumblar attacks. Over the past few days, we have been investigating these attacks, and working on methods to mitigate damage caused by them; this mail contains our findings and recommendations.

  • Through our investigations, it was confirmed that the infection was not due to any server vulnerability. We enforce stringent security measures to safeguard your data.
  • The attack is perpetrated through stolen FTP login credentials. It transmits FTP information to an IP address from an infected machine.
  • This FTP information is then used to log on to the web server and infect the hosted website.
  • The attack is not limited to ResellerClub's hosting services - so far, thousands of websites across a large number of hosting providers have been infected through this attack.
Given the nature and scope of this attack, it is important that proper security measures be taken at all levels to prevent it. We would like to suggest a few steps that would reduce the vulnerability of your computer and remove existing threats.
  • We recommend you install an antivirus program with the latest updates and ensure removal of any malware, trojans or key loggers on any machine that you use to manage your website's content via FTP.
  • Several free antivirus software like AVG, AntiVir, Malwarebytes are available for this purpose. Regular virus scans will minimize such threats to a great extent.
  • Once you are confident that you have a clean machine then you should change all FTP passwords.
Here's a summary of steps we have taken so far, and what we need you to do -
  • All websites that were determined to be infected have now been cleared.
  • If you find any discrepancy with the content of your website, please inform our support team immediately.
  • We have reset the passwords for all FTP users across all Linux Hosting Packages.
    • You need to login to your control panel and set new passwords for all FTP users.
    • It is advisable that you set complex passwords and regularly update them for added security.
    • This knowledge base article contains instructions on how to reset your FTP passwords
  • We also recommend that you avoid storing the new FTP passwords directly on the FTP clients. Variants of this virus have the potential to grab stored passwords on the FTP clients.
  • As intimated in our earlier post, we now support FTP access via SFTP only. SFTP or Secure FTP will encrypt both commands and data, preventing passwords and sensitive information from being sniffed over the network.
    • This KnowledgeBase article contains more information about SFTP as well as a list of common SFTP clients -
  • We have also enabled net2FTP connections for all packages, so you may use the File Manager within your control panel to manage your content.
    • This knowledge base article contains a guide to net2FTP -
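
For hosts answering the question in the title: the notice above says stolen FTP credentials are used to log on and infect the hosted website, which on the server side shows up as uploads of web files from an address the account has never used. The following is an added example, not part of the host's notice or the original post; it assumes the FTP daemon writes the standard xferlog format, and the function names, extension list and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records in the standard xferlog layout (not real data).
SAMPLE_XFERLOG = """\
Mon May 11 09:12:01 2009 1 198.51.100.7 4096 /home/alice/public_html/about.html a _ i r alice ftp 0 * c
Tue May 12 09:30:44 2009 1 198.51.100.7 5120 /home/alice/public_html/index.php a _ i r alice ftp 0 * c
Thu May 14 03:02:10 2009 1 203.0.113.66 5391 /home/alice/public_html/index.php a _ i r alice ftp 0 * c
Thu May 14 03:02:11 2009 1 203.0.113.66 9120 /home/alice/public_html/js/menu.js a _ i r alice ftp 0 * c
Thu May 14 03:02:12 2009 1 203.0.113.66 2048 /home/alice/public_html/logo.png b _ i r alice ftp 0 * c
Thu May 14 11:45:00 2009 2 192.0.2.20 7000 /home/bob/public_html/index.html a _ o r bob ftp 0 * c
"""

WEB_EXTENSIONS = (".php", ".html", ".htm", ".js")  # assumed set of served file types


def parse_xferlog_line(line):
    """Return the fields we need from one xferlog record, or None if malformed."""
    parts = line.split()
    if len(parts) < 18:  # 5 date tokens + 3 fields + filename + 9 trailing fields
        return None
    tail = parts[-9:]  # fixed-width tail, so filenames containing spaces still parse
    return {
        "ip": parts[6],
        "filename": " ".join(parts[8:-9]),
        "direction": tail[2],  # i = upload, o = download, d = delete
        "user": tail[4],
        "status": tail[8],     # c = complete, i = incomplete
    }


def flag_new_source_uploads(log_text, known_ips=None):
    """List (user, ip, filename) for web-file uploads from an IP new to that account."""
    known = defaultdict(set)
    for user, ips in (known_ips or {}).items():
        known[user].update(ips)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["status"] != "c":
            continue
        user, ip = rec["user"], rec["ip"]
        if not known[user]:
            known[user].add(ip)  # no baseline yet: learn the first address seen
        elif ip not in known[user] and rec["direction"] == "i" \
                and rec["filename"].lower().endswith(WEB_EXTENSIONS):
            alerts.append((user, ip, rec["filename"]))  # flagged IPs are never learned
    return alerts


if __name__ == "__main__":
    for user, ip, path in flag_new_source_uploads(SAMPLE_XFERLOG):
        print(f"review: {user} uploaded {path} from unfamiliar address {ip}")
```

Because the first address seen for an account is trusted, seed `known_ips` from logs that predate the incident rather than letting the script learn its baseline from the period under review.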