Abstract

Drive-by infections can strike any Windows user, but when the victim is a Web site admin, the results can be dramatic. In this case study, Andrew Brandt and Zachary Wolff from Webroot analyse the malicious activity that hits a small Web site from the moment an unknown third party obtains a stolen FTP password, through a massive infection of files on the Web server with the so-called Gumblar worm, until the Web site is cleaned up, and they provide practical advice on preventing the same thing from happening to you.

Early in the morning of January 8th, something very wrong was happening on Ryan Burghard's web server. Beginning at precisely 5:51am, and continuing for the better part of the next 14 hours, something or someone used Burghard's FTP credentials to connect to the web server and modify hundreds of HTML files, PHP scripts, and JavaScript files. By the time the process was complete, a 1131-byte block of highly obfuscated JavaScript code had been appended to 1675 files. But that was only the beginning of Burghard's problems.
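The pattern the abstract describes, one set of FTP credentials rewriting hundreds of files in a single window, with the same fixed-size block appended to each, is exactly what a simple file-integrity baseline catches. The script below is an added example written for this page; it is not code from the article, from Webroot, or from any Gumblar analysis. It hashes the watched files under a web root, compares a later scan against that baseline, tallies how many bytes each modified file grew by (a mass append shows up as one dominant growth value), and flags files whose content now ends in an inline `<script>` element. The web tree, the file names and the `PLACEHOLDER_BLOCK` string are all constructed for the demo; the placeholder is a harmless marker, not the real obfuscated block.

```python
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholder standing in for an appended block. It is NOT the
# Gumblar payload, only a marker so the demo has something to detect.
PLACEHOLDER_BLOCK = "<script>/* constructed placeholder: appended block */</script>"
WATCHED_SUFFIXES = {".html", ".htm", ".php", ".js"}
# An inline <script> element (no src= attribute) sitting at the very end of a file.
TRAILING_SCRIPT_RE = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>[^<]*</script>\s*$", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map relative POSIX path -> (sha256, size) for every watched file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (sha256_file(p), p.stat().st_size)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(root, baseline: dict) -> dict:
    """Compare the current tree against a saved baseline and summarise the changes."""
    root = Path(root)
    current = build_baseline(root)
    modified = sorted(rel for rel, v in current.items()
                      if rel in baseline and baseline[rel] != v)
    added = sorted(rel for rel in current if rel not in baseline)
    # Byte growth per modified file; a mass append shows up as one dominant delta.
    growth = Counter(current[rel][1] - baseline[rel][1] for rel in modified)
    # Files whose new content ends in an inline <script> block.
    trailing_script = []
    for rel in modified + added:
        text = (root / rel).read_text(encoding="utf-8", errors="replace")
        if TRAILING_SCRIPT_RE.search(text):
            trailing_script.append(rel)
    return {
        "modified": modified,
        "added": added,
        "growth": growth,
        "trailing_script": sorted(trailing_script),
    }


def demo() -> dict:
    """Build a small constructed web root, baseline it, append the placeholder
    block to three files, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        files = {
            "index.html": b"<html><body>home</body></html>\n",
            "about.html": b"<html><body>about</body></html>\n",
            "inc/footer.php": b"<?php echo 'footer'; ?>\n",
            "inc/app.js": b"function f(){return 1;}\n",
            "logo.png": b"not-a-real-png",  # unwatched suffix, ignored
        }
        for rel, content in files.items():
            (root / rel).write_bytes(content)
        baseline = build_baseline(root)
        # Simulate the mass append on the two HTML files and the PHP include.
        for rel in ("index.html", "about.html", "inc/footer.php"):
            with (root / rel).open("ab") as f:
                f.write(PLACEHOLDER_BLOCK.encode("utf-8") + b"\n")
        return compare(root, baseline)


if __name__ == "__main__":
    report = demo()
    print(f"{len(report['modified'])} modified, {len(report['added'])} added")
    print("growth in bytes per modified file:", dict(report["growth"]))
    print("files ending in an inline <script> block:", report["trailing_script"])
```

In practice the baseline would be written out (and stored off the web server, since whoever holds the FTP credentials can rewrite it too) and the comparison run on a schedule; a single growth value repeated across hundreds of files within a few hours is the signal to rotate the FTP credentials and restore from known-good copies rather than cleaning file by file.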

Full Text
Published version (Free)
