Gumblar.cn exploit is usually injected right before the tag and when the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.
Incidentally, 95% of the sites infected by this exploit uses PHP (bangaloretelecom too).
Update: 1. The payload sits silently and then sends a payload containing a PDF, and several other mime-types which could launch a windows application with a security hole and then look for stored passwords and other sensitive information. I am not aware whether it compromises data on the server as well.
2. Also, if you reload the same page, you may not see the script the second time (probably it does something through the PHP session)
No comments:
Post a Comment