Most of the gumblar/martuz infections, are done by sniffing the computer that usually connects to it, for FTP etc passwords (which also means you'll need to check your machine), for details, please refer to;
http://www.malwaredomainlist.com/forums/index.php?topic=2892.msg9833#msg9833http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/One of the samples we've seen, have shown it to create both a _.exe and e.bat file (amongst other things) in the root of the infected machine (usually C:\), so it will be worth checking your machine for signs of this infection. For details, please see;
http://www.threatexpert.com/report.aspx?md5=2131112053ed144c46277b9024bcf39fAs far as prevention of this happening again, there are a couple of things you can do;
1. Change your FTP password (I know you've done that already, but I suggest doing it frequently (at least weekly))
2. DO NOT use regular FTP as passwords are sent in plain text - use sFTP (Secure FTP) instead if your host allows it
3. Backup your site frequently - this way, if it does happen again, you can just delete the current files, and restore the backup (again, the backup should be stored in a secure location)
4. Keep your computer up to date (e.g. install Windows patches and such) - not guaranteed to prevent it, but will help
5. Install a firewall on your local computer (this will also help prevent infections sending out your data - again not a guarantee, but will help)
Finally, and most importantly - keep WordPress (and any plugins you have installed) up to date - this will help prevent infections occuring via SQL injection etc.
Again however, none of the above will guarantee to prevent this occuring again - there are no guarantees when it comes to this type of thing unfortunately.
As for how I became knowledgeable, I'm self taught
(you'll usually find this is the same for the vast majority of people)
Topic: [SPLIT] garethplu (Read 38978 times)
