Softflare Limited - hosting, domains, design, programming and all associated Internet Services Home Gootkit prevention
Softflare Limited - hosting, domains, design, programming and all associated Internet Services  
Web design, website hosting, domains names, search engine optimisation and much much more
Search the website:
About Us
Our Services
Our Products
Terms & Conditions
Make a payment
Softflare Gift Vouchers!
Site Map
Contact Us

Latest News

Gootkit prevention
SiteFlare v4.3 released
Spammers using images
SiteFlare Prices Slashed!
Google cheat sheet
WindowsXP is dead!

Member of nominet

Member of nominet


Protecting yourself against Gootkit

Recently, we noticed our network losing connectivity / paging down etc.  After rebooting the core switch we noted the traffic coming from one particular server, and we believed there was a "bot" on the server causing perl instances to run and flooding traffic onto the net. We've noticed the scripts in multiple domains and acted according to our security policies. It appears our servers (along with hundreds of other across the world) have been targeted by systematic a DoS (Denial of Service) attack called Gootkit which is, essentially, a trojan horse. The Gootkit connects to Web servers using stolen FTP/MySql credentials, and if successful, modifies any HTML and PHP files with extra code. The Gootkit host searches thousands of PCs to look for server passwords, mail passwords, unencrypted FTP and MySql passwords which it then uses to compromise the target server. Some of the websites on that server are then used, by injecting arbitrary JavaScript code into website pages, to infect site visitors' computers and to attack targeted organisations.

What this means is that Gootkit can strike you in a couple of different ways, either by infecting your PC or attacking your website. The mitigations for both attacks are quite different but I want to talk to you about protecting your users' PCs against Gootkit:

  • Donít install Ė or even run Ė anything from an untrusted source. This includes directly off websites, files received by email and especially USB sticks you find lying around in the car park!
  • If files or links are sent from a trustworthy source but appear out of character, validate their authenticity with the sender before doing anything with them. If it's unusual, you probably want to approach it with caution.
  • Always run a virus checker and always keep the definitions up to date. You can do this for free on Windows with Microsoft Security Essentials or Avast! or AVG, or you can pay for the likes of McAfee, Norton, Kaspersky, etc.
  • Use a firewall. This may consist of features built into the tools above, the native Windows Firewall, the firewall features of your router, or a combination of each. The point is that you donít want traffic coming in or going out over any old port or protocol.
  • Backup, Backup, Backup! Do them frequently and preferably do them offsite with a service that can also version the files so you can roll back if your valuable docs get corrupted. We recommend using the offsite storage solution provided by AAHPC. Please read our policy here regarding your responsibilities towards your data held on our servers.

Protecting your website against Gootkit. This should (hopefully) go without saying, but weak passwords and / or poor storage mechanisms for them leaves you very vulnerable. If your PC does become infected itís not going to be a hard task to locate plain text passwords on the file system and have them extracted and sent off to the botnet controller.

Use a good password manager and ensure your passwords aren't memorable. But of course this isn't fool proof Ė key loggers combined with the ability to retrieve the keychain can upset the applecart very quickly but itís a lot better than storing them in a Word doc or Outlook notes.

This last point should also go without saying, but clearly the very first thing you want to do if your website is compromised is change any passwords related to the site as an absolute matter of priority. Donít even bother to start fixing things if that door is still open. We have changed the passwords to all of the website FTP accounts known to have been compromised and to some that we suspect may have been.

We recommend you check your FTP accounts and if you find you no longer have access, contact us below for your new password, including a mobile phone number which we can use to SMS you the new password. Please note, we will not email you the new password.

We all have our part to play in securing our data against Internet attacks. Please take the matter of security seriously to ensure that the next account to be hacked isn't yours.

Anti-Spam code:
AntiSpam codeRefresh the AntiSpam codeCaptcha by Cryptographp
Copy the code:


      © Copyright 1996 - 2018, Softflare Limited
SiteFlare - the Web Site Builder by Softflare Limited.