Security experts who have studied the recent Gumblar attack that infected thousand of computers and websites tells that the injection of a malicious java script files on websites were executed not only through SQL injection. The infection was reportedly formulate by accessing a web server files by using stolen FTP accounts gathered from an infected computer.

The propagation started when malicious scripts such as HTML_JSREDIR.AE and HTML_REDIR.AC infects a computer and drops a copy of TSPY_KATES.G. It will steal FTP username and password, monitors internet traffic and proceed with the website attack.

By obtaining FTP credentials, attackers can now have accessed similar to what website administators have and can perform necessary modifications on web pages by injecting a malicious java script in it.