The security firm ESET discovered the Mumblehard malware in April 2015, but there is evidence of the malware remaining under the radar for at least the past five years. ESET gave the malware the Mumblehard moniker because it “mutters spam from your servers,” according to the security research firm.
How Mumblehard Works and How to Prevent It from Starting
The Mumblehard malware exploits vulnerabilities in WordPress and Joomla to execute two components written in Perl. The first component is a backdoor that requests commands from the malware’s command and control server, and the second is a spammer daemon that can be launched via a command received by the backdoor.
In addition to exploiting vulnerabilities in WordPress and Joomla, the Mumblehard malware can also be installed through the distribution and installation of backdoored “pirated” versions of a Linux and BSD program called DirectMailer, which is a software tool used for sending out e-mails in bulk.
The Mumblehard malware backdoor is typically installed in the /tmp or /var/tmp directories, and ESET recommends mounting these directories with the noexec option to prevent the Mumblehard backdoor from being able to start. Those concerned with whether Mumblehard is already installed on a server should first look for unsolicited cronjob entries for all users on the server(s) suspected of being infected.