WordPress.org

Forums

Blackhole Exploit Kit: How to remove it? (33 posts)

  1. Borbotron
    Member
    Posted 3 years ago #

    Hello,

I have several WP websites reported as infected in the Opera browser (the only one that detects it). Tested with several online detection tools, the sites appear to be "clean", except for AVG Online Virus Scanner, which reports these sites as infected with Blackhole Exploit Kit and Link To Exploit Site.

    I did a thorough search, but I couldn't find any 'official' information on how to remove this infection from WP, only a few users blogging about it, but without any real solutions.

    Is there any proven solution or consensus on what to do with this type of infection?

    Thanks

  2. Patrick Nommensen
    Member
    Posted 3 years ago #

    Have you contacted/informed your web host? Often times they will be able to help significantly.

  3. Borbotron
    Member
    Posted 3 years ago #

Yes, I've tried, they say it's not an issue with the server but with the script (WordPress). I think I found the malicious code, pasting it here in case someone else has the same problem.

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

I will now try to find in which file this code is generated. If someone else cares to take a look, here's one site.

  4. Borbotron
    Member
    Posted 3 years ago #

    Ok, I found the source of that code, it was generated by:

    /wp-includes/js/comment-reply.js

Replacing that file, the code doesn't appear anymore, but I still don't know if the site is clean, as the only tool that detects the problem is AVG Online Scanner, but it's not an actual scan of the site, it gathers information from users' antivirus. I'll try downloading and installing AVG, and post it here when I come to a conclusion.

  5. Patrick Nommensen
    Member
    Posted 3 years ago #

    I just accessed the page before you posted it and got the warning - now I don't anymore so what you did may have fixed it. I'll check again later and let you know. Some of your pages are broken by the way, like this one for example.

  6. Borbotron
    Member
    Posted 3 years ago #

    That's great news, what software was giving you the warning? For now the only one that detected it was the AVG Online Scanner. I'll check the broken structure, maybe it has something to do with the infection, thanks.

  7. If replacing /wp-includes/js/comment-reply.js fixes it, then the odds are your FTP/SSH account has been compromised. Change your passwords for that and verify that your PC isn't infected.

  8. Borbotron
    Member
    Posted 3 years ago #

    @Ipstenu: I did, I had a TDSS infection, removed it with help from UNITE, and changed passwords already.

What I don't know is if I got infected from the sites or vice versa. I started suspecting my system after discovering malware in one of the sites. Problem is, I haven't found yet any online tool or virus scanner that detects this exploit, apart from the warnings in Opera and AVG Online scanner, which don't provide much information. I downloaded and installed AVG but it doesn't react to the infected sites like the Online version.

@Patrick Nommensen: When you come back, could you please let me know what tool it was that gave you the warning? I'll use it to check the sites, thanks.

Here's another site AVG Online Virus Scanner reports as having the same issue (blackhole exploit kit), although this one doesn't show the code the other one did, so I'm still looking for the problem. If anyone has any other clue, please let me know, thanks.

  9. ClaytonJames
    Member
    Posted 3 years ago #

    @computacion

This may seem slightly off topic, but might prove relevant. I had a bit of an issue with tdss on two machines I recently serviced; in both events, it placed a "TDLFS file system" in the boot record. Slipped right by detection by both antivirus tools on both machines. This tool did a fantastic job of detecting and removing it permanently, and it can be run right from the desktop. http://support.kaspersky.com/faq/?qid=208280684 Be sure to view/change the tool's settings, and set it to scan for the TDLFS file system before running, if you decide to recheck your pc for remaining signs of infection.

The real reason I mention this is that in both cases of tdss infection, the hosts files on both machines were altered to include redirects to fake Google and fake Bing sites. Two consecutive numeric IP addresses, set to resolve your machine to fake sites every time you used Google or Bing. I don't know if this is symptomatic of tdss, or the result of secondary payloads, but it's certainly worth investigating. Just something else to check in order to make sure your local machine really is rid of the rootkit components.
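A check for the hosts-file symptom described in the post above (search-engine domains pinned to a non-local address), written as an added example for this thread rather than code from any poster. The hosts content is constructed for the demo; the IPs are documentation-range placeholders.

```python
"""Flag hosts-file entries that redirect public search domains to a
non-local IP (the TDSS symptom described above). Added example; the
SAMPLE_HOSTS text is constructed and not from a real infection."""
import ipaddress

# Domains that have no legitimate reason to be pinned in a local hosts file.
WATCHED_SUFFIXES = ("google.com", "bing.com")


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs where a watched domain maps to a
    routable address. Loopback/unspecified entries (127.0.0.1, 0.0.0.0)
    are ad-blocking style entries, not redirects, so they are skipped."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                              # malformed line; not our concern
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            host = name.lower()
            if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
                hits.append((ip_str, host))
    return hits


# Constructed sample hosts file (assumption: typical Windows layout).
SAMPLE_HOSTS = """# constructed sample, not a real infection
127.0.0.1      localhost
0.0.0.0        ads.example.net
198.51.100.10  www.google.com google.com
198.51.100.11  www.bing.com
"""

if __name__ == "__main__":
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"suspicious: {host} -> {ip}")
```

On a live machine, read `C:\Windows\System32\drivers\etc\hosts` into `hosts_text` instead of the sample.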

  10. mmtrav
    Member
    Posted 3 years ago #

    Hi guys,

    I had the same report from AVG on a site but was not showing anything in the above named JS file.

    /wp-includes/js/comment-reply.js

    So that makes me think that this blackhole exploit kit has a few different forms, to which AVG is reporting everything as 'blackhole exploit kit'.

    My threat was removed when I cleaned suspicious code in my .htaccess file.

    This post has more information on it, and my unique situation: http://www.computerpartsgreenvillesc.com/secrets-of-the-blackhole-exploit-kit-revealed/

  11. Borbotron
    Member
    Posted 3 years ago #

    @ClaytonJames
I tried TDSS killer without success, only ComboFix found the TDSS infection. My hosts file didn't seem to be altered, but this malware seems to have so many ways of hiding itself, it's really worrying.

I'm not sure if my infection came from my sites or vice versa. Is there a documented relation between Blackhole Exploit Kit and TDSS?

    @mikeyleung
Yes, I saw that thread (only a handful useful on the subject); in my case .htaccess was clean, glad it worked for you.

    Meanwhile, I still couldn't find a tool (online or offline) to diagnose the infected sites, and even when they all show the same infection, the code is hiding in different places in each blog. It seems the exploit has many mutations OR AVG is reporting different exploits as the same one.

It'd be extremely important to get a diagnostic tool, as AVG Online Scanner relies on historical user reports, so its diagnostics won't change for at least a few days after disinfection.

    What seems to be working for me right now (although I'm not sure as I still don't have a diagnostic tool) is to upgrade or re-install WP, plugins and themes.

  12. A problem is that most of these kits aim at Windows users (i.e. they only infect Windows users) so unix and mac users don't see anything, nor can they easily scan.

    Best thing to do would be to delete all the WP files and re-upload from source.

Sometimes that's easier to do if you put a new version of WP in a subfolder, install everything there and then point that install to your normal database. You can run WP out of a subfolder from then on, unless it's Multisite, where you have a bigger headache.

  13. ClaytonJames
    Member
    Posted 3 years ago #

    @computacion

    Is there a documented relation between BlackholeExploit Kit and TDSS?

I have not seen anything that would make me believe the two were directly connected in any way. I just wanted you to be aware that TDSS has a hidden 'rootkit' component to it that could sometimes evade detection on your local Windows machine. Sounds like you have it under control.

  14. mmtrav
    Member
    Posted 3 years ago #

    @computacion

    I have a few more elements to my story. After fixing my initial .htaccess files I contacted avg on avgthreatlabs@avg.com asking to be whitelisted. They replied that I was still showing malware reports on certain pages of the site and provided me with a CSV file with all the incidents of malware occurrence.

So, eventually bit the bullet and hired sucuri.net to clean my site for US$90 as it's a client site and their users are reporting issues -- bad situation to be in!

    Surprisingly, Sucuri discovered malware hidden in another half dozen files throughout the site, and among files that weren't new to the WordPress installation but modified by a hack exploit.

    Here's the report they gave me:

    The following files were compromised and fixed:
    OK: Hardened upload directory (./wp-content/uploads)
    Found suspicious signature on file: ./wp-content/uploads/2010/11/log.php (CLEARED)
    OK: Removing backdoor from uploads directory: ./wp-content/uploads/2010/11/log.php
    Found backdoor (malware) on file: ./wp-content/blogs.dir/2/files/2011/09/mootools-1.2.1-core.php (CLEARED)
    OK: Hardening ./wp-admin/setup-config.php on WordPress
    Found backdoor (malware) on file: ./wp-includes/feed.php (CLEARED)
    Found backdoor (malware) on file: ./60c002be4170cf563a01e5f33a5ce93e8f538230.php (CLEARED)
    Malware found on file: ./wp-content/themes/canvas-4.4.5/includes/images/flexo.php (CLEARED)
    OK: Removing PHP file (backdoor) from the images directory: ./wp-content/themes/canvas-4.4.5/includes/images/flexo.php (hardening)

    Please follow these steps to avoid reinfection: http://sucuri.net/kb/after-the-cleanup

So, hoping that helps you guys. My recommendation, if you can afford it, is to purchase a Sucuri maintenance cleaning. Peace of mind is also worth hours of my time! I would have never been able to find these problems so quickly.
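Two triage checks that would have surfaced most of the files in the report above (a modified core file, and PHP dropped into uploads/images directories), written as an added example for this thread and not code from Sucuri or any poster. It builds a small constructed WordPress tree in a temp directory; a real run would point `root` at the site and take `known_good` hashes from a fresh WordPress download of the same version.

```python
"""Triage a WordPress tree: (1) core files whose hash differs from a
known-good list, (2) *.php files under uploads/files/images directories.
Added example; the tree, file contents and hashes are constructed here."""
import hashlib
import re
import tempfile
from pathlib import Path

# Directories that should only ever hold static assets.
ASSET_DIR_RE = re.compile(r"(^|/)(uploads|files|images)(/|$)")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def modified_core_files(root: Path, known_good: dict[str, str]) -> list[str]:
    """Relative paths that are missing or whose hash differs from known_good."""
    return sorted(rel for rel, digest in known_good.items()
                  if not (root / rel).is_file() or sha256_of(root / rel) != digest)


def php_in_asset_dirs(root: Path) -> list[str]:
    """Every *.php file living under an uploads/files/images directory."""
    hits = []
    for path in root.rglob("*.php"):
        parent = path.parent.relative_to(root).as_posix()   # "." for top level
        if ASSET_DIR_RE.search(parent):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed mini site, tamper with one core file, run both checks."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed contents, modelled on paths from the report above
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-includes/feed.php": "<?php /* clean reference copy */\n",
        "wp-includes/js/comment-reply.js": "// original script\n",
        "wp-content/uploads/2010/11/log.php": "<?php /* constructed dropper */\n",
        "wp-content/themes/canvas/includes/images/flexo.php": "<?php /* constructed */\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    known_good = {rel: sha256_of(root / rel)           # reference hashes taken
                  for rel in ("wp-includes/feed.php",   # before tampering
                              "wp-includes/js/comment-reply.js")}
    # Simulate the injection the thread describes: a line added after <?php.
    (root / "wp-includes/feed.php").write_text("<?php /* injected */\n/* clean */\n")
    return modified_core_files(root, known_good), php_in_asset_dirs(root)
```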

  15. Borbotron
    Member
    Posted 3 years ago #

    I did try Sucuri's scanner along with a dozen more online scanners without success, the only tool that discovered the exploit was AVG's.

I wrote to them asking if they have any tool to diagnose infected sites they could provide for developers, as their desktop version doesn't seem to react to the exploit and the online version is not an actual scan but a historical data sheet. It's been around 10 days and they haven't answered yet.

    I'll update the thread if there's any news, thanks everyone for the feedback, see you!

  16. capanema
    Member
    Posted 3 years ago #

    Hello, computacion!

    I had the same problem with the Blackhole Exploit Kit here.
    Nothing wrong with my .htaccess file.

    Do you have any news?
    Thanks in advance!

  17. Borbotron
    Member
    Posted 2 years ago #

    @capanema

My .htaccess file was clean too; as you can see in the thread, the exploit hides in different places. If .htaccess is OK, replacing and/or upgrading WordPress + plugins seems to work until now.
    ------------------------------------------------------

    For all of us, good news from AVG: They took their time to write back but then they answered very enthusiastically about having a diagnostic tool for webmasters. They said it's a great idea and they will develop a specific panel for us on avgthreatlabs.com

From what they told me, we'll be able to add the sites we want to monitor and they'll send alerts if there's any suspicious activity. It will be available this summer, so let's keep an eye on it, as it will probably prove very useful!

  18. calcidon
    Member
    Posted 2 years ago #

    Hi, computacion

    I have the same problem, where do you look for the hack code?
    One of my sites is http://loosefat101.com/

    thanks

    Calcidonio

  19. The standard reply to "help, my site is hacked" remains this reading list.

    Start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/

    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    http://www.studiopress.com/tips/wordpress-site-security.htm

    You need to delouse your installation, lock the doors and windows, and monitor to make sure you remain clean.

    It's not easy and is a lot of work, but the problem is there if you've been compromised like that.

  20. mv5869
    Member
    Posted 2 years ago #

I am really struggling with this one. The Blackhole exploit has infected all my addon domains at my shared hosting, and as soon as I remove it it reappears.

Even on non-WordPress addons it now appears. I've tried everything above but am still being reinfected.

    Has anyone managed to remove it entirely?

  21. Larry2010
    Member
    Posted 2 years ago #

This might help someone... I had the Blackhole Exploit Kit on my WordPress. A line of code was added to my main index.php and within my theme index.php.

So, I edited the index.php and removed the hacker's code, which was posted immediately after the <?php tag and before the rem statements. I then changed permissions on the file to 444 to stop anyone writing to it.

    So far this has cleared the threat. Might not be good advice but it worked for me - so far!

  22. Historia
    Member
    Posted 2 years ago #

    I have the same problem... Blackhole Exploit Kit (type 2324) Any ideas?

  23. Historia
    Member
    Posted 2 years ago #

    web site: ***.org.pl
    status: Site blacklisted, malware not identified
    web trust: Site blacklisted.

    Domain blacklisted on the Opera browser (via AVG): ***.org.pl - reference
    Domain clean by Google Safe Browsing: ***.org.pl - reference
    Domain clean by Norton Safe Web: ***.org.pl - reference
    Domain clean on Phish tank: ***.org.pl - reference
    Domain clean by SiteAdvisor: ***.org.pl - reference
    Domain clean on Sucuri IP/URL malware blacklist: ***.org.pl - reference
    Domain clean by the Sucuri Malware Labs blacklist: ***.org.pl - reference
    Domain clean on Yandex (via Sophos): ***.org.pl - reference

  24. Drew75
    Member
    Posted 2 years ago #

    I'm having the same problem with my WP site now. Google Chrome redirects to a page containing the following information:

    [ Moderator note: If it contains malware, don't share the link. ] contains content from centuriesdamage.info, a site known to distribute malware. Your computer might catch a virus if you visit this site.
    Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
    We have already notified centuriesdamage.info that we found malware on the site. For more about the problems found on centuriesdamage.info, visit the Google Safe Browsing diagnostic page.

    And one of the WP theme tech support guys notified me of this when his AVG picked it up when he tried pulling up the site on his machine. Here's the screen shot he sent me.

    https://solostream.zendesk.com/attachments/token/yb9sjswlkkfxgun/?name=thegalleysink-alert.png

    Should I use one of the above mentioned tools to remove this?

I've spoken to the host company for my site and they suggested I scan all of my WP files with my anti-virus software. I did this and it came out clean. So then (as suggested) I backed up my WP database files with one of the available plugins through my WP dashboard and scanned the .sql file it created, which also came out as clean.

  25. Should I use one of the above mentioned tools to remove this?

    Not one of the above, read all of them. Yes, really.

    There is no quick fix for a hacked site, no magic pill.

    It's lots of work but needs to be done. If you do not successfully delouse your site, you'll just keep repeating this effort.

  26. Drew75
    Member
    Posted 2 years ago #

    Wonderful. Is this a common problem with WordPress sites? I haven't even made this site live yet. I thought I read somewhere that WordPress sites getting hacked or infected is common and that you should always keep it updated.

  27. juanger
    Member
    Posted 2 years ago #

I have the same problem on my website. Can anyone help me find the problem? Thanks

    My site:

    http://www.acdc-noticias.com.ar

    The problem:

    http://forums.avg.com/image/freeforum/es/6829/481

  28. esmi
    Forum Moderator
    Posted 2 years ago #

    See the links posted above and, next time, please post your own topic.

  29. juanger
    Member
    Posted 2 years ago #

    Ok thanks

Topic Closed

This topic has been closed to new replies.
