Blackhole Exploit Kit: How to remove it?
I have several WP websites reported as infected in Opera browser (the only one that detects it). Tested with several online detection tools, the sites appear to be “clean”, except for AVG Online Virus Scanner, that reports this sites infected with Blackhole Exploit Kit and Link To Exploit Site.
I did a thorough search, but I couldn’t find any ‘official’ information on how to remove this infection from WP, only a few users blogging about it, but without any real solutions.
Is there any proven solution or consensus on what to do with this type of infection?
Have you contacted/informed your web host? Often times they will be able to help significantly.
Yes, I’ve tried, they say it’s not an issue with the server but with the script (WordPress). I think I found the malicious code , pasting it here in case someone else has the same problem.
[Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]
I will now try to find in which file is this code generated. I someone else cares to take a look, here’s one site.
Ok, I found the source of that code, it was generated by:
Replacing that file the code doesn’t appear anymore, but I still don’t know if the site is clean, as the only tool that detects the problem is AVG Online Scanner, but it’s not an actual scan of the site, it gathers information from users antivirus. I’ll try downloading and installing AVG, and post it here when I come to a conclusion.
I just accessed the page before you posted it and got the warning – now I don’t anymore so what you did may have fixed it. I’ll check again later and let you know. Some of your pages are broken by the way, like this one for example.
That’s great news, what software was giving you the warning? For now the only one that detected it was the AVG Online Scanner. I’ll check the broken structure, maybe it has something to do with the infection, thanks.
If replacing /wp-includes/js/comment-reply.js fixes it, then the odds are your FTP/SSH account has been compromised. Change your passwords for that and verify that your PC isn’t infected.
What I don’t know is if I got infected from the sites or viceversa. I started suspecting my system after discovering malware in one of the sites. Problem is, I haven’t found yet any online tool or virus scanner that detects this exploit, apart from the warnings in Opera and AVG Online scanner, that don’t provide much information. I downloaded and installed AVG but it doesn’t react to the infected sites like the Online version.
@patrick Nommensen: When you come back, could you please let me know what tool was that gave you the warning? I’ll use it to check the sites, thanks.
Here’s another site Avg Online Virus Scanner reports as having the same issue (blackhole exploit kit), although this one doesn’t show the code the other one did, so I’m still looking for the problem, if anyone has any other clue, please let me know, thanks.
This may seem slightly off topic, but might prove relevant. I had a bit of an issue with tdss on two machines I recently serviced, In both events, it placed a “TDLFS file system” in the boot record. Slipped right by detection by both anitivirus tools on both machines. This tool did a fantastic job of detecting and removing it permanently, and it can be run right from the desktop. http://support.kaspersky.com/faq/?qid=208280684 Be sure to view/change the tools settings, and set it to scan for the TDLFS file system before running, if you decide to recheck your pc for remaining signs of infection.
The real reason I mention this, is that in both cases of tdss infection, the hosts files on both machines were altered to include redirects to fake Google and fake Bing sites. Two consecutive numeric ip numbers, set to resolve your machine to fake sites every time you used google or bing. I don’t know if this is symptomatic of tdss, or the result of secondary payloads, but it’s certainly worth investigating. Just something else to check in order to make sure your local machine really is rid of the rootkit components.
I had the same report from AVG on a site but was not showing anything in the above named JS file.
So that makes me think that this blackhole exploit kit has a few different forms, to which AVG is reporting everything as ‘blackhole exploit kit’.
My threat was removed when I cleaned suspicious code in my .htaccess file.
This post has more information on it, and my unique situation: http://www.computerpartsgreenvillesc.com/secrets-of-the-blackhole-exploit-kit-revealed/
I tried TDSS killer without success, only ComboFix found the TDSS infection, my hosts file didn’t seem to be altered, but this malware seems to have so many ways of hiding itself, it’s really worrying.
I’m not sure if my infection came from my sites or viceversa. Is there a documented relation between BlackholeExploit Kit and TDSS?
Yes, I saw that thread (only a hand full useful on the subject), in my case htaccess was clean, glad it worked for you.
Meanwhile, I still couldn’t find a tool (online or offline) to diagnose the infected sites, and even when they all show the same infection, the code is hiding in different places in each blog. It seems the exploit has many mutations OR AVG is reporting different exploits as the same one.
It’d be extremely important to get a diagnostic tool, as AVG Online Scanner relies on historical user reports, so, it’s diagnostics won’t change for at least a few days after disinfection.
What seems to be working for me right now (although I’m not sure as I still don’t have a diagnostic tool) is to upgrade or re-install WP, plugins and themes.
A problem is that most of these kits aim at Windows users (i.e. they only infect Windows users) so unix and mac users don’t see anything, nor can they easily scan.
Best thing to do would be to delete all the WP files and re-upload from source.
Sometimes that easier to do if you put a new version of WP in a subfolder, install everything there and then point that install to your normal database. You can run WP out of a subfolder from then on, unless it’s Multisite, where you have a bigger headache.
Is there a documented relation between BlackholeExploit Kit and TDSS?
I have not seen anything that would make me believe the two were directly connected in any why. I just wanted you to be aware that TDSS has a hidden ‘rootkit’ component to it that could sometimes evade detection on your local windows machine. Sounds like you have it under control.
I have a few more elements to my story. After fixing my initial .htaccess files I contacted avg on firstname.lastname@example.org asking to be whitelisted. They replied that I was still showing malware reports on certain pages of the site and provided me with a CSV file with all the incidents of malware occurrence.
So, eventually bit the bullet and hired sucuri.net to clean my site for US$90 as its a client site and their users are reporting issues — bad situation to be in!
Surprisingly, Sucuri discovered malware hidden in another half dozen files throughout the site, and among files that weren’t new to the WordPress installation but modified by a hack exploit.
Here’s the report they gave me:
The following files were compromised and fixed:
OK: Hardened upload directory (./wp-content/uploads)
Found suspicious signature on file: ./wp-content/uploads/2010/11/log.php (CLEARED)
OK: Removing backdoor from uploads directory: ./wp-content/uploads/2010/11/log.php
Found backdoor (malware) on file: ./wp-content/blogs.dir/2/files/2011/09/mootools-1.2.1-core.php (CLEARED)
OK: Hardening ./wp-admin/setup-config.php on WordPress
Found backdoor (malware) on file: ./wp-includes/feed.php (CLEARED)
Found backdoor (malware) on file: ./60c002be4170cf563a01e5f33a5ce93e8f538230.php (CLEARED)
Malware found on file: ./wp-content/themes/canvas-4.4.5/includes/images/flexo.php (CLEARED)
OK: Removing PHP file (backdoor) from the images directory: ./wp-content/themes/canvas-4.4.5/includes/images/flexo.php (hardening)`
Please follow these steps to avoid reinfection: http://sucuri.net/kb/after-the-cleanup
So, hoping that helps you guys. My recommendation is you can afford it, is to purchase a Sucuri maintenance cleaning. Peace of mind is also worth hours of my time! I would have never been able to find these problems so quickly.
I did try Sucuri’s scanner along with a dozen more online scanners without success, the only tool that discovered the exploit was AVG’s.
I wrote to them asking if they have any tool to diagnose infected sites they could provide for developers, as their desktop version doesn’t seem to react to the exploit and the online version is not an actual scan but an historical data sheet, it’s been around 10 days and they haven’t answered yet.
I’ll update the thread if there’s any news, thanks everyone for the feedback, see you!
- The topic ‘Blackhole Exploit Kit: How to remove it?’ is closed to new replies.