5

It has come to our attention when scanning some of our hosted server websites that they have been infected with Blackhole Exploit Kit (top dollar hacking program - http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/)

Can someone advise on possible scripts to implement on an Ubuntu 8.04 LTS 64-bit machine to scan and remove these infected files or at least just mention if they have had previous experience with this and what method was used to get rid of the virus?

EDIT:

The information below on wordpress was great, but its not only CMS sites that are infected.

Which of the following would be the best course of action?

Change all the control panel and ftp details?

Run clamAV (with no working heal function) and remove the files per hand all day long?

Shut down the server and update the plesk and ubuntu? (this is a problem as we make use of a homebrew expand server, and expand does not support anything above plesk 9).

Look at the httpd_access_log and identify a certain subnet and block it in iptables?

deanvz
  • 81
  • 1
  • 7
  • You should look at how the files are infected. If the files are infected in exactly the same way, for example, if exactly the same string has been appended to existing files, you might be able to use Linux command line to remove extraneous information from the back of the files. Restoring a backup will only work if you caught the problem before your oldest backup. If the problem exists before then restoring a backup will be useless. – Eugene van der Merwe Jun 13 '12 at 10:12

1 Answers1

5

In cases of malware infection, the best way to eliminate it is to:

  1. Backup everything
  2. Remove everything and do a clean install (as in keep nothing)
  3. Change all passwords and ssh keys.
  4. Check the files you need from your backup, one-by-one.

The process is painful, but is 100% effective.

Install ubuntu server 12.04 since you're reinstalling. :)

UPDATE:

Savvas Radevic
  • 7,693
  • 2
  • 36
  • 47
  • Is there a working solution for this as downtime on this server is something I am considering? It seems that the files were infected due to over permissions on wordpress sites. Is it really needed to do a clean install after sites got infected? But the idea sounds attractive to just do a format/install – deanvz Jun 12 '12 at 15:19
  • well, I've never been infected with this kit personally, but that's what I would do if it happened. If it's only on one site, then take the chance and reinstall only that site. It's a risk you can take. If it's more than 5 sites and the user controlling them has access over system files, I would do a clean install if I were you. It's basically up to the administrator (you?) to decide. More security (and ease of mind) vs. potential threat (and waking up in the middle of the night)? – Savvas Radevic Jun 12 '12 at 15:55
  • It is easy to re-load the sites, but I am suspecting that more sites are infected (different users) so I would like a script to help me identify these problem sites and remove the harm full content and of course as always with scripts to automate this – deanvz Jun 12 '12 at 16:02
  • 1
    That's part 4,painful! :) Reinstall the wordpress core, then do it manually and check each php in the template. Maybe [this](https://code.google.com/p/wpscan/) or [this](https://wordpress.org/extend/plugins/wp-security-scan/) would help? Also here's a guide for [hardening wordpress security](http://www.1stwebdesigner.com/wordpress/security-plugins-wordpress-bulletproof/) - You also have valuable information about blackhole [here](http://www.computerpartsgreenvillesc.com/secrets-of-the-blackhole-exploit-kit-revealed/) -- Lastly, try out the [sucuri scanner](http://sitecheck.sucuri.net/scanner/) – Savvas Radevic Jun 12 '12 at 16:19