Here is a quick little write up on how to to deal with one, of many variations, of the Blackhole Exploit.
If you scan your site using Sucuri SiteCheck and find yourself with a result that looks like this:
Then you are dealing with an infection that is facilitated through the use of the Blackhole Exploit kit, the infection is classified as a Drive-by-Download type infection.
As the type implies, when someone visits a site with this payload, the infection will be initiated on visit and if the conditions are correct it will attempt to download something on your local environment. Hence the classification.
Another option you have, if you feel the site is functioning funny, is to leverage your terminal environment. On UNIX/LINUX based machines you have the option to use CURL as follows:
$ curl -D googlebot www.infectedsite.com
In this instance you’d see this:
Same infection as what was presented in the SiteCheck results.
The Removal Process
In this specific instance the infection was found across all the following files:
This includes the root, theme directory, plugins directory, admin and includes directories. Every one of those directories had an index file and each file was infected, I mention that to show the scope of the infection.
Hunt The Infection
If you have terminal access to the environment you can quickly identify every file infected by running the following:
$ grep -r ‘72.81.840.918.256’ .
If you’re in a rush and your site is very deep, you could also push the results of the grep to a log file versus waiting for it to display and check back later:
$ grep -r ‘72.81.840.918.256’ . > infectedsite-infection
This will create the infectedsite-infection file in the directory you are in. Once you have time you can come back and analyze the output:
$ cat infectedsite-infection
If you don’t have terminal, don’t sweat it, you can often download the entire install to your local environment and run it there too. When you’re satisfied you have found all the offending files simply push it back to your server.
Now Clean it Up
When you’re cleaning, you don’t have to be a coding rockstar, but you want to be aware of the little things. By little things I mean this:
- If in a PHP file you’re going to need an opening tag, usually looks like this: ‹?php that will then be followed by a closing tag that looks like this ?›
In this instance, this was the most important to keep in mind.
As for the removal, when you look at the results in SiteCheck or your Curl results you see everything fits inside ‹script› and ‹/script›.
There are a few ways to automate the removal, but that won’t be covered here. The easiest way for you is to open the files from the steps above, find the infection, highlight, and delete.
Verify you don’t pick up any of the important characters I mentioned above.
Opening you have a few different options, you can use terminal editors or a local FTP editor (e.g., Codad, notepad, textpad, etc.. ). If you don’t want to mess with any of that, well then good news, simply sign up with us and we’ll take care of it for you.
Any questions or concerns with the post just let us know at firstname.lastname@example.org.