Blackhole Exploit kit

Jan 4, 2013 at 1:31 PM
Edited Jan 4, 2013 at 1:36 PM

Hi All,

I have noticed that lots of WordPress websites have been injected with the code for the Blackhole Exploit kit.

It is similar to this work item:

http://blogengine.codeplex.com/workitem/12173

I just recently had some of my BlogEngine.net based websites, and others, get the Blackhole Exploit kit code injected into them.

It put the code at the very end of just about every file on the website.

Even code-behind files like default.aspx.cs.

The rest of them are in the JavaScript files.

I am wondering if anyone else has experienced this yet?

To test your website go here:

http://sucuri.net/

It will tell you if your website is infected or not.

Does anybody know how to prevent this from happening again?

Or how to protect a website from such an attack?

I am thinking of a way to hash all web files and have a way for it to detect if any of the files have been changed.

I think that's one way to detect hacking.

Has anyone done this yet?

Thanks,

Brian Davis
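
The hash-and-compare idea raised in the post above, as an added example that is not part of the original thread or of BlogEngine.NET: it records a size and SHA-256 for every file under a web root, then reports what changed, labelling a file "appended" when its original bytes are intact and extra bytes follow, which is the pattern the post describes. The function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def _sha256(path, limit=-1):
    """SHA-256 of a file, or of only its first `limit` bytes (-1 reads the whole file)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(limit)).hexdigest()

def build_baseline(root):
    """Map each relative path under root to (size, sha256)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (os.path.getsize(full), _sha256(full))
    return baseline

def compare(root, baseline):
    """Return {relative path: status} for every file that differs from the baseline."""
    current = build_baseline(root)
    report = {}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            report[rel] = "added"
        elif digest != baseline[rel][1]:
            old_size, old_digest = baseline[rel]
            # Original bytes intact but the file grew: content was appended at the end.
            grew = size > old_size
            intact = grew and _sha256(os.path.join(root, rel), old_size) == old_digest
            report[rel] = "appended" if intact else "modified"
    for rel in baseline:
        if rel not in current:
            report[rel] = "removed"
    return report

def demo():
    """Constructed sample site: one file gets text appended, one file is added."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("default.aspx.cs", b"class Page {}\n"), ("site.js", b"var a = 1;\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "site.js"), "ab") as f:
            f.write(b"/* constructed placeholder for appended text */\n")
        with open(os.path.join(root, "new.js"), "wb") as f:
            f.write(b"// constructed\n")
        return compare(root, baseline)
```

Keep the saved baseline somewhere the web application's account cannot write to, so that whatever modifies the site files cannot also rewrite the recorded hashes.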

Coordinator
Jan 4, 2013 at 3:13 PM

I'm not familiar with this exploit, but I'm guessing the key here is how the files got modified in the first place. I would try to have all directories read-only, and probably move to the DB provider if you are on XML, to have fewer files to protect. If you have read-only directories and files still get modified, it means the exploit does not work at the app level (the files are not modified by the web app). In any case, if this is not specific to BE, looking at how others deal with this exploit might give some clues on how to fix it.

Jul 11, 2013 at 2:15 PM
kbdavis07 wrote:
Hi All, I have noticed that lots of WordPress websites have been injected with the code for the Blackhole Exploit kit. It is similar to this work item: http://blogengine.codeplex.com/workitem/12173 I just recently had some of my BlogEngine.net based websites, and others, get the Blackhole Exploit kit code injected into them. It put the code at the very end of just about every file on the website. Even code-behind files like default.aspx.cs. The rest of them are in the JavaScript files. I am wondering if anyone else has experienced this yet? To test your website go here: http://sucuri.net/ It will tell you if your website is infected or not. Does anybody know how to prevent this from happening again? Or how to protect a website from such an attack? I am thinking of a way to hash all web files and have a way for it to detect if any of the files have been changed. I think that's one way to detect hacking. Has anyone done this yet? Thanks, Brian Davis
I have found a solution to a similar problem with hacker ninja; it's a free online scanner for WordPress and Joomla websites. Please have a look.