Blackhole Exploit Kit removal help

  • YJeXtreme
    New Member
    • Mar 2011
    • 19
    • 4.1.x

    [Forum] Blackhole Exploit Kit removal help

    My site has been hit with a virus/blackhole exploit, and I'm having trouble removing it...

    AVG pops up on any/every page, with

    [attached screenshot: Avgalert.jpg]

    I've searched here and found where someone stated their templates were hacked. I searched all templates; none were modified. I did find that a "commons.php" file had been added in, which has since been removed.

    Plugins I'm running are:
    Navtab menu for Gallery
    Picture and Album Gallery
    vBH - Add new tabs 1.2
    VSa - Paypal Donate

    I did look through my control panel logs and saw that back in Oct the plugins.php was modified by a foreign IP, but this file has since been replaced when I updated from 4.1.2 to 4.1.7 (yes, I was very late on updating, so essentially my fault for the hack).

    Any help on fixing this? I have database backups from pre-hack... should I create a new DB and restore the backup to it? Any help is appreciated!
    YJeXtreme
    Founder StarCityCrawlers
    [email protected]
    http://www.scc4x4.com
  • Cowboysfan
    Member
    • Nov 2004
    • 88
    • 4.2.X

    #2
    I hope the experience that I have been going through helps you. I had this same exploit error being reported, and ultimately had more types of errors, depending on the AV program a member was using.

    First, change your FTP password, and your root password if it is your server or a VPS.

    Check all of your .htaccess files. Several of mine were compromised. Code was added at the bottom and permissions were changed to 755.
    Check for files named: google_verify.php (This file was added to multiple folders in my situation)
    Check old files from hacks you have had; many of these were modified on my site when this happened.
    If you have a custom 404 page, check it. Mine was hacked and without realizing it, that made it a disaster to try and narrow this problem down.

    I also have the IP address of the hacker, not sure if I can post it here or not.

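The checks in post #2 (appended code in .htaccess files whose mode was changed to 755, dropped google_verify.php files, and older files modified again) can be scripted as a read-only sweep of the web root. The script below is an added example, not code from this thread or from vBulletin; it assumes a POSIX shell with find, cksum, grep and mktemp, takes the web root and a baseline file as arguments, and builds a constructed sample tree so it runs offline. It generalises the "check old files" step into a checksum baseline taken from a known-clean install, so that any modified or newly planted file is listed, not only the names the post happens to mention.

```shell
#!/bin/sh
# Added example (not from the thread): a defender-side sweep for the
# indicators listed in post #2, run against a vBulletin web root.
# Assumes POSIX sh with find, cksum, grep and mktemp; the sample tree
# below is constructed so the script runs without a real site.

# Record a cksum baseline of every file under root $1. Take it from a
# known-clean install (or a fresh upload of the vBulletin package) and
# keep it outside the web root, so later diffs show only what changed.
make_baseline() {
  find "$1" -type f | sort | while read -r f; do
    printf '%s %s\n' "$(cksum < "$f" | cut -d' ' -f1)" "${f#"$1"/}"
  done
}

# Print files under root $1 whose checksum line is absent from baseline
# file $2: modified files and newly planted files both show up here.
diff_baseline() {
  make_baseline "$1" | while read -r sum path; do
    grep -qxF "$sum $path" "$2" || printf '%s\n' "$path"
  done
}

# .htaccess never needs execute bits; a 755 .htaccess matches the
# permission change the post describes.
find_exec_htaccess() {
  find "$1" -type f -name .htaccess -perm -111
}

# Dropped files under the name the post reports (google_verify.php).
find_named_files() {
  find "$1" -type f -name google_verify.php
}

# ---- constructed sample tree (clean state) ----
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/forum"
  printf 'RewriteEngine On\n' > "$root/.htaccess"
  printf 'RewriteEngine On\n' > "$root/images/.htaccess"
  chmod 644 "$root/.htaccess" "$root/images/.htaccess"
  printf '<?php echo "clean"; ?>\n' > "$root/forum/index.php"
  echo "$root"
}

# Simulate what the post describes, with harmless constructed content:
# a line appended to one .htaccess, its mode set to 755, and a dropped
# google_verify.php.
plant_sample_indicators() {
  printf '# constructed appended line\n' >> "$1/images/.htaccess"
  chmod 755 "$1/images/.htaccess"
  printf '<?php /* constructed placeholder */ ?>\n' > "$1/forum/google_verify.php"
}

# Demo when run with no arguments: baseline the clean tree, plant the
# constructed indicators, then report what each check finds.
demo() {
  root=$(make_sample_root)
  base=$(mktemp)
  make_baseline "$root" > "$base"
  plant_sample_indicators "$root"
  echo "changed or new files:";  diff_baseline "$root" "$base"
  echo "executable .htaccess:";  find_exec_htaccess "$root"
  echo "google_verify.php:";     find_named_files "$root"
  rm -rf "$root" "$base"
}
[ "$#" -eq 0 ] && demo
```

On a real site the baseline is the only part that needs preparation: run make_baseline over a clean copy of the same vBulletin version, store the output away from the web root, and re-run diff_baseline after each suspected incident. Files that legitimately change (config.php, uploaded attachments) will appear in every diff and can be filtered by path; anything else in the list is worth reading before the site is put back online.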

    • YJeXtreme
      New Member
      • Mar 2011
      • 19
      • 4.1.x

      #3
      I've got the IP from my admin/cp logs of VB and have since blocked it from all access to the site. I've changed all passwords.

      I've still only located the commons.php file that was added, and that the plugins.php was modded sometime in mid-Oct, but that was reverted when I did the upgrade from 4.1.7 to 4.1.8.

      I'm to the point of wiping all files, and restoring from a database from Sept, then upgrading back up to 4.1.8 immediately...

      Any other help is appreciated
      YJeXtreme
      Founder StarCityCrawlers
      [email protected]
      http://www.scc4x4.com


      • YJeXtreme
        New Member
        • Mar 2011
        • 19
        • 4.1.x

        #4
        I've been fighting with this for 3 nights now, and still no luck in resolving... I've uploaded all the new files for 4.1.9 and ran upgrades, and as soon as I began the upgrade scripts I kept getting AVG flagging for virus/malware...

        Can I upload to a new directory, create a new database, and restore from my current database? I've never done this, nor had this much trouble in my 3 yrs of running VB... Any and all help or suggestions are appreciated.
        YJeXtreme
        Founder StarCityCrawlers
        [email protected]
        http://www.scc4x4.com


        • robinhood1995
          New Member
          • May 2002
          • 11

          #5
          I had to search in my templates for the change that the hacker put in, then I upgraded to 4.2.
          Thanks,
          RH
