Stec Records Forum

Exploit Blackhole Exploit Kit virus attacks

Posted by bob (Administrator)
Stec Records was recently attacked using the "exploit blackhole exploit kit", which made its way into our files on the host for our site, GoDaddy. We're still investigating the problem, but AVG started popping up messages of "exploit blackhole exploit kit" "type( 2724)" threats when a page was opened. The "Object name" reported by AVG included different web sites associated with the virus but surprisingly didn't include the site URL that contained the threat, our site. With countless tabs open and the intermittent behavior of the virus, it took a while for us to realize that it was our own site that had the virus.

It turns out that all of the PHP and HTML files for our site on the server had been modified. Code had been added to the beginning of the PHP files and JavaScript to the HTML files. The virus shows itself intermittently on the infected pages, so they aren't always picked up by the likes of AVG, but the little JavaScript turd stands out like a sore thumb at the bottom of the page source. They appear to also drop a few files in the site's root directory, but the quick fix is pretty easy: re-post the files and delete files that are not yours (I cached a copy of the mystery files in a temp folder on my computer for evidence, but also in case one of them was actually needed by the site and needed to be cleaned and restored). The turd can be edited out of the files, but it's best to just overwrite them from your local mirror if you can.

This gets the virus off your/our site, but you/we still need to get to the bottom of how they got in and protect against future attacks. Local copies of files appear to be unaffected by the virus, and the mystery files were not in our local mirror, so either someone is getting in through GoDaddy or via FTP from either our development computers or another computer with ill-gotten login information. First order of business was to run a virus scan on our development computers, then to change the FTP and other login passwords on the server. No viruses were found on our computers, but we're caching a sampling of the modified files for analysis and for evidence in the eventuality that these people get to "pay the bill", so to speak (both figuratively and literally). The time stamps on the files modified by the virus were spread out over more than an hour, but updating the files on the server gets rid of the problem, at least in the short term.

I know that posting this information is tipping my hand to these virus-ers, but I'm sure there are others out there getting dicked around by these misguided souls.

Please remember Stec Records in your dreams if this post helps you in any way.
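The clean-up the post describes (compare the host's files against the local mirror, re-upload what differs, quarantine what was never yours) can be made systematic. The script below is an added example and is not code from the original post or from Stec Records: it hashes two directory trees, lists files that differ, files present only on the host and files missing from the host, and for each changed file reports whether bytes were prepended (as the post describes for the PHP files), appended (as described for the HTML files) or changed in some other way, then turns that into a re-upload/quarantine plan. The directory names, file names and the placeholder "injected" content in the sample trees are constructed for illustration and are not the real injected code.

```python
"""Integrity comparison of a local site mirror against a copy pulled from the host.

Added example, not from the original post. Assumes you have downloaded the
host's current files into one directory and keep the known-good mirror in
another; both directory names are hypothetical.
"""
import hashlib
import os
from pathlib import Path


def load_tree(root):
    """Map each file's path (relative to root, '/'-separated) to its bytes."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def classify_change(clean, live):
    """Say how the live copy differs from the clean one and return the extra bytes."""
    if len(live) > len(clean) and live.endswith(clean):
        return "prepended", live[: len(live) - len(clean)]
    if len(live) > len(clean) and live.startswith(clean):
        return "appended", live[len(clean):]
    return "other", b""


def compare_trees(mirror, live):
    """Compare two {relpath: bytes} mappings; the mirror is the trusted side."""
    report = {
        "modified": {},
        "added": sorted(set(live) - set(mirror)),      # on the host, not in the mirror
        "missing": sorted(set(mirror) - set(live)),    # in the mirror, gone from the host
    }
    for rel in sorted(set(mirror) & set(live)):
        if sha256(mirror[rel]) != sha256(live[rel]):
            kind, extra = classify_change(mirror[rel], live[rel])
            report["modified"][rel] = {
                "kind": kind,
                "injected_bytes": len(extra),
                "preview": extra[:60].decode("utf-8", "replace"),
            }
    return report


def remediation_plan(report):
    """Re-upload changed or missing files from the mirror; quarantine unknown ones.

    Quarantine (copy off for evidence, then remove from the host) rather than
    delete outright, in case one of the unknown files turns out to be needed.
    """
    plan = [("reupload", rel) for rel in report["modified"]]
    plan += [("reupload", rel) for rel in report["missing"]]
    plan += [("quarantine", rel) for rel in report["added"]]
    return plan


# Constructed sample trees standing in for the local mirror and the host copy.
MIRROR = {
    "index.html": b"<html><body>Stec Records</body></html>\n",
    "inc/header.php": b"<?php\n// site header\necho 'hi';\n",
    "about.html": b"<html><body>About</body></html>\n",
}
LIVE = {
    # JavaScript tacked onto the end of an HTML page (placeholder content).
    "index.html": MIRROR["index.html"] + b"<script>/* INJECTED-PLACEHOLDER */</script>\n",
    # Code added to the start of a PHP file (placeholder content).
    "inc/header.php": b"<?php /* INJECTED-PLACEHOLDER */ ?>" + MIRROR["inc/header.php"],
    "about.html": MIRROR["about.html"],                  # untouched
    "xyz.php": b"<?php /* dropped file, placeholder */ ?>",  # not in the mirror
}


def demo():
    return compare_trees(MIRROR, LIVE)


if __name__ == "__main__":
    rep = demo()
    for rel, info in rep["modified"].items():
        print(f"MODIFIED  {rel}: {info['kind']} ({info['injected_bytes']} bytes) {info['preview']!r}")
    for rel in rep["added"]:
        print(f"ADDED     {rel}")
    for rel in rep["missing"]:
        print(f"MISSING   {rel}")
    for action, rel in remediation_plan(rep):
        print(f"PLAN      {action:<10} {rel}")
    # Against real directories: compare_trees(load_tree("mirror"), load_tree("host_copy"))
```

Run it against a fresh download of the host's files rather than against the live server in place, so the downloaded copy doubles as the evidence snapshot the post recommends keeping. A file reported as "other" was not a simple prepend or append and should be inspected by hand before it is overwritten.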