How To Remove the BlackHole Exploit?

Throughout this article, we will cover one of the nastiest viruses you can unfortunately meet in your web hosting ventures.

BlackHole is a well-engineered virus. Several versions exist, and each has its own specificities.

The source of the infection can differ drastically: either your computer is infected, or you are using an infected script.

Infected scripts are found on the web as freebies, made available on purpose for anybody to download.

The virus serves different purposes. It can redirect X % of your traffic overall, or only the traffic coming from Google, which can be hard to detect. It also serves a viral purpose: it downloads a .jar file which infects your computer and spreads the virus across your website.

If your antivirus isn't effective enough, you may already be infected. According to our tests while removing the virus for infected customers, the best antivirus for the web remains AVG (see its official website). AVG properly blocks the virus from spreading to your computer when you browse an infected website.

Also, be aware that the virus replicates itself to all your files if you have not removed the main infected file: each time you remove a copy, it comes back. Some very nasty versions may also corrupt cPanel system files, such as the core of phpMyAdmin for instance.

When your computer is infected, the virus generally looks for the FileZilla XML file in which all your logins, passwords and IPs are stored in plain text. If you have the root SSH login saved in FileZilla, this is when your server system files are most at risk.

BlackHole generally replicates itself into all the index.php files within a web hosting account or server that can be accessed with the same logins.

Now that you have an approximate overview of the virus and its purposes, here is the method to remove it efficiently:

1) You need to identify the source by asking the following questions: Have I used a downloaded template for my website? Does this template use the timthumb.php function?

If you are using WordPress, look for the following file: wp-content/themes/yourcustomtheme/timthumb.php

If you find the file, make sure to update the function by replacing its code with the improved timthumb version from: http://timthumb.googlecode.com/svn/trunk/timthumb.php

The infection may also come from your computer or from a computer used to administer the site. In that case you need to run the AVG antivirus, which is one of the only antivirus products that can detect BlackHole on your computer. The free edition will do perfectly.

2) Once you have cleaned the source of the virus, you need to clean your website. To do so, download your whole website folder to your computer: everything inside the public_html folder.

Then use Dreamweaver or Notepad++ to search for the pattern "php(base_eval64": press Ctrl + F and select the Find and Replace tab. Next, manually remove the whole injected block, which is encoded with ionCube and is generally located in every index.php file. Save the cleaned files and upload them to your FTP folder, replacing the infected ones. Once that is done, monitor the site for a few days to make sure the infection doesn't come back.
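As an added example (not part of this article), the following Python script automates the search in step 2 over the downloaded public_html copy: it lists every PHP file and line containing the article's pattern or the eval(base64_decode( form such injections commonly take (the latter is an assumption added here), and strips only whole injected lines so legitimate code is never truncated. All function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Patterns that mark an injected block. The first is the search string the
# article tells you to look for; the second is the eval(base64_decode( form
# such injections commonly take (added here as an assumption, not from the article).
INJECTION_PATTERNS = [
    re.compile(r"php\(base_eval64", re.IGNORECASE),
    re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE),
]

# One whole injected line: <?php eval(base64_decode("...")); ?> plus its newline.
# No DOTALL, so a match never spans lines and cannot swallow legitimate code.
INJECTED_LINE = re.compile(
    r"<\?php\s+eval\s*\(.*?base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]+['\"]\s*\)"
    r".*?\)\s*;?\s*\?>[ \t]*\r?\n?",
    re.IGNORECASE,
)

def find_injections(root):
    """Walk a downloaded public_html copy and return {relative path: [line
    numbers]} for every PHP file containing an injection pattern."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        lines = [n for n, line in enumerate(text.splitlines(), start=1)
                 if any(p.search(line) for p in INJECTION_PATTERNS)]
        if lines:
            hits[path.relative_to(root).as_posix()] = lines
    return hits

def strip_injected_blocks(text):
    """Remove every self-contained injected line and return (cleaned, count).
    Anything that does not match a whole block is left for manual review."""
    return INJECTED_LINE.subn("", text)

def build_sample_tree():
    """Create a constructed miniature public_html in a temp dir: one clean
    index.php and one theme index.php carrying an injected line (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="public_html_"))
    (root / "index.php").write_text("<?php\necho 'clean site';\n")
    theme = root / "wp-content" / "themes" / "sample"
    theme.mkdir(parents=True)
    payload = "Y29uc3RydWN0ZWQtc2FtcGxl"  # base64 of "constructed-sample"
    (theme / "index.php").write_text(
        f'<?php eval(base64_decode("{payload}")); ?>\n<?php\nget_header();\n')
    return root
```

Run find_injections on the folder you downloaded, review each reported line, and only then apply strip_injected_blocks to the files you have confirmed.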

If you have followed these steps properly, the virus should be removed. You can also contact us anytime to have us do it for you.
