threat detected, black hole exploit.


Tonysmallz


I think virus scanners are a tad bit too cautious. Found this posted by a web developer:

"I've just been checking a number of websites which I have created for my clients including www. brownemasonpr. co. uk, www .purpleserve. co. uk, www. purpleinsure. co. uk and www. i4-beauty. co. uk.....for all of them I get this "Blackhole Exploit" warning. Having done some digging around and comparing each of the websites I created it would seem the warning is being displayed for anything which has a reference to a .js file"

Forum runner has a reference to a .js file...


Malicious code?

Think it may still be malicious code as this article suggests: http://stopmalvertising.com/malware-reports/runforestrun-pseudo-random-domains-and-random-exploit-kits.html

At the end of the article it is recommending:

Plesk Panel

If you are affected by this hack, immediately change passwords of ALL Plesk accounts. This means: Plesk-admin-user, all reseller-accounts, all domain-administrators, FTP users of subdomains and web users of domains. If not done yet, update your Plesk installation.

[FIX] Remote vulnerability in Plesk Panel
Server Vulnerability Check
Update to Parallels Plesk Panel 11


Bingo! Checked the .js script. It has the malicious code at the bottom. Caipi time!

Sent from my iPad using Forum Runner

Mine is still showing this same intrusion alert from the Blackhole toolkit---just BUMPING this to make sure the Mods see it

  • Administrators

Hm... very strange. Did not get an alert either at work or at home. But I'll check it this evening when I return home from work.


Hopefully the article I linked to was useful. This threat seems to be infecting a number of websites as of late.

Earlier on I got diverted to here trying to access the site:

Web Server's Default Page

This page is generated by Parallels Plesk Panel, the leading hosting automation software. You see this page because there is no Web site at this address.

You can do the following:
Create domains and set up Web hosting using Parallels Plesk Panel.

For more information please contact Administrator.

Then I got sent here:

Warning - visiting this web site may harm your computer!

Suggestions:
Return to the previous page and pick another result.
Try another search to find what you're looking for.

Or you can continue to http://www.miamiviceonline.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Advisory provided by Google

And then I got:

Advisory provided by Safe Browsing

Diagnostic page for miamiviceonline.com

What is the current listing status for miamiviceonline.com?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 118 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-07-08, and the last time suspicious content was found on this site was on 2012-07-08.
Malicious software is hosted on 2 domain(s), including lohnrnnpvvtxedfl.ru/, ntvrnrdpyoadopbo.ru/.
This site was hosted on 3 network(s) including AS8972 (PLUSSERVER), AS15169 (Google Internet Backbone), AS4436 (AS).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, miamiviceonline.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Updated 3 hours ago


  • Administrators

5 1/2 hours of hard work yesterday evening... :evil::evil: Hope, I could fix the problem.


Wow, 5.5 hours is a lot of work. What did you have to do to solve the problem, Caipi? No alerts as of today thus far.

  • Administrators
Change all passwords for our server, FTP..., upload all vBulletin files again, check files for malware, delete old files, update server software...
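The clean-up steps listed above (re-upload the forum files, check files for malware, delete old files) can be backed by a file comparison. As an added example, not part of the thread and not the administrator's actual procedure, this Python script compares a deployed web root against a freshly unpacked clean copy of the same release and separates files with extra code appended at the bottom (the pattern reported earlier in the thread) from otherwise modified and unexpected files. The function names, directory layout and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_tree(deployed_root, clean_root, suffixes=(".js", ".php")):
    """Compare deployed script files against a known-clean copy of the same release."""
    deployed_root, clean_root = Path(deployed_root), Path(clean_root)
    report = {"appended": [], "modified": [], "unknown": []}
    for path in sorted(deployed_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        rel = path.relative_to(deployed_root).as_posix()
        clean = clean_root / rel
        if not clean.is_file():
            report["unknown"].append(rel)       # not in the clean release: review or delete
        elif sha256(path) != sha256(clean):
            original = clean.read_bytes().rstrip()
            if original and path.read_bytes().startswith(original):
                report["appended"].append(rel)  # clean content plus extra trailing code
            else:
                report["modified"].append(rel)  # changed somewhere other than the end
    return report


def demo():
    """Build two small constructed trees (clean release vs. live site) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "js" / "menu.js").write_text("function menu(){}\n")
            (root / "js" / "global.js").write_text("function init(){}\n")
            (root / "index.php").write_text("<?php echo 'ok';\n")
        # Constructed tampering: a harmless comment stands in for appended code.
        with open(live / "js" / "global.js", "a") as fh:
            fh.write("/* constructed placeholder for appended code */\n")
        (live / "index.php").write_text("<?php echo 'changed';\n")
        (live / "old_backup.php").write_text("<?php // leftover\n")
        return audit_tree(live, clean)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files reported as "appended" or "modified" are the ones to replace from the clean copy; "unknown" files are candidates for the "delete old files" step after review.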

I recall the article I read did seem to suggest that the server passwords likely were compromised as it suggested all of them be reset. The scammers are getting more inventive these days. Thanks for all your efforts. :thumbsup:

Thanks for sorting out the problem, great people looking after this site, sounded like a lot of work and I appreciate it :thumbsup:

