3

An analyst came across this alert - BlackHole Toolkit v2 JAVA Payload Stage Code Execution from the Checkpoint IPS - coming from a server; the event is recorded as a blocked outgoing connection attempt, and to everyone's surprise it has been triggering twice an hour on average for months (I know).

It was logged once a long time ago when first seen but the server owner said they didn't find anything on it.

The odd part is that the connection is only and always an outgoing attempt to one IP, 89.187.145.139, which leads to a website called udger.com.

This site means nothing to anyone and has no malicious activity attributed to it.

Can anyone please give us insight as to what is going on and how to address it?

Jedi
lambie
  • That IP is shared by at least these other domains: `bengal-cat.cz`, `briardi.cz`, `coon.cz`, `cotons.cz`, `fluffyhearts.cz`, `fuzzyhearts.cz`, `prijimacitechnik.cz`, `udger.com`. The Blackhole server may have no domain at all. Investigate the callback more carefully; most importantly, have you started quarantining the threat? – Jedi Jul 29 '16 at 14:44
  • It only means the IPS found something that matches its pattern. It may not be related to the server, but to an IP used by the toolkit a long time ago. This means you need to throw a few antivirus products at the compromised server and hope they will find a file that matches the toolkit pattern. – mootmoot Jul 29 '16 at 15:26
  • If the server itself acts as a NAT/proxy, then it will take more effort to dig out the culprits from the activity log. – mootmoot Jul 29 '16 at 16:02

3 Answers

1

It means that someone using the Blackhole exploit kit - a kind of collection of tools which allows you to exploit vulnerabilities easily; it's an underground tool, distributed mostly by crime-related websites - is trying to exploit a vulnerability on your server.

But your IPS is detecting & preventing that.

What I'd do in your situation is first make sure all software (especially Java) is up to date, then try to download the exploit kit from this reputable website (at your own risk!) and try to attack your own website using that kit. Back up your website, set it up on another machine (localhost) with the IPS out, and try it.

That way you might discover what's wrong.

O'Niel
0

Well, first the analyst would pull up the packet sessions to determine whether it is a false positive or not. Does it look like callback traffic? Does it send additional information? The fact that the computer in question tries to communicate at precise times to a command and control center would lead me to believe it may be infected but the firewall is blocking the outgoing connection. Of course it could be any program, so I believe the easiest and quickest solution would be to re-image the machine.

No one
-1

I suppose it comes down to downloading/updating a data file for the analysis. The request is to data.udger.com. See https://udger.com/download/data

Jaroj
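The two answers above pull in different directions: one says to look at the sessions and the precise timing of the callbacks, the other suspects a scheduled data-file update. A cheap first step that serves both is to measure how regular the alert cadence actually is before anyone re-images anything. The script below is an added example, not code from the question or any answer. It parses a few constructed log lines in a hypothetical key=value format (the 10.1.2.3 source, the 203.0.113.9 noise destination and the field names are all assumptions), groups alerts by destination and signature, and reports the coefficient of variation of the inter-alert gap. A gap with almost no jitter points to a clock-driven job (cron, an updater, an agent check-in) that the server owner should be able to find in the process list or scheduler, whereas an irregular pattern is event-driven and worth a full session capture. The hostname list is copied from Jedi's comment, not from a live lookup, and the 0.1 threshold is a judgement call, not a standard.

```python
"""Triage helper for a recurring, blocked outbound IPS alert (added example).

Groups alerts by (destination, signature) and scores how regular their
cadence is. Near-constant gaps suggest a scheduled process; irregular gaps
suggest user- or event-driven activity that deserves a session capture.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. The format, the 10.1.2.3 source and the
# 203.0.113.9 "noise" destination are assumptions, not data from the page.
# The udger entries are spaced exactly 30 minutes apart to mimic the
# "twice an hour" pattern described in the question.
SAMPLE_LOG = """\
2016-07-29T08:00:00 action=block dir=out src=10.1.2.3 dst=89.187.145.139 dport=443 sig="BlackHole Toolkit v2 JAVA Payload Stage Code Execution"
2016-07-29T08:30:00 action=block dir=out src=10.1.2.3 dst=89.187.145.139 dport=443 sig="BlackHole Toolkit v2 JAVA Payload Stage Code Execution"
2016-07-29T09:00:00 action=block dir=out src=10.1.2.3 dst=89.187.145.139 dport=443 sig="BlackHole Toolkit v2 JAVA Payload Stage Code Execution"
2016-07-29T09:30:00 action=block dir=out src=10.1.2.3 dst=89.187.145.139 dport=443 sig="BlackHole Toolkit v2 JAVA Payload Stage Code Execution"
2016-07-29T10:00:00 action=block dir=out src=10.1.2.3 dst=89.187.145.139 dport=443 sig="BlackHole Toolkit v2 JAVA Payload Stage Code Execution"
2016-07-29T08:07:13 action=block dir=out src=10.1.2.3 dst=203.0.113.9 dport=8080 sig="Generic Suspicious Outbound"
2016-07-29T08:09:41 action=block dir=out src=10.1.2.3 dst=203.0.113.9 dport=8080 sig="Generic Suspicious Outbound"
2016-07-29T09:51:02 action=block dir=out src=10.1.2.3 dst=203.0.113.9 dport=8080 sig="Generic Suspicious Outbound"
"""

# Domains a commenter listed as sharing the destination IP (copied from the
# page's comment, not resolved live); used only to annotate the summary.
SHARED_HOSTS = {
    "89.187.145.139": ["bengal-cat.cz", "briardi.cz", "coon.cz", "cotons.cz",
                       "fluffyhearts.cz", "fuzzyhearts.cz",
                       "prijimacitechnik.cz", "udger.com"],
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) action=(?P<action>\w+) dir=(?P<dir>\w+) src=(?P<src>\S+) '
    r'dst=(?P<dst>\S+) dport=(?P<dport>\d+) sig="(?P<sig>[^"]*)"$'
)


def parse_alerts(text: str) -> list[dict]:
    """Parse key=value lines; lines that do not match are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        alerts.append(rec)
    return alerts


def interval_stats(times: list[datetime]) -> tuple[float, float]:
    """Return (mean gap in seconds, coefficient of variation) for the timestamps.

    CV = population stdev / mean of the gaps. Near 0 means a clock-driven
    schedule (cron, updater, agent check-in, or a beacon with no jitter);
    large values mean irregular activity. NaN when fewer than two gaps exist.
    """
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0, float("nan"))
    m = mean(gaps)
    return (m, pstdev(gaps) / m if m else float("nan"))


def classify(cv: float) -> str:
    """Turn the CV into a next-step hint for the analyst (0.1 is a judgement call)."""
    if cv != cv:  # NaN: too few samples to say anything
        return "insufficient samples"
    if cv < 0.1:
        return "regular schedule (look for a cron job, updater or agent on the host)"
    return "irregular (event- or user-driven; pull the full sessions)"


def summarize(text: str) -> dict[tuple[str, str], dict]:
    """Group alerts by (dst, sig) and report count, cadence and known hostnames."""
    groups = defaultdict(list)
    for a in parse_alerts(text):
        groups[(a["dst"], a["sig"])].append(a["ts"])
    out = {}
    for key, times in groups.items():
        m, cv = interval_stats(times)
        out[key] = {
            "count": len(times),
            "mean_gap_s": m,
            "cv": cv,
            "verdict": classify(cv),
            "hosts_on_ip": SHARED_HOSTS.get(key[0], []),
        }
    return out


if __name__ == "__main__":
    for (dst, sig), s in summarize(SAMPLE_LOG).items():
        hosts = ", ".join(s["hosts_on_ip"]) or "none known"
        print(f"{dst} {sig!r}: {s['count']} hits, mean gap {s['mean_gap_s']:.0f}s, "
              f"cv {s['cv']:.2f} -> {s['verdict']}; hosts on IP: {hosts}")
```

On the constructed input the udger destination comes out with a 1800 s mean gap and a CV of 0, which is the signature of a scheduled task rather than a person browsing, while the noise destination scores as irregular. Either way the verdict only says where to look next; confirming which process opens the socket (and whether it is an updater fetching https://udger.com/download/data as Jaroj suggests) still needs the host-side check.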