
It has come to our attention when scanning some of our hosted server websites that they have been infected with the Blackhole Exploit Kit (top dollar hacking program - http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/).

Can someone advise on possible scripts to implement on an Ubuntu 8.04 LTS 64-bit machine to scan and remove these infected files or at least just mention if they have had previous experience with this and what method was used to get rid of the virus?

deanvz

1 Answer


The way the question is being asked, and the question you are asking, imply that you are seriously out of your depth here - I'd strongly recommend you get some help with this.

Firstly, if you've got BEK installed, your system is insecure. This does not spread in the same way as a Microsoft virus. Indeed it's not a virus at all. You have other security issues to address.

when scanning some of our hosted server websites

So how is it that you can detect BEK already but not remove it? How did you arrive at the conclusion that you have a BEK infection?

What you should do with a compromised machine is frequently asked and answered - wipe it and restore from the last clean backup. Then identify how the site was compromised in the first place.

symcbean
  • Or better yet, take it offline, install a new one in its place and keep the old one so you can do forensics on it. – Ladadadada Jun 12 '12 at 14:23
  • @symcbean : out of my depth yes indeed. Does not mean that I am incapable of getting a resolve for my problem. I found the BEK after visiting the sites in question and having AVG give me a pop-up of blocked BEK components. Okay, virus was the only adequate word I had to describe the problem. What programs can I install to make the server more secure? – deanvz Jun 12 '12 at 14:42
  • I would ask the reverse: What programs can I *remove* to make the server more secure. The first step in server hardening is not to install stuff which you do not use. Other steps are keeping the installed programs up to date, configuring them correctly and subscribing to (and reading!) the relevant mailing lists. – Hennes Jun 12 '12 at 15:01
  • @Hennes Alright, understandable. Something to mention: this is an active server, which complicates just format/install. The sites infected are Drupal, WordPress, etc. So it seems due to over-permissions. Any way to get rid of the infected files? (not by hand) Thank you for the advice. I will start reading up more on this. – deanvz Jun 12 '12 at 15:24
  • @deanvz: No, it's not due to permissions - that's just a single part of the puzzle. Setting permissions correctly would have made it harder for someone attacking your system to modify existing code - but it did not prevent them from getting access to deploy files in the first place. – symcbean Jun 13 '12 at 09:24
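The answer's advice is to restore from the last clean copy and then work out how the site was compromised; the comments ask for a way to find the planted or altered files without going through them by hand. The script below is an added example, not code from this thread or from any of the people in it: it hashes every regular file under the live web root, compares the result against a known-clean copy (the last backup, or a fresh download of the same CMS release), and then flags which of the added or modified files contain a small list of PHP obfuscation markers so you know where to look first. The directory layout, the sample file contents and the marker list are all constructed assumptions for the demonstration.

```python
"""Integrity diff of a live web root against a known-clean copy (added example)."""
import hashlib
import os
import tempfile

# Constructed triage list: strings that frequently appear in injected PHP.
# It is an assumption for this example, not an exhaustive signature set; it only
# decides which changed files a responder should read first.
SUSPICIOUS_MARKERS = (b"eval(base64_decode(", b"eval(gzinflate(", b"str_rot13(")


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads do not get read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root):
    """Map each regular file's path (relative to root) to its SHA-256; symlinks are skipped."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # do not follow links planted inside the web root
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def diff_trees(clean_root, live_root):
    """Return (added, modified, removed) relative paths of the live tree versus the clean one."""
    clean = tree_digests(clean_root)
    live = tree_digests(live_root)
    added = sorted(p for p in live if p not in clean)
    removed = sorted(p for p in clean if p not in live)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified, removed


def flag_suspicious(root, paths):
    """Return the subset of paths (relative to root) whose content holds a marker string."""
    hits = []
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        if any(marker in data for marker in SUSPICIOUS_MARKERS):
            hits.append(rel)
    return hits


def build_demo():
    """Constructed sample: a tiny 'clean backup' and a 'live' copy with two changes."""
    clean = tempfile.mkdtemp(prefix="clean_")
    live = tempfile.mkdtemp(prefix="live_")
    files = {
        "index.php": b"<?php echo 'hello'; ?>\n",
        "wp-content/themes/x/footer.php": b"<?php wp_footer(); ?>\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
    # Only the live copy gets an extra obfuscated file and an altered theme footer
    # (constructed content; the base64 string decodes to the harmless "echo 1;").
    extra = os.path.join(live, "wp-content/uploads/cache.php")
    os.makedirs(os.path.dirname(extra), exist_ok=True)
    with open(extra, "wb") as fh:
        fh.write(b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    with open(os.path.join(live, "wp-content/themes/x/footer.php"), "ab") as fh:
        fh.write(b"<script>/* constructed appended change */</script>\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    added, modified, removed = diff_trees(clean_dir, live_dir)
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
    print("read these first:", flag_suspicious(live_dir, added + modified))
```

Run it against `/var/www/<site>` and the unpacked backup instead of the demo directories. Anything in the added list that is not an upload you recognise, and anything in the modified list under theme, plugin or core directories, is what the answer means by "identify how the site was compromised"; keep the original copies for forensics before replacing them from the clean tree, as the first comment suggests.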