The Hacker News Logo
Subscribe to Newsletter

Blackhole Exploit Kit attack on WampServer & Wordpress sites

Blackhole Exploit Kit attack on WampServer & Wordpress sites

Kimberly from Stopmalvertising found Blackhole Exploit Kit on Website of most popular Webserver software site WAMPSERVER. Almost at the bottom of the webpage they notice a Javascript requesting a file from jquery.googlecode.com. The URL is followed by a long string of parameters. The file  returns a 404, it’s just there to fool people.

Once the script decoded we obtain an iframe leading to vc-business.com/in.php .According to Analyse of Kimberly , If a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor will be redirected to 91.194.214.66/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 91.194.214.66 has been caught in distributing the ZeroAccess rootkit.

Second Recent Attack by Blackhole Exploit discovered in  thousands of WordPress websites that use a popular non-updated TimThumb image tool. Avast senior researcher Jan Sirmer found attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the site. But this is not the only way for example they use stolen passwords to direct FTP changes.In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js

The attack used the BlackHole exploit kit, which redirected the website's visitors to an external malware-hosting site. Researchers detected an additional 3,500 unique infected WordPress sites, which redirected visitors to malicious sites between Aug. 28 to 31. During September , the company blocked redirects from 2,515 WordPress sites, Sirmer said.

In bottom part of code, there is a request to http://91.169.216.20/url.php where only one line of code is stored: assa =’Domain with Black Hole exploit kit’. A fix is available for the TimThumb tool.
SHARE
Comments
Latest Stories
Top Deals

Always First — Subscribe

Over 500,000 Information Security professional read and trust our news platform. Join them and get all latest hacking news, free eBooks delivered to your inbox - free!