This few days I saw my website requesting me to run Java or download a PDF file.

Let's cut short the story...
After some investigation I notice that the site is infected with "RedKit exploit kit / BlackHole Exploit Kit"

So what I did is get all the domain that hosted under "sphinx" / 110.4.40.109 server and did some scan and even others site that hosted under exabytes was infected. (see below for some list of infected site)


So is the hackers upload the exploit to my files or ?


It will inject something like this :



and it will appear randomly inside any .js files and even .php and even .html files (I can't even find it in the source code ) also I checked my .js file is CHMOD to 644 not 777. I assume it inject the malware code on the fly and then sent to user.

Did a scan on http://sitecheck.sucuri.net/scanner/ too, a warning will come out.

and this BlackHole Exploit is clever it will not show to some user, but you can use some of the site like http://www.webpagetest.org or http://jsunpack.jeek.org/joomla/ to check using different location and browser.


The Source Code Of The Target (malware) Site
http://pastebin.com/sCBNJih5 (Found on my site)
http://pastebin.com/nPU1WCDV (Unknow User Posted This)

Read:
http://www.avgthreatlabs.com/webthreats/in...le-exploit-kit/
http://www.symantec.com/connect/blogs/blackhole-theory
http://www.symantec.com/connect/blogs/blac...-random-domains
http://stopmalvertising.com/malware-report...ploit-kits.html
Google "Blackhole exploit kit"


NOTE: I DID NOT SAY Exabytes got hacked or what. I just cant figure out why some others site that hosted under the same IP got infected as well :

What they tell me is that :



Here's the list of website under the same IP : (Please look at the IP or .tk domain for the malware)
jefferson.com.my
http://jsunpack.jeek.org/?report=edffe0129...5a83da4680332b1
thundermatch.com.my
http://www.webpagetest.org/result/120719_RX_D4H/1/details/
chinwell.com.my
http://www.webpagetest.org/result/120719_T2_3JP/1/details/
mom2ashley.com
http://www.webpagetest.org/result/120718_0G_JAH/1/details/
freshm2m.com
http://www.webpagetest.org/result/120718_Q6_JDQ/1/details/
smkttdi.edu.my
http://www.webpagetest.org/result/120718_DE_K17/1/details/
islamic-world.net
http://jsunpack.jeek.org/joomla/?report=fb...23bdc939ebe080d
bent.com.my
http://www.webpagetest.org/result/120719_4K_D3G/1/details/
aiodot.com
http://www.webpagetest.org/result/120719_NM_D37/1/details/
celles.com
http://www.webpagetest.org/result/120719_5F_D6W/1/details/
malaysiasme.com.my
http://jsunpack.jeek.org/?report=475d5e036...f2e07c6e04462fc
http://www.webpagetest.org/result/120719_JJ_DZG/1/details/

http://www.webpagetest.org/result/120718_TJ_HRQ/1/details/
http://jsunpack.jeek.org/joomla/?report=78...78ae87ec5017dd9
http://wepawet.iseclab.org/view.php?hash=a...2701239&type=js

and there's more!



Exabytes is really slow in replying my tickets


This post has been edited by xDragonZ: Jul 19 2012, 08:49 PM

Hmmm... Thank you for sharing this. I hope it's not widespread. I have sites on their server.

Let us know what they say when you got the reply.

This post has been edited by iWill: Jul 19 2012, 11:23 AM

owh my. very shocking news..

i though only budget web hosting always get hacked. = (

thanks for sharing the info.

Update:

I asked my host to remove all my public_html files and I upload a simple index.php and the webpage is still infected. (and I checked the source code on the server is 100% untouched and its clean) but it is reported it contain another iframe. (I also try load the page on another computer, it contain hidden iframe that you need to use the tools like "Inspect Element" in Google Chrome to find that.)

http://www.webpagetest.org/result/120719_YY_CEZ/1/details/

This post has been edited by xDragonZ: Jul 19 2012, 08:50 PM

hacking can be go through joomla/wordpress exploit or weak FTP/Cpanel password.