Malware Exploit BlackHole infected Minified theme files

Hi,

I have a site built using the Minified theme. It's been hacked somehow. AVG tells me that the infection is in multiple places, all within the minifiedtheme/ directory.

I experimented by uninstalling the theme and deleting it, and all AVG warning messages went away on loading the home page. I reinstalled the theme through the add functionality page and all the warning messages came back.

Any idea what I should do next?

site is www.www.westernartassociation.org...

# concrete5 Version
5.4.2.2

# concrete5 Packages
Facebook Like Button (1.1), Galleria image gallery (2.0), Minified Theme (1.0), ProPhoto Browser (2.11), Simplicity Theme (1.0), Sortable Fancybox Gallery (1.14), tnSpacer (1.2).

# concrete5 Overrides
css/style.css, css/tabs.css

# Server Software
Microsoft-IIS/7.0

# Server API
cgi-fcgi

# PHP Version
5.2.6

# PHP Extensions
bcmath, calendar, cgi-fcgi, com_dotnet, ctype, curl, date, dom, filter, ftp, gd, gettext, hash, iconv, imap, json, libxml, mbstring, mssql, mysql, odbc, pcre, PDO, pdo_mysql, pdo_sqlite, Reflection, session, SimpleXML, sockets, SPL, SQLite, standard, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, zip, zlib.

# PHP Settings
log_errors_max_len - 1024
max_execution_time - 5
max_input_nesting_level - 64
max_input_time - 60
memory_limit - 128M
post_max_size - 8M
safe_mode - Off
safe_mode_exec_dir - no value
safe_mode_gid - Off
safe_mode_include_dir - no value
sql.safe_mode - Off
upload_max_filesize - 2M
mssql.max_links - Unlimited
mssql.max_persistent - Unlimited
mssql.max_procs - Unlimited
mssql.textlimit - Server default
mysql.max_links - Unlimited
mysql.max_persistent - Unlimited
odbc.max_links - Unlimited
odbc.max_persistent - Unlimited
pcre.backtrack_limit - 100000
pcre.recursion_limit - 100000
session.cache_limiter - nocache
session.gc_maxlifetime - 7200
safe_mode_allowed_env_vars - PHP_
safe_mode_protected_env_vars - LD_LIBRARY_PATH

JohntheFish replied:
I get AVG blocking four separate .js files from your site that (from their name) should be safe and then Chrome warning that your site references known malware. I suspect that something nasty has replaced these files with its own evil stuff.

You should contact the theme provider through the support pages and ask their help.

Either (1) the theme contains the malware (less likely), or (2) the malware has been sneaked into your server and the theme script files since you installed it (more likely).

In case (1), the theme provider really needs to know this.

In case (2), it's nothing to do with the theme; your site/server/host/you has a security problem and the theme is merely a victim of it.

Swapping to a default theme, uninstalling the theme (with remove all files), reinstalling the theme and swapping back to it may provide some respite, but if the case is (2), you would only be curing the immediate symptoms, not the actual problem.

As with any security issue, the most important thing is to find the security breach and close it. Only once it is closed does it become worthwhile repairing the damage, such as the infected theme .js files.

In the meantime, make and download backups of your database and files folder. In the worst case, you may have to scrub the site and restore it from these backups.

PS. Taking your site offline (Maintenance Mode) may be a responsible thing to do until you have more info.
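One practical way to act on the advice above, namely to find out which theme files were actually tampered with rather than relying on the antivirus popup, is to compare the deployed theme directory against a known-clean copy of the same theme package (for example the zip you originally installed from) file by file. The script below is an added example written for this thread; it is not code from the forum post, from the Minified theme or from concrete5. It builds two small constructed directory trees in a temporary folder purely to demonstrate the comparison; on a real site you would point `compare_trees()` at the clean package and at `packages/minifiedtheme/` (or wherever your copy lives) instead of calling `build_demo()`.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(clean: Path, deployed: Path) -> dict[str, list[str]]:
    """Report files that differ between a clean theme package and the deployed copy.

    'modified' = same path, different content (e.g. a .js file with injected code)
    'added'    = present on the server but not in the clean package (dropped files)
    'missing'  = in the clean package but gone from the server
    """
    clean_hashes = hash_tree(clean)
    live_hashes = hash_tree(deployed)
    shared = clean_hashes.keys() & live_hashes.keys()
    return {
        "modified": sorted(p for p in shared if clean_hashes[p] != live_hashes[p]),
        "added": sorted(live_hashes.keys() - clean_hashes.keys()),
        "missing": sorted(clean_hashes.keys() - live_hashes.keys()),
    }


def build_demo() -> tuple[Path, Path]:
    """Create two constructed sample trees: a clean theme and a tampered deployment.

    The file names and contents are made up for this example only.
    """
    base = Path(tempfile.mkdtemp(prefix="themecheck_"))
    clean = base / "minified_clean"
    deployed = base / "minified_deployed"
    sample_files = {
        "view.php": "<?php /* constructed sample */ echo 'theme view'; ?>\n",
        "js/menu.js": "function menu() { /* constructed sample */ }\n",
        "js/gallery.js": "function gallery() { /* constructed sample */ }\n",
    }
    for rel, body in sample_files.items():
        for root in (clean, deployed):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")

    # Simulate what the thread describes: one legitimate .js file altered in place,
    # plus an extra file that was never part of the theme package.
    (deployed / "js/menu.js").write_text(
        sample_files["js/menu.js"] + "/* INJECTED_PLACEHOLDER (constructed) */\n",
        encoding="utf-8",
    )
    (deployed / "js/extra.js").write_text("/* not in clean package (constructed) */\n", encoding="utf-8")
    return clean, deployed


if __name__ == "__main__":
    clean_dir, deployed_dir = build_demo()
    report = compare_trees(clean_dir, deployed_dir)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Files listed under `modified` and `added` are the ones to inspect (and to preserve as evidence before replacing them); a clean package with no differences does not prove the server is clean, since the breach may sit outside the theme directory, which is exactly the point JohntheFish makes about fixing the cause before the symptoms.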