WordPress.org

Ready to get started?Download WordPress

Forums

Website hacked? Java:Blackcole-A[Trj] (6 posts)

  1. akedv
    Member
    Posted 2 years ago #

    hi there,

    avast blocked some javascripts on my website with the alert: Java:Blackcole-A[Trj], what kind of a hack is this?

    js-files in the following directories were infected:

    wp-includes/js/
    wp-content/plugins/2-click-socialmedia-buttons/js/
    wp-content/plugins/lightbox-plus/js
    wp-content/themes/zeecompany/includes/js/

    i deleted everything (except wp-config.php) and copied updated plugins/themes/wordpress, also deactivated the 2 plugins just to be shure, but i still don't know the leak or if it is fixed.

    am i the only one with this problem, even google couldn't help me here...

    greets

  2. esmi
    Forum Moderator
    Posted 2 years ago #

  3. lab75
    Member
    Posted 2 years ago #

    Hi Ak71

    I have had the exact same problem today on 2 separate sites on separate servers.

    Did you follow the instuctions in the links above and did it solve the issue?

    Thanks

  4. akedv
    Member
    Posted 2 years ago #

    i deleted all the wp-files, just kept some clean directories in wp-content (images & stuff) and wp-config.php & .htaccess, copied all the files from a clean & updated (local) mirror of the site, deactivated the 2 previously infected plugins, changed some stuff in .htaccess, changed some of the keys in wp-config.php.

    did occure twice since yesterday, the last time about 5 mins after activating the 2click-social media plugin, but not anymore after deactivating these 2 "suspicious" plugins, all clean till now *fingerscrossed*

    which theme are you using, which plugins installed/infected?

  5. fbraswell
    Member
    Posted 2 years ago #

    We started having problems a few days ago, but I couldn't pin anything down other than a redirect virus of some kind.

    This thread suggested http://sitecheck.sucuri.net/scanner/ which quickly identified the code infecting about 6 JavaScript files. It was the Java:Blackcole-A[Trj].

    I opened each file and deleted the malicious code, which was tacked onto the end of each file. Once all the files had been updated, I cleared my browser cache (Mac Safari) and it looks like the site is back up again. Another scan by Sucuri confirmed the threat had been removed.

    Additionally, all administrators on our site have changed passwords.

  6. lab75
    Member
    Posted 2 years ago #

    Thanks fbraswell, your advice worked perfectly.

    I just used http://sitecheck.sucuri.net/scanner/ then uploaded fresh files of the JS files that were affected. Problem solved. Changed all passwords also.

Topic Closed

This topic has been closed to new replies.

About this Topic