WordPress.org

Blackhole Toolkit Website 12 HELP (11 posts)

  1. Ava83
    Member
    Posted 3 years ago #

    Norton goes crazy when I try to view my site. It pops up with a box that says Blackhole Toolkit Website 12 was blocked, and the blog won't even show up. I've tried different malware removal tools but nothing has worked. I contacted my host/server and it is not on their end. All files are clean and permissions are set properly. Can you help me with this? All my updates are current as well. I've got a Pro Photo theme.

    I've been dealing with this for over a year. It will go away and then come back, and it's been back now for 5 months.

  2. equa727
    Member
    Posted 3 years ago #

    This thing is migrating to all my WordPress sites: Web Attack: Blackhole Toolkit Website 12

    I have yet to see any website give a user friendly solution to this problem.

  3. Esinem
    Member
    Posted 3 years ago #

    It seems to be putting obfuscated scripts into index.php etc. See:

    http://gladiator-antivirus.com/forum/index.php?showtopic=122472&st=0#entry282470

  4. equa727
    Member
    Posted 3 years ago #

    This only applies to WordPress-hosted sites.

    After studying all the code this morning, I came up with an easy fix that will make it easy on everyone to get rid of this malicious code.

    1. Download an updated version of WordPress and unzip it to your desktop. (Do not modify this in any way; these are your baseline original files.)

    2. Log in to the FTP directory of the infected site.

    3. Make a folder on your desktop called old site and copy your old site to that directory. (Make sure your antivirus is up to date; it will pick up on the code when you download it. We will not be using these files except to grab the graphics.)

    4. Copy your config.php file to your desktop only.

    5. Take the new WordPress download and overwrite the entire directory of the infected site.

    6. When this download is complete, copy your wp-config.php back to its original location.

    7. Log in to your wp-admin console and push all updates.

    8. Use your old site copy for graphics only!

    This is a good way to re-install without losing content and without having to ditch your SQL database.

    Tip: once you have completed this process, you can copy your fixed directory and zip it up somewhere, so if you get hit again you can just dump the directory over itself and it will only be a one-step process after that.

    Hope this helps some people. This injection is a serious vulnerability for WordPress and needs to be patched by a future core update. Hopeful wishing :/

    Anyways, good luck. If you have any questions, feel free to email me: joshcharlton228@gmail.com

    Localized computer info:
    If you have an infected PC, you might want to update your antivirus to its latest def. Norton is working well, as well as AVG, to catch the issue.

  5. brucetyson1
    Member
    Posted 3 years ago #

    Folks, we need to hear from someone at WordPress to explain how to track down and remove Blackhole Exploit kits. I understand overwriting existing installations may help at least temporarily, but I think we need a less-drastic solution to the problem.

    Quite frankly, the lack of authoritative solutions to this problem is very disturbing.

  6. esmi
    Forum Moderator
    Posted 3 years ago #

  7. Esinem
    Member
    Posted 3 years ago #

    I found this very helpful: http://www.computerpartsgreenvillesc.com/blackhole-exploit-kit-faking-google-analytics

    My infection was offering Smart Protection 2012. It either got in via HTML hidden in a comment or stolen FTP, AFAIK.

  8. Esinem
    Member
    Posted 3 years ago #

    Got attacked again and my site redirected to mail.ru. The problem appears to be an infection in a timthumb.php file that puts obfuscated code into index.php. This article is really helpful: http://codegarage.com/blog/2011/08/how-to-clean-up-the-timthumb-security-vulnerability/

    So, the first step is to take out the obfuscated code from any files like index.php (usually the last chunk of code in the file). Then look for thumb or timthumb.php files that changed around the time of the virus appearing or run this plugin: http://codegarage.com/blog/2011/09/wordpress-timthumb-vulnerability-scanner-plugin/
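
Added example, not part of Esinem's post or any other post in this thread: a Python sketch of the checks described in posts 4 and 8, comparing a downloaded copy of the site against a clean WordPress download and listing any timthumb.php/thumb.php files with their modification times. It assumes the clean download is the same WordPress version as the site; the names `audit`, `php_files` and the two directory arguments are this example's own.

```python
import hashlib, os, sys

THUMB_NAMES = {"timthumb.php", "thumb.php"}  # script names mentioned in the thread

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def php_files(root):
    """Map relative path -> absolute path for every .php file under root."""
    found = {}
    for base, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(base, name)
                found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found

def audit(site_dir, baseline_dir):
    """Compare a downloaded site copy against a clean WordPress baseline."""
    site, base = php_files(site_dir), php_files(baseline_dir)
    report = {"modified": [], "not_in_baseline": [], "thumb_scripts": []}
    for rel, full in sorted(site.items()):
        if os.path.basename(rel).lower() in THUMB_NAMES:
            # mtime helps match a file to the time the infection appeared
            report["thumb_scripts"].append((rel, int(os.path.getmtime(full))))
        if rel not in base:
            report["not_in_baseline"].append(rel)  # themes, plugins, or planted files
        elif sha256(full) != sha256(base[rel]):
            report["modified"].append(rel)         # core file differs from the release
    return report

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <site_copy_dir> <clean_wordpress_dir>")
    for key, items in audit(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

Entries under `not_in_baseline` include legitimate themes, plugins and wp-config.php, so that list is for manual review rather than deletion.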

  9. dremeda
    Sucuri Wizard
    Posted 3 years ago #

    Esinem, is there outdated software on your server? Yes TimThumb, but WordPress, plugins, themes, anything else? Get it all updated.

  10. Esinem
    Member
    Posted 3 years ago #

    @dremeda Thanks for input, no, everything is updated. Check my last post as it was how to solve the problem and how it gets in ;-)

  11. dremeda
    Sucuri Wizard
    Posted 3 years ago #

    Esinem, very nice!

Topic Closed

This topic has been closed to new replies.
