Blackhole Toolkit Website 12 HELP
This thing is migrating to all my WordPress sites. Web Attack: Blackhole Toolkit Website 12
I have yet to see any website give a user-friendly solution to this problem.
It seems to be putting obfuscated scripts into index.php etc. See:
This only applies to WordPress-hosted sites.
After studying all the code this morning, I came up with an easy fix that will make it easy for everyone to get rid of this malicious code.
1. Download an updated version of WordPress and unzip it to your desktop. (Do not modify this in any way; these are your baseline original files.)
2. Log in to the FTP directory of the infected site.
3. Make a folder on your desktop called old site and copy your old site to that directory. (Make sure your antivirus is up to date; it will pick up on the code when you download it. We will not be using these files except to grab the graphics only.)
4. Copy your config.php file to your desktop only.
5. Take the new WordPress download and overwrite the entire directory of the infected site.
6. When this download is complete, copy your wp-config.php back to its original location.
7. Log in to your wp-admin console and push all updates.
8. Use your old site copy for graphics only!
This is a good way to re-install without losing content and without having to ditch your SQL database.
Tip: once you have completed this process, you can copy your fixed directory and zip it up somewhere, so if you get hit again you can just dump the directory over itself and it will only be a one-step process after that.
Hope this helps some people. This injection is a serious vulnerability for WordPress and needs to be patched by a future core update. Hopeful wishing :/
Anyway, good luck. If you have any questions, feel free to email me at firstname.lastname@example.org
localized computer info//
If you have an infected PC, you might want to update your antivirus to its latest def. Norton is working well, as well as AVG, to catch the issue.
Folks, we need to hear from someone at WordPress to explain how to track down and remove Blackhole Exploit kits. I understand overwriting existing installations may help at least temporarily, but I think we need a less-drastic solution to the problem.
Quite frankly, the lack of authoritative solutions to this problem is very disturbing.
I found this very helpful: http://www.computerpartsgreenvillesc.com/blackhole-exploit-kit-faking-google-analytics
My infection was offering Smart Protection 2012. It either got in via HTML hidden in a comment or stolen FTP, AFAIK.
Got attacked again and my site redirected to mail.ru. The problem appears to be an infection in a timthumb.php file that puts obfuscated code into index.php. This article is really helpful: http://codegarage.com/blog/2011/08/how-to-clean-up-the-timthumb-security-vulnerability/
So, the first step is to take out the obfuscated code from any files like index.php (usually the last chunk of code in the file). Then look for thumb or timthumb.php files that changed around the time of the virus appearing or run this plugin: http://codegarage.com/blog/2011/09/wordpress-timthumb-vulnerability-scanner-plugin/
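A read-only check along the lines of the steps in this thread, added here as an example and not part of any post or of WordPress itself: it compares the live tree with a pristine download of the same WordPress version and lists timthumb-style scripts changed since a chosen time. The function names, the `since_epoch` parameter and the demo tree are assumptions constructed for illustration.

```python
import os, tempfile
from pathlib import Path

THUMB_NAMES = {"timthumb.php", "thumb.php"}  # script names mentioned in the thread

def audit(site_root, baseline_root, since_epoch):
    """Compare a live WordPress tree with a pristine download of the SAME version.
    Returns PHP files that differ from the baseline (modified), PHP files outside
    wp-content that the baseline lacks (unknown_php), and timthumb-style scripts
    modified at or after since_epoch (recent_thumbs)."""
    site, base = Path(site_root), Path(baseline_root)
    report = {"modified": [], "unknown_php": [], "recent_thumbs": []}
    for f in sorted(site.rglob("*.php")):
        rel = f.relative_to(site)
        if f.name.lower() in THUMB_NAMES and f.stat().st_mtime >= since_epoch:
            report["recent_thumbs"].append(rel.as_posix())
        ref = base / rel
        if ref.is_file():
            if f.read_bytes() != ref.read_bytes():
                report["modified"].append(rel.as_posix())
        # wp-config.php is site-specific; third-party themes and plugins under
        # wp-content need their own vendor copies as a baseline, so skip both here.
        elif rel.parts[0] != "wp-content" and rel.as_posix() != "wp-config.php":
            report["unknown_php"].append(rel.as_posix())
    return report

def demo():
    """Build two small constructed trees (clean baseline, live site) and audit them."""
    tmp = Path(tempfile.mkdtemp())
    files = {"index.php": "<?php require 'wp-blog-header.php';\n",
             "wp-includes/load.php": "<?php // core\n"}
    for root in ("clean", "live"):
        for name, body in files.items():
            p = tmp / root / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    live = tmp / "live"
    # Constructed stand-in for a chunk appended to index.php; not real malware.
    (live / "index.php").write_text(files["index.php"] + "<?php /* appended chunk */\n")
    (live / "wp-config.php").write_text("<?php // site settings\n")
    (live / "wp-includes/stats.php").write_text("<?php // not in baseline\n")
    thumb = live / "wp-content/themes/x/timthumb.php"
    thumb.parent.mkdir(parents=True)
    thumb.write_text("<?php // thumbnail script\n")
    os.utime(thumb, (2000, 2000))  # constructed modification time
    return audit(live, tmp / "clean", since_epoch=1000)

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against a downloaded copy of the site rather than the live server, and treat every path it returns as a file to open and read, not as a verdict.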
Esinem, is there outdated software on your server? Yes, TimThumb, but WordPress, plugins, themes, anything else? Get it all updated.
@dremeda Thanks for input, no, everything is updated. Check my last post as it was how to solve the problem and how it gets in 😉