My Site Got Hacked – Blackhole Exploit Kit Removal

May 25, 2012 · 1 comment

in WordPress

Update: 10.16.2012 My previous update infers “they got my blog again.” That’s not actually correct. I simply failed to realize the severity of the infection/injection of the malicious code. It caused me to have to “take my site down” for over three weeks so as to not possibly infect any of my visitors. I won’t mention here all of the places that the malicious files existed because I’m sure that it varies, BUT I will tell you that the trojan horse code that allowed the re-infection to occur was located in my lib.php file. WOW! What a royal pain in the ass this has been. Going on three days now and all appears to be well. We’ll see! Stay safe by keeping your WP install and plug-ins updated. Cheers.

Update 09.24.2012: They got my blog again, but I believe this happened a couple of weeks ago, per my stats. This time only my main index.php file appeared to have been injected. Not sure how this happened, but will follow-up with my hosting company and update here as I learn more.

My Site Got hacked! Some jackass(es) out there, hiding in the cover of darkness, decided it would be cool to hack my WordPress blog / website via the Blackhole Exploit Kit. I initially found out something was wrong when my RSS feed stopped displaying in my My Yahoo account. Upon trying to access my site I received a Threat Detected Warning – Blackhole Exploit Kit – from AVG Antivirus and could not access my site.

What is the Blackhole Exploit Kit?

AVG Threat Labs According to AVG – The Blackhole Exploit Kit Detection is a Webthreat that is spreading. It is currently ranked 13 in the world for online threats. Blackhole Exploit Kit Detection has been detected by AVG on victims’ machines in 192 countries during the last month. There are currently 2227 websites in 54 countries that host Blackhole Exploit Kit Detection.

Here is a list of the files and directories that were compromised. Hopefully, this helps to save you some valuable time in removing this threat.

1) index.php

I had several WordPress themes on my server and the index.php file for each theme had the hack script. I don’t want to paste the exact script, but suffice it to say that the code is very easily noticeable on line 1.

2) images directory

The two files were found in my images directory:

  • chiftc.php.hack
  • lzakrf.php.hack

Note: I do not know if these names are randomly generated per install, but like the other files the hack code is obvious.

Key Takeaways

  1. Make sure you backup your WordPress files.
  2. Keep your WordPress version up to date.
  3. Keep your plug-ins up to date.
  4. Make sure your blog is hosted with a solid web hosting provider. More on this item below.

From the Key Takeaways above, I believe the most important one is to make sure that you are hosting with a reputable web hosting provider. I normally don’t talk about the web hosting providers that I use (and there have been SEVERAL), but I really want to give a huge shout out to Inmotion Hosting, specifically their Technical Support Team. I’ve been using them for about two years and until yesterday have never had to speak with anybody on the Technical Support Team.

Edward, Chase and Jacob… YOU GUYS ROCK! You quickly and efficiently identified the compromised files and directories on the server and carefully explained how to successfully remove the hack code. Again, thank you and well done! You’ve got a loyal customer here.

If these guys are representative of the whole, and I believe they are, Inmotion Hosting has an awesome Technical Support Team that I know I can continue to rely upon whenever I need help.

Has your blog ever been hacked? Share your story!

{ 1 comment… read it below or add one }

1 Pauly D October 25, 2012 at 7:23 am

@Eric my blog was hacked a few weeks ago by what I think to be the same Blackhole. Thank you for sharing your experience, as it helped me locate some of the malicious files on my server.


Leave a Comment