Malware Infection – Blocked by Day Limit

  • June 27, 2013

This week while working on a compromised site, I found an interesting variation of the Blackhole injection. We work with many sites injected with Blackhole, like this one:

Blackhole Injection

However, on this specific site, instead of the common injection we were expecting, there was an unocommon error:

"You are blocked by day limit".

It seems the attackers server reached its daily limited and was blocked. This is what was showing up on the compromised site:

# 81a338#
echo " <script type="text/javascript” language=”javascript” > You are blocked by day limit</script>”;

# /81a338#

Where it was injected

The code was injected in some of the usual places we find when dealing with Blackhole injection cleanup. In this case, they hit header.php files inside of WordPress themes:

./wp-content/themes/twentyeleven/header.php
./wp-content/themes/twentytwelve/header.php
./wp-content/themes/theme1/header.php
./wp-content/themes/theme2/header.php
./wp-content/themes/twentyten/header.php
..

We detect and cleanup Blackhole, including this variation. If you want to check your site, head over to SiteCheck and scan your site for free.

Estevao Avillez is Sucuri’s Senior Director of Security Research, who joined the company in 2013. Estevao’s main responsibilities include leading the Research Group, which includes the Malware, Vulnerability and WAF/Sucuri Infrastructure. His professional experience covers 15 years with planning, project and operations management. Estevao has also worked in various areas such as logistics and supply chain, media and communication, telecommunications, and trading relationships with customers. He’s worked as a consultant in financial, strategic and operational management. When Estevao isn’t keeping our customers safe, you might find him taking care of his kids and running. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like