This week while working on a compromised site, I found an interesting variation of the Blackhole injection. We work with many sites injected with Blackhole, like this one:
However, on this specific site, instead of the common injection we were expecting, there was an unocommon error:
"You are blocked by day limit".
It seems the attackers server reached its daily limited and was blocked. This is what was showing up on the compromised site:
# 81a338#
echo " <script type="text/javascript” language=”javascript” > You are blocked by day limit</script>”;# /81a338#
Where it was injected
The code was injected in some of the usual places we find when dealing with Blackhole injection cleanup. In this case, they hit header.php files inside of WordPress themes:
./wp-content/themes/twentyeleven/header.php
./wp-content/themes/twentytwelve/header.php
./wp-content/themes/theme1/header.php
./wp-content/themes/theme2/header.php
./wp-content/themes/twentyten/header.php
..
We detect and cleanup Blackhole, including this variation. If you want to check your site, head over to SiteCheck and scan your site for free.
