WordPress Blackhole Exploit

by lisag
5 replies
One of my client's sites was infected by this exploit. In addition to searching in timthumb and thumbs.php, look for an infected index.php in these folders:

/wp-content/themes
/wp-content/themes/(your theme name)
/wp-content/plugins
/wp-content

Remove everything that begins with "if (!isset($sRetry))" and ends with the final curly brace before the closing php statement. In all of the index files except for the one in themes, you should be left with:
Code:
<?php //silence is golden?>
In your theme header you should be left with only the usual theme stuff.
#blackhole #exploit #wordpress
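
The check described in the post above, as an added example that is not part of the original post: a Python script that classifies index.php in the four listed folders as the stub, as containing the marker, or as other content. It goes slightly beyond the post by matching any variable name, since a reply further down notes the name varies; `example-theme`, the function names and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker quoted in the post, loosened to accept any variable name: a reply
# in the thread notes that $sRetry is not always the name used.
MARKER = re.compile(r"if\s*\(\s*!\s*isset\s*\(\s*\$(\w+)\s*\)\s*\)")

def is_stub(text):
    """True when the file holds only PHP tags and comments, like the stub in the post."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # block comments
    text = re.sub(r"(//|#)[^\n]*?(?=\?>|\n|\Z)", "", text)   # line comments stop at newline or ?>
    text = re.sub(r"<\?php|\?>", "", text, flags=re.I)       # open/close tags
    return text.strip() == ""

def classify(text):
    """'marker:$name' means review by hand; legitimate code can use the same idiom."""
    hit = MARKER.search(text)
    if hit:
        return "marker:$" + hit.group(1)
    return "stub" if is_stub(text) else "other"

def scan(wp_root, theme):
    """Classify index.php in the four folders the post lists."""
    content = Path(wp_root) / "wp-content"
    report = {}
    for folder in (content, content / "plugins", content / "themes", content / "themes" / theme):
        path = folder / "index.php"
        status = classify(path.read_text(errors="replace")) if path.is_file() else "missing"
        report[path.relative_to(wp_root).as_posix()] = status
    return report

def demo():
    """Build a throwaway tree from constructed sample files and scan it."""
    samples = {  # constructed contents, not taken from a real infection
        "wp-content/index.php": "<?php //silence is golden?>",
        "wp-content/plugins/index.php": "<?php if (!isset($sRetry)) { /* placeholder */ } ?>",
        "wp-content/themes/index.php": "<?php\nif ( ! isset( $xq9 ) ) { /* placeholder */ }\n",
        "wp-content/themes/example-theme/index.php": "<?php get_header(); ?>\n<?php get_footer(); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body)
        return scan(root, "example-theme")

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:16} {path}")
```

To check a real install, call `scan()` with the WordPress root and the active theme's folder name. A result of "other" is normal for the theme's own index.php, which is a real template.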
  • nobita436
    What is the benefit of doing that?
    I am not sure about this. What is the purpose of this?
    Does it work in all versions of WP?
  • lisag
    The purpose is to remove the WordPress blackhole exploit. If your site hasn't been infected, you can ignore this message.

    -- Lisa G
  • lordspace
    Different hackers will use different variables so sRetry would be valid for some of the hacked sites.
  • tajimd
    Crackers are smart these days... Adding code in index.php and footer.php was cool in the old days.

    Nowadays I see most hackers adding their code in functions.php, especially the viruses that redirect the user when they come from search engine results.

    These types of hack are hard to find if you directly type the URL of the site in your browser.

    Go to Google search, search for your site and go from there. If your site stands still then you are clean, but if your site redirects to some other spammy page then you have a problem.

    Also, test this by going into Incognito Mode of Chrome or Private Browsing of FF or by simply logging out of your site.

    If you are logged in then this virus won't redirect, just to hide itself from the owner of the site.
  • locke815
    What is really a blackhole exploit?