• Status: Solved
  • Priority: Medium
  • Security: Public

Our site is infected with Exploit Blackhole - What should we do?

See screenshot. This is coming from OUR website which is 100% legitimate and WordPress-based. What would be the first step to fixing this?

Screenshot of Exploit Blackhole
3 Solutions
Jason C. Levine (No one) Commented:
Hi fresh juice,

Get your hosting provider on the phone immediately.  They should have the tools and expertise to deal with this.  Unless you know server security backwards and forwards, you are out of your depth.

Generally this happens because the server has been compromised and not because of WordPress, assuming you are running a relatively recent version.
Your site IS infected!

It looks like the infection is at the Web Server level not in your own scripts.

Who is your ISP?  Where is your site hosted?  Do you host it yourself?  The server is infected.

Are there other sites on the same server?  Can you check if they are infected, too?
The issue is with one of your advertisers who has some of their stuff on IP
If you can determine which advertiser of yours has this IP, you should notify them and, until they fix their site, suspend them from the ad rotation.

One other thing, currently your site is down with a PHP error.
The notice can be seen in a cached copy of the site.
freshjuice (Author) Commented:

All WordPress sites appear to be broken.

I'm on hold with 1and1 abuse support right now. :-(
freshjuice (Author) Commented:
@arnold - we have no advertisers. Everything we promote is self-contained. We do have an ad-rotation plugin that we run, however...
freshjuice (Author) Commented:
Okay, so 1and1 told us that one of our web developers had a virus on the machine that allowed someone from the Czech Republic to steal our webmaster's pass and log in through the FTP front door to upload Perl scripts.
The ad-rotation: is it one of your own, or do you generate references to other people?
Currently, your site has a PHP error.
index.php line 1
referencing wp-includes/pluggable.php line 890

If you have access to the server, while it is not necessarily dispositive, you can search your files for modifications after a known last-modified date.

I.e. you have not made changes to the site since December 2010. But now you have files within the web root that were modified 10 days ago.
The other issue, as others and I pointed out, is to have the server scanned; 1and1 should be contacted to see whether the issue is within one of the systems that provides services for your domain.
freshjuice (Author) Commented:
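
The file-modification search suggested in the comment above, as an added example that is not part of the original thread. It assumes GNU find, and the cutoff date, function names and sample file names are constructed for illustration; the third function shows why a modification-time search alone is not conclusive.

```shell
#!/bin/sh
# Added example (not from the thread). The web root path and cutoff date are
# assumptions. Requires GNU find for -newermt / -newerct / -printf.

# Files whose content changed after the cutoff, newest first.
modified_since() {  # usage: modified_since <webroot> <YYYY-MM-DD>
    find "$1" -type f -newermt "$2" -printf '%TY-%Tm-%Td %TH:%TM\t%p\n' | sort -r
}

# Same window, narrowed to script types a web server may execute.
scripts_since() {
    find "$1" -type f -newermt "$2" \
        \( -name '*.pl' -o -name '*.cgi' -o -name '*.php' \) -print | sort
}

# mtime can be set to any value by whoever wrote the file, which is why the
# search above is not conclusive. ctime is maintained by the kernel, so a file
# with an old mtime but a recent ctime deserves a look (chmod, rename and
# restores from backup also update ctime, so expect benign hits).
backdated_since() {
    find "$1" -type f ! -newermt "$2" -newerct "$2" -print | sort
}

# Demo on a constructed tree: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/cgi-bin"
    echo '<?php' > "$root/wp-includes/pluggable.php"
    echo '#!/usr/bin/perl' > "$root/cgi-bin/stats.pl"
    # Constructed: set this file's mtime back before the cutoff.
    touch -d '2010-11-15 12:00' "$root/wp-includes/pluggable.php"
    echo "== modified after 2010-12-31 =="; modified_since "$root" 2010-12-31
    echo "== scripts in that window ==";    scripts_since "$root" 2010-12-31
    echo "== old mtime, recent ctime ==";   backdated_since "$root" 2010-12-31
    rm -rf "$root"
fi
```

Compare the output against a clean copy of the site (a backup or a fresh WordPress download of the same version) before deleting anything.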
Hi Arnold. Don't know if you missed my reply, it was a hacked password used for a front-door attack to our FTP.

I'll divvy some points for everyone's help.