GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Webmaster Q & Fuckin' A (https://gfy.com/forumdisplay.php?f=27)
-   -   How to get rid of Blackhole Exploit Kit 2160 (https://gfy.com/showthread.php?t=1068749)

RachelBlackG 05-20-2012 12:34 PM
How to get rid of Blackhole Exploit Kit 2160
 
Im on shared hosting with several sites running on WP and they all got infected by this Blackhole Exploit Kit 2160 s**t. It adds long code into index.php and main.php. If I delete this bad line of code and save the file then it will be back in a minutes again. Dont you know how to remove it?

Babaganoosh 05-21-2012 05:20 AM
First, change your FTP password and don't access the site from FTP anymore. Use SSH if it's available.

Make sure permissions are nailed down.

Make sure you don't have a virus on your computer. Some viruses will take the password files from applications like filezilla and send them off to 3rd parties.

If it keeps happening, contact your host. Many times it's another customer on the same server who is infected and infects everyone else on the server who has their files world writable.

uniquemkt 05-21-2012 09:01 AM
Taking for granted you've already upgraded WP to the latest version, right? That should be your first step if not. Re-entry is happening either by the same exploit still existing, or an additional method having been created.

RachelBlackG 05-21-2012 12:12 PM
Thanks for answers. It infects not only WP sites, but all sites (it adds some code to the index.php and main.php files, I also found malicious code in 404.php's but im not sure wheter is belongs to Blackhole exploit), but it seems that this code is added by some other source (could be some script) because right after I delete this code and save file it is back after few minutes when I reopen it.

Anyway I did following. Re-installed all WP's, then upgraded all WP's and plugins. Reuploaded backups of other non-WP sites and changed FTP password. Since then everything seems fine. It took me whole day to solve it.

Btw. my host replied only with pre-made email what they send to people whos sites were hacked. Really helpful.

zerovic 05-22-2012 03:40 PM
also, make sure to check ALL .js files you are including, if there there are any URLs hidden in them...! I also had troubles before...

tmx007 05-25-2012 11:41 AM
Mind if I ask who your host is RachelBlackG?
Just out of curiosity, because I may want avoid them in the future.

I currently for with godaddy, which has it''s pros & cons...

RachelBlackG 05-27-2012 02:54 AM
My host is JustHost.com


All times are GMT -7. The time now is 12:50 AM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc123