Recently, while viewing a WordPress site, I discovered that it had been hacked. The site was a WordPress blog running on a Linux server. The compromise was spotted rather quickly by the anti-virus software on the Windows 7 machines that were being used to view the site and log into the WordPress dashboard for administration. The malware warning that popped up was for the dreaded "Blackhole Exploit Kit".
The Blackhole Exploit Kit was developed by some of the most skilled computer criminals in the world, most likely in Russia or Eastern Europe. I will not pretend to know the entire inner workings of the malicious software package, but I will share what I found out from my personal experience.
It looked something like this:
#d93065# echo(gzinflate(base64_decode("3VXBbptAEP2V……….…1G5y+828z/8A"))); #/d93065#
This is only a snippet of the code (the base64 string has been shortened). The fix is to remove everything between the opening #d93065# tag and the closing #/d93065# tag, along with the tags themselves. Remember that this exploit kit is custom made for each criminal who purchases it from the "hacker mafia" that created it, so the exact tag and the encoded payload you find may differ.
We helped this website by removing the code from its header.php file, which took the threat out of the WordPress site, and users who visit the site are now safe. But it does beg the question of how the hackers got into header.php in the first place. Access to a WordPress account could do it, but SSH/FTP access to the Linux server hosting the site could also be the culprit. In either case, if this happens to you, change the passwords for all of these accounts immediately. Be on the lookout for this nasty piece of code in your HTML, PHP or ASP. It is not only a headache for you because it makes your website appear malicious, but it can also infect any users who visit your WordPress site!
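The detection and cleanup described above, as an added Python example that is not code from the original post. It builds a constructed header.php containing a harmless, constructed payload wrapped in the same #d93065# markers, reports every echo/eval(gzinflate(base64_decode(...))) idiom it finds, decodes the payload so you can see what it would have run without executing it, and strips the tagged block the way the post describes. The assumption that the six-hex-digit tag varies from copy to copy (the post only says the kit is custom made per buyer) is mine, so the regex matches any such tag and requires the closing tag to match; the file name scan_header.py is also just an example.

```python
import base64
import re
import sys
import zlib

# Marker-delimited block as seen in the post: "#d93065# ... #/d93065#".
# Assumption (not stated on the page): the six-hex-digit tag differs per copy
# of the kit, so it is matched generically and the closing tag must match.
MARKER_BLOCK = re.compile(r'#(?P<tag>[0-9a-f]{6})#(?P<body>.*?)#/(?P=tag)#', re.DOTALL)

# The obfuscation idiom itself, independent of any marker tag.
OBFUSCATED_CALL = re.compile(
    r'\b(?:echo|eval|print)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\('
    r'\s*["\']([A-Za-z0-9+/=]+)["\']'
)


def build_sample_header() -> str:
    """Constructed header.php for testing: a minimal WordPress header with one
    injected block. The payload is a harmless constructed PHP statement,
    raw-deflated and base64-encoded exactly as gzinflate(base64_decode()) expects."""
    payload_php = 'echo "constructed sample payload";'
    comp = zlib.compressobj(level=9, wbits=-15)  # wbits=-15: raw deflate, what PHP gzinflate() reads
    raw = comp.compress(payload_php.encode()) + comp.flush()
    b64 = base64.b64encode(raw).decode()
    injected = f'#d93065# echo(gzinflate(base64_decode("{b64}"))); #/d93065#'
    return (
        "<?php\n"
        f"{injected}\n"
        "?>\n"
        "<!DOCTYPE html>\n<html>\n<head>\n<?php wp_head(); ?>\n</head>\n"
    )


def decode_payload(b64: str) -> str:
    """Reveal what an encoded payload would run, without executing it."""
    return zlib.decompress(base64.b64decode(b64), wbits=-15).decode(errors="replace")


def find_injections(php_source: str) -> list:
    """Return (tag, base64_payload) for every suspicious block.
    Marker-wrapped blocks carry their tag; bare gzinflate/base64 idioms
    found outside any markers are returned with tag None."""
    hits, covered = [], []
    for m in MARKER_BLOCK.finditer(php_source):
        call = OBFUSCATED_CALL.search(m.group("body"))
        hits.append((m.group("tag"), call.group(1) if call else None))
        covered.append((m.start(), m.end()))
    for m in OBFUSCATED_CALL.finditer(php_source):
        if not any(s <= m.start() < e for s, e in covered):
            hits.append((None, m.group(1)))
    return hits


def strip_injections(php_source: str) -> str:
    """The cleanup from the post: cut every tagged block, tags included.
    Untagged hits are left for manual review, since a regex cannot safely
    decide where an arbitrary statement ends."""
    return MARKER_BLOCK.sub("", php_source)


if __name__ == "__main__":
    # Usage: python scan_header.py [path/to/header.php]; without a path the
    # constructed sample is scanned so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = build_sample_header()
    for tag, b64 in find_injections(source):
        print(f"suspicious block tag={tag!r}")
        if b64:
            print("  decodes to:", decode_payload(b64)[:200])
    if len(sys.argv) == 1:
        print("cleaned sample:\n" + strip_injections(source))
```

Only the tagged blocks are removed automatically; anything the generic signature flags outside a marker pair is printed for you to inspect by hand, because the cleaned file still has to be valid PHP and a regex cannot reliably find the end of an arbitrary statement. Decoding is done with zlib's raw-deflate mode, which is what PHP's gzinflate() consumes, so the decoded text is exactly the code the injected line would have executed.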