Malware Infection – Blocked by Day Limit

This week while working on a compromised site, I found an interesting variation of the Blackhole injection. We work with many sites injected with Blackhole, like this one:

Blackhole Injection

However, on this specific site, instead of the common injection we were expecting, there was an unocommon error:

"You are blocked by day limit". 

It seems the attackers server reached its daily limited and was blocked. This is what was showing up on the compromised site:

# 81a338#
echo " <script type=\"text/javascript\” language=\”javascript\” > You are blocked by day limit</script>”;

# /81a338#

Where it was injected

The code was injected in some of the usual places we find when dealing with Blackhole injection cleanup. In this case, they hit header.php files inside of WordPress themes:

./wp-content/themes/twentyeleven/header.php
./wp-content/themes/twentytwelve/header.php
./wp-content/themes/theme1/header.php
./wp-content/themes/theme2/header.php
./wp-content/themes/twentyten/header.php
..

We detect and cleanup Blackhole, including this variation. If you want to check your site, head over to SiteCheck and scan your site for free.

Read more: Malware Infection – Blocked by Day Limit

Story added 27. June 2013, content source with full text you can find at link above.