This week while working on a compromised site, I found an interesting variation of the Blackhole injection. We work with many sites injected with Blackhole, like this one:
However, on this specific site, instead of the common injection we were expecting, there was an uncommon error:
It seems the attackers server reached its daily limited and was blocked. This is what was showing up on the compromised site:
Where it was injected
The code was injected in some of the usual places we find when dealing with Blackhole injection cleanup. In this case, they hit header.php files inside of WordPress themes:
Very simple, but it can break your website.
This article was also posted on Sucuri Blog.