Malware Infection – Blocked by Day Limit

This week while working on a compromised site, I found an interesting variation of the Blackhole injection. We work with many sites injected with Blackhole, like this one:

[Image: Blackhole injection]

However, on this specific site, instead of the common injection we were expecting, there was an uncommon error:

[Screenshot]

It seems the attacker's server reached its daily limit and was blocked. This is what was showing up on the compromised site:

[Screenshot]

Where it was injected

The code was injected in some of the usual places we see when cleaning up Blackhole injections. In this case, the attackers hit header.php files inside WordPress themes:

[Screenshot]

Very simple, but it can break your website.
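Since the injection landed in theme header.php files, one way to catch this kind of change is to hash every theme's header.php and compare against a known-good baseline. The following is an added example, not code from the original post; the function names, the theme names and the sample file contents are constructed for illustration, and the standard `wp-content/themes` layout is assumed.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot_headers(wp_root: Path) -> dict[str, str]:
    """Map each theme's header.php (path relative to wp_root) to its hash."""
    themes = wp_root / "wp-content" / "themes"
    return {
        p.relative_to(wp_root).as_posix(): sha256_of(p)
        for p in sorted(themes.glob("*/header.php"))
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report header.php files that changed, appeared, or vanished."""
    shared = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: two themes, one header.php altered after baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for theme in ("theme-a", "theme-b"):
            theme_dir = root / "wp-content" / "themes" / theme
            theme_dir.mkdir(parents=True)
            (theme_dir / "header.php").write_text("<?php wp_head(); ?>\n")
        baseline = snapshot_headers(root)
        # Simulate an unexpected edit (placeholder text, not real injected code).
        target = root / "wp-content" / "themes" / "theme-b" / "header.php"
        target.write_text(target.read_text() + "<!-- unexpected appended content -->\n")
        return compare(baseline, snapshot_headers(root))


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a clean install or a trusted backup, and store it somewhere the web server user cannot write to.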

This article was also posted on Sucuri Blog.