Malware file in Blackhole for Bad Bots plugin

  • Godaddy sent me a notification of a malware file within the WordPress Blackhole For Bad Bots plugin. Love the plugin but that was a little strange. I removed the file so we’ll see if it affects the plugin performance.

    • This topic was modified 1 year, 10 months ago by ajnay.
Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Hi @ajnay,

    I take security very seriously. In order for this report to have any credibility, please let me know the following:

    1) What is the name/location of the “malware file”?

    2) And what specifically did Godaddy have to say about it?

    Thread Starter ajnay

    (@ajnay)

    Sure thing. I spoke directly to Godaddy and they walked me through how to remove the file.

    Here’s the entire message with my website xxxxxx’d out for obvious reasons:

    Your services for xxxxxxxxxxx.com are at risk of being suspended.

    Your xxxxxxxx.com domain name was found to contain viruses or content that violates our Universal Terms of Service. Due to the serious nature of this issue, you have 72 hours to take action. If any viruses or content that violates our Universal Terms of Service remains on your site after that time, it may become necessary to suspend our services.If you require assistance with this, please see the?following instructions.

    To get you started, we have provided an example of the content accessible at the following location:

    wp-content/themes/uncode/library/js/plugins.js

    To prevent future compromise, we recommend you:

    ?Reset all account passwords, e.g. FTP, applications, and databases

    ?Ensure your computers are free of viruses, trojans, key loggers, and other malware

    ?Keep up to date on all web applications, e.g. WordPress, Joomla, etc

    ?Keep up to date on all themes, plugins, and extensions

    If you have any questions or concerns, please contact customer support using the help link once you have logged into your account.

    ?

    Plugin Author Jeff Starr

    (@specialk)

    Thanks.

    Where does it mention Blackhole plugin? The only file/path I can find in the report is:

    wp-content/themes/uncode/library/js/plugins.js

    ..which has nothing to do with Blackhole for Bad Bots. It looks like that is related to a theme named “uncode”.

    Thread Starter ajnay

    (@ajnay)

    Sorry wrong notification. I had two come up. Here it is:

    Your xxxxxxxxxx.com domain name was found to contain viruses or content that violates our Universal Terms of Service.

    Due to the serious nature of this issue, you have 72 hours to take action. If any viruses or content that violates our Universal Terms of Service remains on your site after that time, it may become necessary to suspend our services.

    If you require assistance with this, please see the following instructions.

    To get you started, we have provided an example of the content accessible at the following location:

    wp-content/plugins/blackhole-bad-bots/inc/blackhole-template.php

    Plugin Author Jeff Starr

    (@specialk)

    Okay thanks.

    That file contains a simple HTML template and is secure out of the box.

    In this case, it sounds like your site was compromised with payloads added to various locations (e.g., the uncode theme, blackhole template, and probably elsewhere).

    Thread Starter ajnay

    (@ajnay)

    OK I’m not a tech person and my website IT left for another job so I’m just trying to keep my site in compliance. I don’t understand what you said but thanks for the input. The plugin is working great only issue was the message from Godaddy. Thanks again.

    Plugin Author Jeff Starr

    (@specialk)

    Understood. I will try to explain a bit further..

    The issue is that your site was hacked and needs to be repaired asap. Just deleting random files is not the solution, you need to find a professional to clean things up for real. That means the actual vulnerability needs to be fixed/resolved; otherwise the attacker will continue to have open access to everything in your site and add their payload to other locations. So even if you delete uncode files, blackhole files, etc., the attacker will simply add their payload to other locations. It’s like swatting flies. You’ve got to close the gap or they will continue adding their bad codes.

    I hope this helps, @ajnay. Let me know if I can provide any further information.

    • This reply was modified 1 year, 10 months ago by Yui.
    • This reply was modified 1 year, 10 months ago by Jeff Starr.

    Just thought I’d add this: it was recently revealed that GoDaddy had been breached (3 years ago), during the time frame that the hackers had access they did indeed manage to infect numerous GoDaddy customers and site visitors with malware, it’s likely that is where the malware came from that @ajnay found.

    https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/

    • This reply was modified 1 year, 9 months ago by TrishaM. Reason: correct grammar
    Plugin Author Jeff Starr

    (@specialk)

    @trisham I was just reading that article, thank you for posting it here.

    My pleasure, I hate to see a great plugin like yours get an undeserved bad rap!

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Malware file in Blackhole for Bad Bots plugin’ is closed to new replies.