Kimberly from Stopmalvertising found the Blackhole Exploit Kit on the Website of the very popular Webserver software site known as WampServer. WampServer is an package of web components bundled together for windows users, the name comes from the package of software (Windows, Apache, MySQL, PHP).
Once the script was decoded they found an iframe leading to vc-business.com/in.php. According to the analysis of this, if a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor will be redirected to 220.127.116.11/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 18.104.22.168 has been listed as distributing the ZeroAccess rootkit.
Another attack by Blackhole Exploit was discovered in thousands of WordPress websites that use a popular non-updated TimThumb image tool. Avast senior researcher Jan Sirmer found attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the sites. But this is not the only way the attack was successful. Another vector was to use stolen passwords to direct FTP changes. In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js