Many people are asking us about this “counter-wordpress.com” type of malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it in there.
So first, to make things clear, this is happening on sites that include the vulnerable timthumb.php script on them. You have to make sure that none of your themes or plugins are vulnerable. You can get more information here on how to verify it: TimThumb PHP Vulnerability – Just the Tip of the Iceberg. This is not a vulnerability on WordPress.
Understanding the problem
Since the vulnerability on TimThumb was released (0-day), we started to see many scans in our logs looking for that script. Once it is found, the attackers will do many things:
- Insert backdoors on your site (generally one coined FilesMan). This is how it looks like:
- Once the backdoor is in there, they will use that to compromise the site and insert malware. We are seeing many JavaScript files modified (l10n.js and jquery.js) with something like this:
var _0x4de4=["x64x20x35x28x29x7Bx62x20x30x3Dx32x2Ex63..
x28x22x33x22x29x3Bx32x2Ex39x2Ex36x28x30x29x3Bx30x2Ex37..
eval (function (_0x2f46x1,_0x2f46x2,..This code actually creates a hidden remote call to counter-wordpress.com, global-traff.com or newportalse.com to try to infect everyone visiting your site.
- As part of the attack, we are also seeing many .htaccess modifications to redirect search engine bots to some Russian sites. We posted some details here. These are some of the domains that your site gets redirected:
http://safenesscontent.ru/s4one/index.php
http://programmpower.ru/force/index.php
http://securitygeneration.ru/keys/index.php
http://safenesscontent.ru/s4one/index.php
http://allowcompany.ru/new/index.php
http://securityinternet.ru/upgrade/index.php
http://generation-internet.ru/pcollection/index.php
http://allowupdate.ru/source/index.php - The first attacks would also include a remote JavaScript to superpuperdomain.com and superpuperdomain2.com, but we are not seeing those often anymore.
<?php $auth_pass = “47a85″.”6c68”.”e623468d84123″.”e87881d1e3″;$color = “#df5″;$default_action = “File”.’sMa’.’n’;$default_use_ajax = true;$default_charset = ‘Windows-’.’1251′;…
How many sites are compromised?
Google just started to blacklist some of these sites, and counter-wordpress.com has caused more than 2k sites to be blacklisted so far:
Yes, this site has hosted malicious software over the past 90 days. It infected 2199 domain(s), including findto.us/, streamingmegavideo.tv/, phanmemblackberry.com/.
However, on our free scanner, the numbers are much higher. We’ve identified 16,010 sites with that malware just in the last few day, and these numbers are from people that went out of their way to use our scanner.
Getting clean
There are a few things you need to do to get your site clean (note, we recommend using Firefox with NoScript while working on a compromised site):
- Update or delete your timthumb.php script, update WordPress and all themes and plugins.
- Remove the malicious code from the JavaScript files. If you removed and are still seeing the warning, make sure to clear your browser cache.
- Clear your .htaccess files
- Search and remove those backdoors. Look for that FilesMan code, for base64 calls, and things like that.
- Scan your site to see if we still find anything wrong: Sucuri SiteCheck
If you need professional help, we can also do it for you (we guarantee our work for 1 year): Sucuri Signup
29 comments
At this point, I’ve been telling people to DELETE everything except uploads and go fresh install. Once the bloody thing is in your server, you have to kill it with fire.
right, http://www.oddarena.blogspot.com
my cousin runs his site thru wordpress. www.resboot.com everytime i access it from facebook, it redirects me to this russian “http://allowcompany.ru/new/index.php” site. With about an extra 30 secs of lag.
But when i goto type it in manually, it takes me directly there with zero lag.
correction – until now… now a manual entry of resboot.com redirects me to the russian site
Thanks for all you help. Now waiting on Google to take my site off of the blacklist.
i really want to thank you sucuri you are currently the only website taking care of this massive infection. It almost breaks my business. I want to add that TODAY i noticed the attacked again, now check your wp-config file, theres some extra lines there. It’s unexplainable how they infected me again after reinstalling all and changing passwords, i must have some code on my templates
What lines were added? The timestamps on my wp-config files looked suspect, but I couldn’t find anything suspicious in the actual file.
The scanner isn’t picking up counter-wordpress.com at all http://donotargue.com/note/we-are-under-attack/ I have been trying to figure out where it’s hiding for about one week now with no luck. Your scanner shows my site all green eg: No problems.
Anyone have any clue why I’m getting a redirect to one of these addresses – http://generation-internet.ru/pcollection/index.php – in my admin panel? It’s when I click on “themes” in my WordPress admin. No one else on another computer can reproduce the redirect. I’ve done every malware scan in the world, had one program find something and get rid of it, I thought I deleted all my caches, everything. Reinstalled WordPress and all files except content. Now my scans are running clean but I’m still getting it. No redirect on google or anything for the actual site itself either.
I just was a victim of this attack. They used a file in my custom theme folder call backwp.php, which I removed. I then had to reinstall WordPress though the update section in the WordPress Dashboard.
This attack has some some serious damage to my search engine results, taking down close to six months of work to move the site up and ranking for our companies keywords. Who knows how long it will take to restore our rankings. Best of luck to everyone else.
Anyone know how to determine if a server is doing the actual scanning? meaning, how to identify if a bot is installed onto an apache server that might be scanning/looking for vulnerable timethumb.php files elsewhere?
Nice Post Its very useful for me. keep posting.. 🙂
Learn PHP
Ehh… today I must fight with this too… keep your thumbs for this!
Brilliant. Careless programming has given the script kiddies yet another vulnerability to exploit.
Had the same security issue at the beginning of December 2011. Very insightful!
I wrote a script that helps to remove that malicious js code – perhaps you find it useful: http://wordpresskeeper.com/knowledgebase/remove-mwjs2368-malware-from-your-wordpress/
face the same problem.. thanks for the information..
thank you so much!
http://eratown.vn
Comments are closed.