Mass Infection of WordPress Sites Due to TimThumb ( counter-wordpress dot com )

Many people are asking us about this “counter-wordpress.com” type of malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it in there.

So first, to make things clear, this is happening on sites that include the vulnerable timthumb.php script on them. You have to make sure that none of your themes or plugins are vulnerable. You can get more information here on how to verify it: TimThumb PHP Vulnerability – Just the Tip of the Iceberg. This is not a vulnerability on WordPress.

Understanding the problem

Since the vulnerability on TimThumb was released (0-day), we started to see many scans in our logs looking for that script. Once it is found, the attackers will do many things:

  1. Insert backdoors on your site (generally one coined FilesMan). This is how it looks like:
  2. <?php $auth_pass = “47a85″.”6c68″.”e623468d84123″.”e87881d1e3″;$color = “#df5″;$default_action = “File”.’sMa’.’n’;$default_use_ajax = true;$default_charset = ‘Windows-’.’1251′;…

  3. Once the backdoor is in there, they will use that to compromise the site and insert malware. We are seeing many JavaScript files modified (l10n.js and jquery.js) with something like this:

    var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63..
    \x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37..
    eval (function (_0x2f46x1,_0x2f46x2,..

    This code actually creates a hidden remote call to counter-wordpress.com, global-traff.com or newportalse.com to try to infect everyone visiting your site.

  4. As part of the attack, we are also seeing many .htaccess modifications to redirect search engine bots to some Russian sites. We posted some details here. These are some of the domains that your site gets redirected:

    http://safenesscontent.ru/s4one/index.php

    http://programmpower.ru/force/index.php

    http://securitygeneration.ru/keys/index.php

    http://safenesscontent.ru/s4one/index.php

    http://allowcompany.ru/new/index.php

    http://securityinternet.ru/upgrade/index.php

    http://generation-internet.ru/pcollection/index.php

    http://allowupdate.ru/source/index.php

  5. The first attacks would also include a remote JavaScript to superpuperdomain.com and superpuperdomain2.com, but we are not seeing those often anymore.

How many sites are compromised?

Google just started to blacklist some of these sites, and counter-wordpress.com has caused more than 2k sites to be blacklisted so far:

Yes, this site has hosted malicious software over the past 90 days. It infected 2199 domain(s), including findto.us/, streamingmegavideo.tv/, phanmemblackberry.com/.

However, on our free scanner, the numbers are much higher. We’ve identified 16,010 sites with that malware just in the last few day, and these numbers are from people that went out of their way to use our scanner.

Getting clean

There are a few things you need to do to get your site clean (note, we recommend using Firefox with NoScript while working on a compromised site):

  1. Update or delete your timthumb.php script, update WordPress and all themes and plugins.
  2. Remove the malicious code from the JavaScript files. If you removed and are still seeing the warning, make sure to clear your browser cache.
  3. Clear your .htaccess files
  4. Search and remove those backdoors. Look for that FilesMan code, for base64 calls, and things like that.
  5. Scan your site to see if we still find anything wrong: Sucuri SiteCheck

If you need professional help, we can also do it for you (we guarantee our work for 1 year): Sucuri Signup

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.