If you use WordPress you’re probably aware of the mass infection caused by a vulnerability in the timthumb.php script, a photo manipulation script included in many themes and plugins.
Sites were compromised with anything from malware to Blackhat SEO spam, to .htaccess redirections.
It would be useful to gain metrics based on the amount of sites that were truly affected, the problem is that it’s very hard to estimate how many sites were in fact compromised. 1 thousand, 100 thousand, 1 million? Who knows for sure.
We found a way to get close to the actual numbers. For the last couple of months most of the sites compromised had their wp-settings.php modified with a function to contact the URL http://18.104.22.168/bt.php for more information on what to do with the site (display malware, spam, etc). Yes, kinda like a command and control site.