Many people are asking us about this “counter-wordpress.com” type of malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it in there.
So first, to make things clear, this is happening on sites that include the vulnerable timthumb.php script on them. You have to make sure that none of your themes or plugins are vulnerable. You can get more information here on how to verify it: TimThumb PHP Vulnerability – Just the Tip of the Iceberg. This is not a vulnerability on WordPress.
Understanding the problem
Since the vulnerability on TimThumb was released (0-day), we started to see many scans in our logs looking for that script. Once it is found, the attackers will do many things:
- Insert backdoors on your site (generally one coined FilesMan). This is how it looks like:
eval (function (_0x2f46x1,_0x2f46x2,..
This code actually creates a hidden remote call to counter-wordpress.com, global-traff.com or newportalse.com to try to infect everyone visiting your site.
- As part of the attack, we are also seeing many .htaccess modifications to redirect search engine bots to some Russian sites. We posted some details here. These are some of the domains that your site gets redirected:
<?php $auth_pass = “47a85″.”6c68”.”e623468d84123″.”e87881d1e3″;$color = “#df5″;$default_action = “File”.’sMa’.’n’;$default_use_ajax = true;$default_charset = ‘Windows-’.’1251′;…
How many sites are compromised?
Google just started to blacklist some of these sites, and counter-wordpress.com has caused more than 2k sites to be blacklisted so far:
Yes, this site has hosted malicious software over the past 90 days. It infected 2199 domain(s), including findto.us/, streamingmegavideo.tv/, phanmemblackberry.com/.
However, on our free scanner, the numbers are much higher. We’ve identified 16,010 sites with that malware just in the last few day, and these numbers are from people that went out of their way to use our scanner.
There are a few things you need to do to get your site clean (note, we recommend using Firefox with NoScript while working on a compromised site):
- Update or delete your timthumb.php script, update WordPress and all themes and plugins.
- Clear your .htaccess files
- Search and remove those backdoors. Look for that FilesMan code, for base64 calls, and things like that.
- Scan your site to see if we still find anything wrong: Sucuri SiteCheck
If you need professional help, we can also do it for you (we guarantee our work for 1 year): Sucuri Signup