Mass Infection of WordPress Sites Due to TimThumb ( counter-wordpress dot com )

  • August 23, 2011

Many people are asking us about this “counter-wordpress.com” type of malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it in there.

So first, to make things clear, this is happening on sites that include the vulnerable timthumb.php script on them. You have to make sure that none of your themes or plugins are vulnerable. You can get more information here on how to verify it: TimThumb PHP Vulnerability – Just the Tip of the Iceberg. This is not a vulnerability on WordPress.

Understanding the problem

Since the vulnerability on TimThumb was released (0-day), we started to see many scans in our logs looking for that script. Once it is found, the attackers will do many things:

  1. Insert backdoors on your site (generally one coined FilesMan). This is how it looks like:

    2. <?php $auth_pass = “47a85″.”6c68”.”e623468d84123″.”e87881d1e3″;$color = “#df5″;$default_action = “File”.’sMa’.’n’;$default_use_ajax = true;$default_charset = ‘Windows-’.’1251′;…

  2. Once the backdoor is in there, they will use that to compromise the site and insert malware. We are seeing many JavaScript files modified (l10n.js and jquery.js) with something like this:

    var _0x4de4=["x64x20x35x28x29x7Bx62x20x30x3Dx32x2Ex63..
    x28x22x33x22x29x3Bx32x2Ex39x2Ex36x28x30x29x3Bx30x2Ex37..
    eval (function (_0x2f46x1,_0x2f46x2,..

    This code actually creates a hidden remote call to counter-wordpress.com, global-traff.com or newportalse.com to try to infect everyone visiting your site.

  3. As part of the attack, we are also seeing many .htaccess modifications to redirect search engine bots to some Russian sites. We posted some details here. These are some of the domains that your site gets redirected:

    http://safenesscontent.ru/s4one/index.php
    http://programmpower.ru/force/index.php
    http://securitygeneration.ru/keys/index.php
    http://safenesscontent.ru/s4one/index.php
    http://allowcompany.ru/new/index.php
    http://securityinternet.ru/upgrade/index.php
    http://generation-internet.ru/pcollection/index.php
    http://allowupdate.ru/source/index.php

  4. The first attacks would also include a remote JavaScript to superpuperdomain.com and superpuperdomain2.com, but we are not seeing those often anymore.

How many sites are compromised?

Google just started to blacklist some of these sites, and counter-wordpress.com has caused more than 2k sites to be blacklisted so far:

Yes, this site has hosted malicious software over the past 90 days. It infected 2199 domain(s), including findto.us/, streamingmegavideo.tv/, phanmemblackberry.com/.

However, on our free scanner, the numbers are much higher. We’ve identified 16,010 sites with that malware just in the last few day, and these numbers are from people that went out of their way to use our scanner.

Getting clean

There are a few things you need to do to get your site clean (note, we recommend using Firefox with NoScript while working on a compromised site):

  1. Update or delete your timthumb.php script, update WordPress and all themes and plugins.
  2. Remove the malicious code from the JavaScript files. If you removed and are still seeing the warning, make sure to clear your browser cache.
  3. Clear your .htaccess files
  4. Search and remove those backdoors. Look for that FilesMan code, for base64 calls, and things like that.
  5. Scan your site to see if we still find anything wrong: Sucuri SiteCheck

If you need professional help, we can also do it for you (we guarantee our work for 1 year): Sucuri Signup

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
29 comments

  2. my cousin runs his site thru wordpress.  www.resboot.com  everytime i access it from facebook, it redirects me to this russian  “http://allowcompany.ru/new/index.php” site. With about an extra 30 secs of lag.

    But when i goto type it in manually, it takes me directly there with zero lag.

    correction – until now… now a manual entry of resboot.com redirects me to the russian site

  3. Pingback: [WordPress] Timthumb Security Vulnerability | Luís Ramalho
  4. Pingback: Going, Going, Gone » The Gaytheist Agenda
  6. Pingback: Vulnerabilidade no Timthumb expôe sites em Wordpress a malware | Noxion

  7. i really want to thank you sucuri you are currently the only website taking care of this massive infection. It almost breaks my business. I want to add that TODAY i noticed the attacked again, now check your wp-config  file, theres some extra lines there. It’s unexplainable how they infected me again after reinstalling all and changing passwords, i must have some code on my templates

    1. What lines were added?  The timestamps on my wp-config files looked suspect, but I couldn’t find anything suspicious in the actual file.

  8. Pingback: I Was Hacked! (counter-wordpress.com and TimThumb PHP) | Tarraguña's Blog
  9. Pingback: SOBRE O PERÍODO DE INATIVIDADE | Blog do Pelegrini

  10. The scanner isn’t picking up counter-wordpress.com at all http://donotargue.com/note/we-are-under-attack/ I have been trying to figure out where it’s hiding for about one week now with no luck. Your scanner shows my site all green eg: No problems.

  11. Pingback: Hospedaria 42 » Infecção em massa de sites com Wordpress (counter-wordpress.com)
  12. Pingback: [Custom Rom] MIUI Defy Pikachu Edition *immer Up-To-Date* - Seite 265 - Android-Hilfe.de

  13. Anyone have any clue why I’m getting a redirect to one of these addresses – http://generation-internet.ru/pcollection/index.php – in my admin panel? It’s when I click on “themes” in my WordPress admin. No one else on another computer can reproduce the redirect. I’ve done every malware scan in the world, had one program find something and get rid of it, I thought I deleted all my caches, everything. Reinstalled WordPress and all files except content. Now my scans are running clean but I’m still getting it. No redirect on google or anything for the actual site itself either.

  14. Pingback: Blog Is Kicking After One Month In Hell | Speedrider Networks

  15. I just was a victim of this attack. They used a file in my custom theme folder call backwp.php, which I removed. I then had to reinstall WordPress though the update section in the WordPress Dashboard. 

    This attack has some some serious damage to my search engine results, taking down close to six months of work to move the site up and ranking for our companies keywords. Who knows how long it will take to restore our rankings. Best of luck to everyone else. 

  16. Anyone know how to determine if a server is doing the actual scanning? meaning, how to identify if a bot is installed onto an apache server that might be scanning/looking for vulnerable timethumb.php files elsewhere?

  17. Pingback: Up and Running (finally) | JonJolly.com

  20. Brilliant.  Careless programming has given the script kiddies yet another vulnerability to exploit.

  22. Pingback: Web Security is an Important Issue for Recruiting Firms | JPKreiss Executive Search
  26. Pingback: WordPress Timthumb-Schwachstelle - rambox.at
  27. Pingback: Blogger's Weekly | Secure steps to take with latest Wordpress attacks (Part One) | Blogger's Weekly

Comments are closed.

Related Categories
You May Also Like