List of Domains Hosting Webshells for Timthumb Attacks

We have been tracking TimThumb related attacks for a while and they are still at full force (yes, some people are still using the outdated versions and getting compromised).

Just for the month of May, we identified more than 400 domains hosting backdoors for those type of attacks and a botnet with more than 1,000 IP addresses scanning sites that might be vulnerable to it.

If you like to look at your logs, that’s how it would look like: – – [31/May/2012:03:55:35 +0000] “GET /wp-content/themes/vibrantcms/thumb.php?src= HTTP/1.1″ 404 9347 “-” “”

or – – [31/May/2012:03:45:50 +0000] “GET //wp-content/themes/Quadro/timthumb.php?src= HTTP/1.1″ 404 305 “-” “”

Basically searching for hundreds of themes per site that could have the old timthumb.php enabled and attempting to insert the backdoors from and on it.

The full list of domains hosting the backdoor is on our labs post:

List of domains hosting webshells for Timthumb attacks

and the list of IP addresses there too:

List of IP addresses scanning for vulnerable timthumb .

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site or on Twitter: @danielcid

  • Guest

    Okay, one of my server’s IP is listed and it belongs to a shared hosting server. I can find numerous logs with hits from other IPs and its own….

    This might be a stupid question… but how do I track down the webshell script that is scanning? 

    • Peter Abraham does a reasonable job.  If you are comfortable with Clam Anti-Virus, turn on the ability to detect possible unwanted applications (PUA) and scan with Clam Anti-Virus.

      Spot checking directories that malware likes to hide in such as /tmp, /var/tmp, /dev/shm and the like can often end up finding the malware.

      In terms of end user sites, pay careful attention to any directory with 777 permissions or any files with >= 666 permissions or files and folders owned by the web server (i.e. httpd / apache/ nobody).

      And… you can always hire Sucuri to help you.

  • Peter Abraham

    Great work!  I wrote with the hope to encourage security and system admins to benefit from your work.

Share This