Many people are asking us about the “counter-wordpress.com” malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it there.
First, to make things clear: this is happening on sites that have the vulnerable timthumb.php script. You have to make sure that none of your themes or plugins include it. You can get more information on how to verify that here: http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html. This is not a vulnerability in WordPress itself.
Understanding the problem
Since the timthumb vulnerability was disclosed (as a 0-day), we started seeing many scans in our logs looking for that script. Once it is found, the attackers do several things:
- Insert backdoors on your site (generally the Filesman one). This is what it looks like:
<?php $auth_pass = "47a85"."6c68"."e623468d84123"."e87881d1e3";$color = "#df5";$default_action = "File".'sMa'.'n';$default_use_ajax = true;$default_charset = 'Windows-'.'1251';
- Inject obfuscated code like the following into your pages:
eval (function (_0x2f46x1,_0x2f46x2,..
This code creates a hidden remote call to counter-wordpress.com, global-traff.com or newportalse.com to try to infect everyone visiting your site.
- As part of the attack, we are also seeing many .htaccess modifications that redirect search engine bots to some Russian sites. We posted some details here. These are some of the domains your site gets redirected to:
How many sites are compromised?
Google has just started blacklisting sites, and counter-wordpress.com has caused more than 2k sites to get blacklisted so far:
Yes, this site has hosted malicious software over the past 90 days. It infected 2199 domain(s), including findto.us/, streamingmegavideo.tv/, phanmemblackberry.com/.
However, on our free scanner the numbers are much higher: we identified 16,010 sites with that malware in just the last few days. And those are only people who went out of their way to use our scanner.
There are a few things you need to do to get your site clean (note: we recommend using Firefox with NoScript while working on a compromised site):
- Update or delete your timthumb.php script, and update WordPress and all themes and plugins.
- Clear your .htaccess files.
- Search for and remove those backdoors. Look for that Filesman code, for base64 calls and things like that.
- Scan your site to see if we still find anything wrong: http://sitecheck.sucuri.net
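To make the "search for the timthumb script, the backdoors and the .htaccess redirects" steps concrete, here is an added example that is not from the original post: a small scanner that walks a site tree and flags the indicators described above. The regexes and the constructed sample tree are this example's own assumptions, not Sucuri's signatures.

```python
import re
import tempfile
from pathlib import Path

# Content indicators taken from the post: the Filesman backdoor header, the
# eval(function(_0x...)) obfuscated loader, generic encoded-eval calls, the
# callback domains and a search-engine-only .htaccess redirect (approximations).
INDICATORS = {
    "filesman_backdoor": re.compile(r"\$auth_pass\s*=.*\$default_action\s*=", re.S),
    "obfuscated_js_loader": re.compile(r"eval\s*\(\s*function\s*\(\s*_0x[0-9a-f]+"),
    "encoded_php_eval": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "known_callback_domain": re.compile(r"counter-wordpress\.com|global-traff\.com|newportalse\.com", re.I),
    "bot_only_redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_USER_AGENT\}[^\n]*(?:google|bing|yahoo|yandex)"
        r"[\s\S]*?RewriteRule[^\n]*https?://", re.I),
}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_site(root):
    """Walk a site tree; return {relative path: [indicator names]} for every hit."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or not (p.suffix in SCAN_SUFFIXES or p.name == ".htaccess"):
            continue
        # The vulnerable script is flagged by name; everything else by content.
        hits = ["timthumb_present"] if p.name.lower() == "timthumb.php" else []
        text = p.read_text(errors="replace")
        hits += [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_site():
    """Constructed WordPress-like tree: one clean file plus the four infection signs."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content/themes/demo"
    theme.mkdir(parents=True)
    (root / "wp-content/uploads").mkdir()
    (theme / "timthumb.php").write_text("<?php // stand-in for the vulnerable script\n")
    (root / "wp-content/uploads/cache.php").write_text(  # Filesman-style header
        "<?php $auth_pass = \"deadbeef\";$color = \"#df5\";$default_action = \"File\".'sMa'.'n';\n")
    (theme / "footer.php").write_text(  # obfuscated loader calling a known domain
        "<script>eval(function(_0x2f46x1){return 'http://counter-wordpress.com/'}());</script>\n")
    (root / ".htaccess").write_text(  # redirect only search-engine bots
        "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]\n"
        "RewriteRule .* http://redirect-target.invalid/ [R,L]\n")
    (theme / "functions.php").write_text("<?php function wp_demo() { return 1; }\n")  # clean
    return root
```

Run `scan_site("/path/to/wordpress")` against a real install; every path it returns deserves a manual look, and a clean install should return an empty dict.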
If you need professional help, we can also do it for you (we guarantee our work for 1 year): http://sucuri.net/signup