The Latest in IT Security

WordPress Sites Hacked with


A few days ago we posted about a series of attacks that were happening against WordPress sites running the vulnerable timthumb.php script.

We detected thousands of sites compromised with it and now are are seeing a small change in the malware. Instead of, the malware is now pointing to a remote javascript from (see extra 2 in there). This is what it shows up in the compromised sites:

<script language="javascript" SRC=""

That is code is generated by an echo statement hidden within one of the WordPress core files and is always accompanied of multiple backdoors and even .htaccess redirections (to and other russian sites).

Both domains were registered by Archil Karsaulidze (probably fake) and are pointing to

Archil Karsaulidze [email protected]
+74957261532 fax: +74957261532
Novopeschanaya, 3-28
Moscow Moscowscaya Oblast 107263

How are the sites getting compromised?

On the sites we’ve analyzed, they were hacked through the timthumb.php vulnerability that was published a few days ago. The attackers are also creating a bunch of backdoors to maintain their access to the hacked sites.

If you are using the timthumb.php scripts, remove or update it now!.

Keeping yourself secure

This is not a vulnerability in WordPress, it is a vulnerability found in various WordPress themes that include TimThumb! You have to make sure that you are using an updated theme, and from a legitimate source. Otherwise your theme may contain this vulnerability, or others (even backdoors), that may not be given the proper attention by their theme authors.

If you’re not sure, you can do a free scan of your site using Sucuri SiteCheck

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments

Social Networks