The Latest in IT Security

Mass infection of WordPress sites (counter-wordpress.com)

23 Aug 2011


Many people are asking us about this “counter-wordpress.com” type of malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it there.

So first, to make things clear, this is happening on sites that have the vulnerable timthumb.php script on them. You have to make sure that none of your themes or plugins contain it. You can get more information here on how to verify it: http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html. This is not a vulnerability in WordPress itself.

Understanding the problem

Since the vulnerability in timthumb was disclosed (as a 0-day), we started to see many scans in our logs looking for that script. Once it is found, the attackers will do several things:

  1. Insert backdoors on your site (generally the FilesMan one). This is how it looks:

    <?php $auth_pass = "47a85"."6c68"."e623468d84123"."e87881d1e3";$color = "#df5";$default_action = "File".'sMa'.'n';$default_use_ajax = true;$default_charset = 'Windows-'.'1251';

  2. Once the backdoor is in there, they use it to compromise the site and insert malware. We are seeing many javascript files modified (l10n.js and jquery.js) with something like this:

    var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63..
    \x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37..
    eval (function (_0x2f46x1,_0x2f46x2,..

    Once decoded, this code creates a hidden remote call to counter-wordpress.com, global-traff.com or newportalse.com to try to infect everyone visiting your site.

  3. As part of the attack, we are also seeing many .htaccess modifications that redirect search engine bots to some Russian sites. We posted some details here. These are some of the domains that your site gets redirected to:


The first attacks also included a remote javascript call to superpuperdomain.com and superpuperdomain2.com, but we are not seeing those often anymore.

How many sites are compromised?

Google just started to blacklist sites, and the counter-wordpress.com infection has caused more than 2k sites to get blacklisted so far:

Yes, this site has hosted malicious software over the past 90 days. It infected 2199 domain(s), including findto.us/, streamingmegavideo.tv/, phanmemblackberry.com/.

However, on our free scanner the numbers are much higher. We identified 16,010 sites with that malware just in the last few days, and those are only the people who went out of their way to use our scanner.

Getting clean

There are a few things you need to do to get your site clean (note: we recommend using Firefox with NoScript while working on a compromised site):

  1. Update or delete your timthumb.php script, and update WordPress and all themes and plugins.
  2. Remove the malicious code from the javascript files. If you removed it and are still seeing the warning, make sure to clear your browser cache.
  3. Clean your .htaccess files.
  4. Search for and remove those backdoors. Look for the FilesMan code, for base64 calls and things like that.
  5. Scan your site to see if we still find anything wrong: http://sitecheck.sucuri.net
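As an added example (not Sucuri's scanner and not code from the post), the following Python script automates the "search for those backdoors" step of the checklist over a WordPress tree: it flags the FilesMan header, PHP eval-of-decoded-string calls, the hex-escaped packed eval() in JavaScript files, and .htaccess rules that send search-engine bots to .ru sites. The signature names and sample inputs are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Heuristic signatures for the artefacts the post describes (hypothetical names,
# not Sucuri's rules): the FilesMan backdoor header, the hex-escaped eval() in
# l10n.js/jquery.js, and .htaccess rules that bounce search bots to .ru sites.
FILESMAN_RE = re.compile(r"\$auth_pass\s*=|\$default_action\s*=|FilesMan", re.I)
PHP_EVAL_DECODE_RE = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
JS_HEX_ARRAY_RE = re.compile(r'var\s+_0x[0-9a-f]+\s*=\s*\[\s*"(?:\\x[0-9a-f]{2}){4,}', re.I)
JS_PACKED_EVAL_RE = re.compile(r"eval\s*\(\s*function\s*\(", re.I)
HTACCESS_BOT_RE = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(?:google|yahoo|bing|msn)", re.I)
HTACCESS_RU_RE = re.compile(r"RewriteRule\s+\S+\s+https?://\S+\.ru\b", re.I)

def scan_text(name: str, text: str) -> list[str]:
    """Return indicator labels found in one file, keyed on the file name's type."""
    hits = []
    if name.endswith(".php"):
        if FILESMAN_RE.search(text):
            hits.append("filesman-backdoor")
        if PHP_EVAL_DECODE_RE.search(text):
            hits.append("php-eval-decode")
    elif name.endswith(".js"):
        # Require both the hex-escaped string table and the packer-style eval()
        # so that ordinary minified libraries are not reported.
        if JS_HEX_ARRAY_RE.search(text) and JS_PACKED_EVAL_RE.search(text):
            hits.append("hex-obfuscated-eval")
    elif name == ".htaccess":
        if HTACCESS_BOT_RE.search(text) and HTACCESS_RU_RE.search(text):
            hits.append("bot-redirect")
    return hits

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a WordPress install and map every flagged path to its indicators."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or (path.suffix not in {".php", ".js"} and path.name != ".htaccess"):
            continue
        hits = scan_text(path.name, path.read_text(errors="ignore"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed samples modelled on the fragments quoted in the post (not live malware).
SAMPLE_BACKDOOR = '<?php $auth_pass = "47a85"."6c68"; $default_action = "File".\'sMa\'.\'n\';'
SAMPLE_JS = 'var _0x4de4=["\\x64\\x20\\x35\\x28\\x29\\x7B"];eval(function(p,a,c){return p}("x",1,2));'
SAMPLE_HTACCESS = ("RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn) [NC]\n"
                   "RewriteRule ^(.*)$ http://example-redirect.ru/index.php [R=301,L]\n")
SAMPLE_CLEAN_JS = 'jQuery(function($){ $("#menu").show(); });'

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1]).items():
        print(path, ", ".join(hits))
```

Run it as `python scan.py /path/to/wordpress`; every reported file still needs a manual look, since the PHP signatures are deliberately loose.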

If you need professional help, we can also do it for you (we guarantee our work for 1 year): http://sucuri.net/signup

  1. rave January 6, 2012

    Thanks very much, buddy!!!
