Monthly Archives: August 2011

Websites infected with googlesafebrowsing.com/kwizhveo.php

Here’s another round of infections from the timthumb.php vulnerability.

This time the hackers have registered a new domain: googlesafebrowsing.com (on August 17, 2011) and they are utilizing the timthumb.php and thumb.php files to infect websites.

In the header.php file, we’re finding code that begins with:

if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {

and continues down to:

if ( strpos ( $doms, ’||’ ) === false )
return false;
$domains = explode ( ’||’, trim ( $doms ) );
return $domains[array_rand ( $domains )];
}
?>

This is a dynamic piece of code in that it pulls a new domain from googlesafebrowsing.com/remoted.cc.txt and inserts it into an iframe that's embedded in a section of code that appears on your website. Most of the iframes have .us.to/kwizhveo.php in the URL.

You really should search your themes for any instance of timthumb.php or thumb.php and get the updated file: and replace the existing one.

What we recommend is that your use a safe FTP program like WS_FTP by Ipswitch, login to your website and search the wp-content/themes folder for any instances of timthumb.php or thumb.php. When you find one, rename it by adding .orig to the end of it. That way after adding the new file and testing, if your site doesn't work, you can always move back to the original (.orig) by deleting the new file and renaming the original by taking the .orig extension off.

If you have the thumb.php version it's normally about 18kb in size. If you want to make that file safe without replacing it, download it to your computer and open it with an editor.

Before you make any other changes check the file for code that looks like this:
infected thumb.php file

If you see that code, then your site is already infected and should be thoroughly cleaned. You should call us: (847)728-0214 or email: support@wewatchyourwebsite.com

However, if you don't see that code and want to modify your existing thumb.php file, scroll down to a section that looks like:

thumb file allowedSites

Change that by deleting the websites listed: flickr.com, picasa.com, etc.

When you're finished it should look like:

modified thumb.php allowedSites

The above steps will keep your site safe from the timthumb.php and thumb.php type of infections on your WordPress website - if you haven't had your WordPress site infected already.

1see.ir/j/ script injections

This infection has been happening for about 10 days already, but we’ve been so busy cleaning them that we haven’t had time to write about it.

We’ve been seeing the following script:

1see.ir script injection

usually in the meta tag section of the infected website’s pages. It appears multiple times.

The domain: 1see.ir is not currently listed as suspicious by Google:

1see.ir website infection

Yet a Google search shows about 78,000 listings. Some of these are reports of the infection and not necessarily infected websites:

1see.ir website infection search results

This is affecting osCommerce based websites that are not properly protected. Protecting osCommerce sites is something we do extremely well. If your site has been infected by this, please contact us and we can clean this, remove all backdoors and secure your website from future infections.

You can’t just remove this infection and think you’re safe. We’ve been seeing extra entries in the admin table. These are accounts hackers have inserted into your site so they maintain control over your site. There have also been many, many different backdoor shell scripts as well.

Let’s get this cleaned up.

Contact me at: traef@wewatchyourwebsite.com or (847)728-0214.

If you have questions or comments please comment below.

Thank you.

Willysy.com infection changes to tiasissi.com.br

As you may know from our previous posts, we’ve been watching the willysy.com infection of millions of e-commerce websites over the past few weeks.

Now, it appears that many of these are still infected and the hackers have now changed the infection to:

hxxp://tiasissi. com .br/revendedores/jquery

What’s really frustrating from our perspective, is that these are so easy to prevent. To date, we’ve cleaned 1,179 of these infections and no repeat infections – our methods work!

With the willysy infections we’ve seen many entries in the admin section of the osCommerce database which shows that the hackers have taken total control of these websites and this is just the infectious code they prefer to use for now.

There are many different backdoor shell scripts the hackers are installing on these websites and code inserted into the payment processing files that allow the hackers to steal the credit card information as it gets processed.

This is all cleanable and prevention is quite easy.

Contact us to have your website cleaned or email me at: traef@wewatchyourwebsite.com

If you have questions about this, please leave a comment. We’ll respond promptly.

Thank you.

TimThumb WordPress Plugin Leads to Hacked Websites

The WordPress Plugin TimThumb which is primarily used in themes as an image resizing tool, was found to be vulnerable to an attack that could be classified as a remote file inclusion exploit.

TimThumb allows an attacker to retrieve a remote file and saves it to directory that is accessible via a browser. Mark Maunder who is CEO of technology firm Feedjit, based in Seattle, found out the hard way about this vulnerability when his own blog: markmaunder.com was infected by this.

He has provided a good detailed description, for those of you who are technically oriented, on his blog at:

It’s also been reported that the developer of the plugin had his own blog infected via this vulnerability. To his credit, he has been extremely busy in fixing this and has definitely shown responsibility in this matter.

The fix that Mark has suggested is this:

  1. Edit timthumb.php
  2. Scroll down to line 27 where it starts: $allowedSites = array(
  3. Remove all the sites like “blogger.com” and “flickr.com”
  4. After removing the sites your line should look like: $allowedSites = array();

Save the file and you’re finished. Keep in mind this is for version 1.33. If you’re running an older version, you’ll have to contact the Theme developer and ask them for an update.

Our research shows that some themes use this plugin but the file is not named timthumb.php it could be named:

  • thumb.php
  • resizer.php
  • crop.php
  • cropper.php
  • and various similar names

Search your files for all these names just to be sure you find it.

If you see a folder/directory named “cache” in your wp-content folder or any of it’s sub-folders, you can add this .htaccess file there which will block running any .php files. Quick backstep: this is typically where this plugin stores the files that a hacker may have uploaded. So even if a hacker were to upload the files to that folder, they cannot run them.

.htaccess:

RewriteEngine On


Order Deny,Allow
Deny from all
Allow from localhost

Please post a comment here if you’re having issues with this, or for that matter, any other security related issues.

Thank you.