Here’s another round of infections from the timthumb.php vulnerability.
This time the hackers have registered a new domain: googlesafebrowsing.com (on August 17, 2011) and they are utilizing the timthumb.php and thumb.php files to infect websites.
In the header.php file, we’re finding code that begins with:
and continues down to:
if ( strpos ( $doms, ’||’ ) === false )
$domains = explode ( ’||’, trim ( $doms ) );
return $domains[array_rand ( $domains )];
This is a dynamic piece of code in that it pulls a new domain from googlesafebrowsing.com/remoted.cc.txt and inserts it into an iframe that's embedded in a section of code that appears on your website. Most of the iframes have .us.to/kwizhveo.php in the URL.
What we recommend is that your use a safe FTP program like WS_FTP by Ipswitch, login to your website and search the wp-content/themes folder for any instances of timthumb.php or thumb.php. When you find one, rename it by adding .orig to the end of it. That way after adding the new file and testing, if your site doesn't work, you can always move back to the original (.orig) by deleting the new file and renaming the original by taking the .orig extension off.
If you have the thumb.php version it's normally about 18kb in size. If you want to make that file safe without replacing it, download it to your computer and open it with an editor.
If you see that code, then your site is already infected and should be thoroughly cleaned. You should call us: (847)728-0214 or email: email@example.com
However, if you don't see that code and want to modify your existing thumb.php file, scroll down to a section that looks like:
Change that by deleting the websites listed: flickr.com, picasa.com, etc.
When you're finished it should look like:
The above steps will keep your site safe from the timthumb.php and thumb.php type of infections on your WordPress website - if you haven't had your WordPress site infected already.