The latest timthumb.php infection

We’ve been seeing, over the past week, many WordPress websites infected with this line of code:

function counter_wordpress() {$_F=__FILE__;$_X='...add_action('wp_head', 'counter_wordpress');

It’s in the wp-settings.php file and it usually has a series of blank spaces before it. You’ll find it right before the legitimate line of code:

do_action( 'init' );

This needs to be removed and you need to update all of your timthumb.php and thumb.php files. Then you’ll also have to scan your websites for backdoors.

Remember that if your WordPress site is hosted in a hosting account with many other websites in the same account, the backdoor can be in all or any of the other websites. You need to scan and clean them all.

If you need help in finding and removing this, please send us an email at:

Thank you.

And, let’s be safe out there.


More timthumb.php infections

I don’t like making every announcement of new infections regarding timthumb.php. It feels like everyone is pointing the finger at the author, but I do have to report the recent happenings, so here goes.

The latest website infections we’ve been seeing inject obfuscated script to the bottom of .html files and the index.php file.

The code looks like:

(opening script tag)String.prototype.test="harC";for(i in $='')m=$[i];var ss="";try{eval('asdas')}catch(q)...
n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h...eval(ss);(closing script tag)

We usually see this at the very bottom of the file. Typically after the closing html tag in an html file.

This code deobfuscates to an iframe that includes:

As of this writing, Google does not find this URL suspicious, however:

What is the current listing status for
This site is not currently listed as suspicious.

What happened when Google visited this site?
Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-09-02, and the last time suspicious content was found on this site was on 2011-09-02.
Malicious software includes 1 trojan(s).

That is for today, September 2, 2011. Which is the same day that Google reports as the last time they found suspicious content.

Again, we’ve cleaned this on WordPress sites with vulnerable timthumb.php files. These really need to be updated.

If your website is listed as having malicious or suspicious content and it’s linked to, you might want to look for the code mentioned above.

If you need help cleaning this, please send us an email: or call us at (847)728-0214.

Have you spotted this on your website? Let us know…

By was compromised

According to the website, their website was compromised possibly by stolen login credentials. Here is what they posted on their website:

Security breach on

Earlier this month, a number of servers in the infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the infrastructure.

What happened?

Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.
Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.
A trojan startup file was added to the system start up scripts
User interactions were logged, as well as some exploit code. We have retained this for now.
Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don’t have Xnest installed, please investigate.
It *appears* that 3.1-rc2 might have blocked the exploit injector, we don’t know if this is intentional or a side affect of another bugfix or change.

What Has Been Done so far:

We have currently taken boxes off line to do a backup and are in the process of doing complete reinstalls.
We have notified authorities in the United States and in Europe to assist with the investigation
We will be doing a full reinstall on all boxes on
We are in the process of doing an analysis on the code within git, and the tarballs to confirm that nothing has been modified

For those of you who think that hackers aren’t trying to infect websites – all websites, think again.

Also note how they took responsibility and publicly announced what they are doing to prevent this from happening again.

How about you? What have you done to protect your websites from being infected. Infected websites affect many people – anyone who visits your website.

Let me know your thoughts on this…post a comment.