Websites infected with googlesafebrowsing.com/kwizhveo.php

Here’s another round of infections from the timthumb.php vulnerability.

This time the hackers have registered a new domain: googlesafebrowsing.com (on August 17, 2011) and they are utilizing the timthumb.php and thumb.php files to infect websites.

In the header.php file, we’re finding code that begins with:

and continues down to:

if ( strpos ( $doms, ’||’ ) === false )
return false;
$domains = explode ( ’||’, trim ( $doms ) );
return $domains[array_rand ( $domains )];
}
?>

This is a dynamic piece of code in that it pulls a new domain from googlesafebrowsing.com/remoted.cc.txt and inserts it into an iframe that's embedded in a section of code that appears on your website. Most of the iframes have .us.to/kwizhveo.php in the URL.

You really should search your themes for any instance of timthumb.php or thumb.php and get the updated file: and replace the existing one.

What we recommend is that your use a safe FTP program like WS_FTP by Ipswitch, login to your website and search the wp-content/themes folder for any instances of timthumb.php or thumb.php. When you find one, rename it by adding .orig to the end of it. That way after adding the new file and testing, if your site doesn't work, you can always move back to the original (.orig) by deleting the new file and renaming the original by taking the .orig extension off.

If you have the thumb.php version it's normally about 18kb in size. If you want to make that file safe without replacing it, download it to your computer and open it with an editor.

Before you make any other changes check the file for code that looks like this:
infected thumb.php file

If you see that code, then your site is already infected and should be thoroughly cleaned. You should call us: (847)728-0214 or email: support@wewatchyourwebsite.com

However, if you don't see that code and want to modify your existing thumb.php file, scroll down to a section that looks like:

thumb file allowedSites

Change that by deleting the websites listed: flickr.com, picasa.com, etc.

When you're finished it should look like:

modified thumb.php allowedSites

The above steps will keep your site safe from the timthumb.php and thumb.php type of infections on your WordPress website - if you haven't had your WordPress site infected already.