Breaking: Google starts to block hacked WordPress blogs as attack widens

Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

I’ve had two reports in the last 12 hours of WordPress blogs that were compromised via the Timthumb hack being listed as malware by Google. If you try to visit either site, you are confronted with the following:


These sites are listed with the warning that “This site may harm your computer” in Google’s search results and Google blocks access to the site with a warning forcing you to manually type the URL into your location bar if you really do want to visit the site:

One of the site owners sent me the detailed info that Google Webmaster Tools was giving her:

This malicious code is appearing intermittently on this author’s WordPress site. I’ve seen this same pattern recently in blogs I’ve repaired: the site periodically downloads new PHP code from a remote site run by the attacker and re-injects it into the WordPress code. That allows the attacker to add, remove and update whatever code he/she is executing on your blog. So they could, for example, update any spam links every few hours.

To prevent your site being listed as malware clean it as fast as possible

The fastest way to do this, although it doesn’t guarantee a complete clean, is the following:

  1. Remove all old plugins and themes you aren’t using.
  2. Upgrade all your plugins and themes to the latest versions and make sure none of them use an old version of Timthumb.
  3. Clean any Timthumb cache directories.
  4. Upgrade your entire WordPress installation, even if it’s at the latest version. This overwrites all WordPress files.
  5. Search your directory tree for any remaining suspicious files that contain base64_decode wrapped in an eval() statement or URL encoded data. More info on how to do this search here. Delete any files you find. NOTE: If you don’t find any additional infected files in this step, it’s highly likely that your site is not clean. Every attack that I’ve seen so far using Timthumb gets in by uploading a file into the cache directory and then uploads an additional file into a writable directory on the blog to ensure continued access once the cache is cleaned. Make sure you find that additional file.
  6. Make sure the only directory that is writable in your WordPress installation is wp-content/. Directories like wp-admin and wp-includes should be read-only for the web server.
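As an added example (not a script from the post), here is a small Python scanner for step 5: it walks the install and flags files whose source wraps base64_decode() or urldecode() in eval(), and any .php file that sits under a cache/ directory (the drop point step 3 talks about). The sample tree in demo() is constructed for the example; file names such as wp-img.php are made up.

```python
import os
import re
import tempfile

# eval( ... base64_decode( or eval( ... urldecode(, with any decoder wrappers
# such as gzinflate( or str_rot13( allowed in between (case-insensitive)
EVAL_DECODE = re.compile(
    r"eval\s*\(\s*(?:[a-z0-9_]+\s*\(\s*)*(base64_decode|(?:raw)?urldecode)\s*\(", re.I)
# any .php file that sits under a cache/ directory (the timthumb cache)
CACHE_PHP = re.compile(r"(?:^|/)cache/[^/]*\.php$", re.I)

def classify(source, relpath=""):
    """Return the indicators matched by one file's text and relative path."""
    hits = []
    m = EVAL_DECODE.search(source)
    if m:
        hits.append("eval(%s())" % m.group(1).lower())
    if CACHE_PHP.search(relpath):
        hits.append("php file in cache dir")
    return hits

def scan_tree(root):
    """Walk an install; map relative path -> indicators for every flagged file."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = classify(fh.read(), rel)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                findings[rel] = hits
    return findings

def demo():
    """Constructed sample tree (not a real infection) so the scan runs offline."""
    root = tempfile.mkdtemp()
    samples = {
        "wp-content/themes/demo/functions.php": "<?php add_theme_support('menus');\n",
        "wp-content/uploads/wp-img.php": "<?php eval(gzinflate(base64_decode('SGVsbG8='))); ?>\n",
        "wp-content/themes/demo/cache/8f2a.php": "<?php echo 'dropped'; ?>\n",
        "wp-includes/wp-db-x.php": "<?php $s='" + "%70%68%70%20" * 8 + "'; eval(urldecode($s));\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run scan_tree() against your real document root and treat every hit as something to read by hand; a clean functions.php produces no entry, while the legitimate base64_decode() calls WordPress itself makes are not inside eval() and so are not flagged.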

If you are already listed as malware by Google, here is what to do

Clean your site using the above steps. You can find more suggestions on how to clean your site on this page.
The fastest way to get your site removed from Google’s malware list is to request a review through Google Webmaster Tools. You can find the help file on requesting a malware review on this page.
The process takes about 24 hours to get your site removed. You can find out more about Google’s Malware list and safe browsing report on this page.


Potential long term impact of this vulnerability

The fact that I’ve seen the same domain being used by attackers on multiple blogs suggests this attack may be partially or fully automated. The worst case scenario is that we end up with a WordPress botnet with thousands or tens of thousands of servers on high bandwidth links compromised and able to send spam emails or launch a huge DDoS attack.

Keep in mind that most botnets are compromised Windows machines on relatively slow home broadband connections. Their uplink speeds are around 512kbps. These WordPress servers are on links that are a minimum of 10 Megabits per second each, so they have plenty of firepower for a coordinated attack. One WordPress server is equal to at least 20 infected PCs in terms of pure bandwidth firepower.


55 thoughts on “Breaking: Google starts to block hacked WordPress blogs as attack widens”


  22. I had deleted the Swift theme which uses timthumb, but when I checked my wp-content folder, I found timthumb files inside the upload folder.

    It seems if you have used a vulnerable theme before, the timthumb files are left behind even after deleting the themes.

  23. Everyone has such great suggestions.

    @ David Dede – Just tried your scanner, great tool. $90 for a year is pretty reasonable considering how much downtime would cost a company dependent on their website for business.

    @Vid – great trick!!!! I would have been just running a search.

  24. It’s all messed up, my site went down completely, now I can’t even access it. Hackers enjoy this, as it’s for fun; they prove they are better than the WordPress guys. This is pathetic, the WordPress guys better work out something fast, before all the sites go down and Google blacklists them. Damn

    • Joe,
      Not all hosts use mod_security, but other things hosts can do are:

      1. block outgoing requests from the firewall (we did this)
      2. block remote fopens

      There are many ways to skin this cat, as long as it gets skinned is the goal :).

  25. If you don’t (or are not allowed to) use Perl on your server, in FileZilla there is a function to do a ‘remote search’ (under the binoculars on the menubar). Do a search for ‘tim’ (just to be sure) and see what it comes up with. It is not very fast, but you can run it in the background, as it displays a list with results.

    In general, here are some tips to secure your blog: http://www.hongkiat.com/blog/hardening-wordpress-security/
    And, for complete backups: http://www.blogvault.net (I can not tell if they scan/detect, so you need to check before you restore your site).

    Thanks for the instructions! I have shared it on G+.

  26. A further suggestion on hardening your site: in addition to making all files and directories outside of wp-content non-writeable by the server, wouldn’t it be a good idea to additionally write-protect all the PHP files *inside* wp-content as well? Let’s say you have the owner of the files as www-data and the group as your user, for convenience; then executing
    sudo chmod u-w wp-content/*.php
    and
    sudo chmod u-w wp-content/*/*.php
    and
    sudo chmod u-w wp-content/*/*/*.php
    and so on (however many layers deep as are needed, and of course executed from the WP root) could prevent the malware from getting a toehold. That is, even if they somehow inject a page with malicious code amongst your nicely cleaned PHP files, it won’t be able to do anything to modify your files, and that should stop the infection until a routine scan can weed out the intruder.

    P.S. I just gotta say, I am SO glad I usually develop with Python in Django and Pinax……….
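An added example, not from the post or the commenter above, that turns step 6 and the chmod u-w suggestion into a check: every path outside wp-content/ that carries a write bit, and every .php file inside wp-content/ that still does, is reported. It assumes the www-data ownership the comment describes (so an owner-write bit counts as server-writable); the listing in demo() is constructed, not taken from a live site.

```python
import os
import stat

# Policy from step 6 plus the comment above: nothing outside wp-content/ may be
# writable, and .php files inside wp-content/ should not be either. Assumes the
# files are owned by the web server account (www-data in the comment), so an
# owner-write bit counts as server-writable; group/other write always counts.
SERVER_WRITE = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def audit_entries(entries):
    """entries: iterable of (relative_path, st_mode); returns sorted findings."""
    findings = []
    for rel, mode in entries:
        rel = rel.strip("/")
        if stat.S_ISLNK(mode) or not (mode & SERVER_WRITE):
            continue  # symlink mode bits are meaningless; non-writable is fine
        in_content = rel == "wp-content" or rel.startswith("wp-content/")
        if not in_content:
            findings.append((rel, "writable outside wp-content"))
        elif rel.endswith(".php") and not stat.S_ISDIR(mode):
            findings.append((rel, "writable PHP inside wp-content"))
    return sorted(findings)

def audit_tree(root):
    """Run the same policy over a real install rooted at `root`."""
    def modes():
        for dirpath, dirs, files in os.walk(root):
            for name in dirs + files:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                yield rel, os.lstat(path).st_mode
    return audit_entries(modes())

def demo():
    """Constructed listing standing in for a real tree, not from any live site."""
    d, f = stat.S_IFDIR, stat.S_IFREG
    listing = [
        ("wp-admin", d | 0o755),                             # owner-writable: bad
        ("wp-admin/admin.php", f | 0o444),
        ("wp-includes", d | 0o555),
        ("wp-includes/version.php", f | 0o644),              # owner-writable: bad
        ("wp-content", d | 0o755),                           # allowed
        ("wp-content/uploads/2011/photo.jpg", f | 0o664),    # not PHP: allowed
        ("wp-content/plugins/demo/demo.php", f | 0o644),     # writable PHP: bad
        ("wp-content/themes/demo/cache", d | 0o775),         # cache dir: allowed
        ("wp-content/themes/demo/timthumb.php", f | 0o444),  # u-w applied: ok
    ]
    return audit_entries(listing)
```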

  27. sry for the dbl comment but I just saw Vid’s suggestion and was wondering if that changes all instances of timthumb everywhere it is, including in the text of files like functions, or just swaps the file to the new safe one? Do we still need to go in and change all the fixed_timthumb.php back to just timthumb for it to work properly?

  28. This message was exactly what alerted me to the problem last Friday. Google must have been doing it since at least then. Thanks to your posts, I updated my timthumb scripts and scrubbed all the suspicious base64 calls out. I never found an entire suspicious file though, so I should go back and check. Hopefully nothing has “respawned” because I didn’t clean it completely last time.

    Thanks for the info!

  29. My site was hacked through timthumb and it looks like it was all automated..

    I had these files in the compromised theme folder:
    wp.php – the phpshell
    sm3.php
    r1.php
    d.php

    and a changed .htaccess file that pushed all inbound traffic from a list of search engines to a Russian site on hitting my site.

    Seems that the mail server was also being used to send out spam and then loads of the emails have bounced back and I can see the content of them – it seems that they are all linking to an sm3.php on other compromised blogs in each email, like a massive automated spam making worm.

    I have hundreds of bounce backs – each with different domains. Many with wp.php still installed on them. These are all sending emails too.

    I’m also getting loads of inbound http requests looking for sm3.php in my theme folder, which is not there anymore so it’s returning a 404 but I’m getting like at least 1 request a minute and this all counts to my bandwidth.

    I guess the only way it will stop is if everyone realises they have been hacked and they tidy up their sites.

    What a massive problem!

    p.s. sorry for the big comment but thought it might help some people.

    Cheers for all the info on your blog too.

    • Thanks David. I ran your scanner on my site and a known infected site as comparison. It shows the site is listed as malware with Google but not that it’s currently running infected code. The attack periodically updates the site with a new payload. For some reason the attackers seem to remove the spam links and reinject them a few hours later, periodically. So the tool seems great, but just want folks to keep in mind that a local filesystem scan is the only sure way to tell if you currently have malicious code running on your site.

  30. Mark and others reading this.. if you host a couple of thousand wordpress sites like us, here’s a quick brute force way of at least making sure you don’t have the vulnerable timthumb on your sites.

    1. Copy the latest timthumb from Google Code on to your server and call it fixed_timthumb.php
    2. cd /
    3. find . -name timthumb.php | xargs -i cp /your/brand/new/fixed_timthumb.php {}
