
[closed] [TimThumb Vulnerability] iframe hack (60 posts)

  1. Jorge
    Member
    Posted 2 years ago #

    Call your webhost

    That's a big 10-04

    I'll keep you all posted.

  2. Jorge
    Member
    Posted 2 years ago #

    Good news, it's gone.

    Strange though. After the fresh upload, I saw said iframe in the wp-admin area. I left the office to visit my designer and we checked it out on his Chrome browser, no iframe.

    I use PC, he uses Mac - I don't hold it against him.

    I returned to my office computer and cleared the cache on my Chrome browser and the iframe is gone. Since the beginning, the iframe would pop up in different areas within the theme and the wp-admin area, but after a good run through, it appears the site has been sanitized from the infection.

    I'm going to change the PW just for good measure.

  3. solagirl
    Member
    Posted 2 years ago #

    Hi, I'm also hacked by the counter wordpress. I scanned my site via http://sitecheck.sucuri.net/scanner/, here is what I have found:
    In my themes folder the header.php is added some code, but deleting the code helps nothing, because the iframe is actually added by javascript.

    Two files are modified.
    1. wp-includes/js/l10n.js
    2. wp-includes/js/jquery/jquery.js

    Replace the two files and the problem is gone. And I have reset all my passwords. Not quite sure how all my wordpress websites were hacked.

  4. kharisma
    Member
    Posted 2 years ago #

    This thing is setting cookies.

    That's why you can still see it in your own browser, but not someone else's.

    ---
    I can't see any difference between the l10n.js that is there, and a good copy.

    I think that sucuri.net spotted it because of the f.innerHTML function.
    However, the l10n files are translation files, and they are supposed to be replacing text with the correct translation.

  5. If so, flushing your browser cookies will remove it. So add that to the list of how to clean this out :/

  6. solagirl
    Member
    Posted 2 years ago #

    my l10n.js is different from a good copy, some code is added to that file.
    maybe my problem is different, as when I disabled javascript, the code is gone even though I didn't edit anything.

  7. my l10n.js is different from a good copy, some code is added to that file.

    Then delete the file and upload a clean copy.

    Remember, guys, this time the hackers got wise and aren't hitting the same files on everyone.

    Make a good backup and then DELETE EVERYTHING in WP core files, themes and plugins. Heck, delete your wp-config.php and .htaccess - You can easily rebuild them. But if you're just removing one or two files AND you're not changing passwords, you are STILL open for a repeat attack.

  8. solagirl
    Member
    Posted 2 years ago #

    But if you're just removing one or two files AND you're not changing passwords, you are STILL open for a repeat attack

    I have changed all the passwords I can change, not sure if this will help to make my sites a little safer.

  9. Jorge
    Member
    Posted 2 years ago #

    not sure if this will help to make my sites a little safer

    So long as you do as Ipstenu says, you'll have a reasonably secure WP install. In my instance, it was a vulnerability because of TimThumb.php and even after everything was flushed, the cache in my browser was to blame. After a quick purge, it hasn't returned.

    This is after I deleted ALL WordPress files, used a new database, etc. In short, this was a virus and I had to reformat my Website. At the present, I'm rebuilding the site from the ground up because that's the length I'm willing to go to ensure a reasonably secure Website.

    Changing your passwords is a simple, bare-bones method from being attacked using old information on the hackers' database which MIGHT have been harvested using those evil iframes.

    Best Wishes

  10. Andre Dublin
    Member
    Posted 2 years ago #

    I've had a recent iframe injection attack on my web server. So far I've created a backup of my wordpress theme files and database, removed and installed the wordpress cms platform, and I still had the iframe showing up on my site. Eventually I went through my config.php and many other php files that are frequently targeted. Deleted the config-sample.php (as usual) and eventually figured it is a javascript file. The only javascript that is on my website was a typekit script, so when I disabled that the iframe went away. I am still testing the site to see if the malicious code is still present. Does anyone know of typekit having some kind of xss vulnerabilities?

  11. Andre Dublin
    Member
    Posted 2 years ago #

    Interestingly enough, after scanning my web site without the malicious code with http://sitecheck.sucuri.net/scanner/ ( thanks solagirl, that's a great web tool ) it passed. Then when I scanned another one of my infected web sites it failed the test. Note that typekit is also on the website that failed. So if this helps anyone in squashing this problem, typekit might have some type of xss problem.

  12. Andre Dublin
    Member
    Posted 2 years ago #

    Correction on my last couple posts, I have found it also to be the l10n.js file located at http://sitename.com/wp-includes/js/l10n.js?ver20101110

    Here is the malware report http://sucuri.net/malware/malware-entry-mwjs2368

    You can see it gets attached to the end of the js file

  13. magzparmenter
    Member
    Posted 2 years ago #

    Sucuri now says my site is clean, but I'm still getting the error message on Chrome.

    Any thoughts?

  14. shomazta
    Member
    Posted 2 years ago #

    if you use webhostingbuzz you're probably screwed like me

    none of those codes or files exist on any of my domains, however I see the counter-wordpress crap on the frontend of some of my sites... sucks that all the sites are getting blocked by chrome because of this -.- I don't even use tim-thumb

  15. shomazta
    Member
    Posted 2 years ago #

    Sucuri now says my site is clean, but I'm still getting the error message on Chrome.

    Any thoughts?

    clear your cache, or bug your host because technically my sites have always been clean according to sucuri, but the server has been compromised elsewhere and it's affecting all the sites -.-

  16. asdevargas
    Member
    Posted 2 years ago #

    Hello!
    I went through all the steps of changing passwords FTP and MySQL, uploading new version of WordPress, and when I run http://example.com/wp-admin/install.php I get a message that says "You appear to have already installed WordPress. To reinstall please clear your old database tables first." Do I have to clear the actual DB, install, and then execute a copy of the DB? I don't want to lose all I have on my site!!
    Thanks for helping...

  17. You do not need to wipe your site.

    Make sure you set the WP-config up correctly. You need to have the database info the same, with the same prefix and everything.

  18. guib
    Member
    Posted 2 years ago #

    I had the same problem. Maybe it comes from an old version of Timthumb :

    http://www.websitedefender.com/web-security/timthumb-vulnerability-wordpress-plugins-themes/

    I use The Dawn for my website. I changed the timthumb.php to put the new version.
    I've also checked the wp-config.php file and removed the code.

    It's working now (without uploading a fresh version of WordPress). Whatever, I will upload a fresh version of WordPress, just to be sure.

  19. sidgoyal1
    Member
    Posted 2 years ago #

    Hello everyone. I got this malware on all my sites running on webhostingpad servers a few days back. Even fresh wordpress installations that I did using the cpanel software Softaculous had this malware. I suspect the malware is probably in the softaculous software of my hosting company.

    Anyway, I have successfully removed the malware following the below steps (which were mentioned by some previous users already) which did not require a completely fresh installation of wordpress.

    Step 1) Run a scan on http://sitecheck.sucuri.net/scanner/

    Step 2) It showed me an error in 2 javascript files in wp-includes

    Step 3) Take a backup of wp-includes and then delete the folder

    Step 4) Download wordpress from wordpress.org

    Step 5) Copy wp-includes from this fresh copy to the appropriate location in your server.

    In one of the installations, there was a malware detected in this plugin called front-slider. It was in the jquery file. I downloaded a fresh copy of front-slider and deleted the existing jquery file on the server and then copied the file from the fresh download.

    Step 6) Open a new browser and run the scan of your website again on http://sitecheck.sucuri.net/scanner/. Hopefully it should not detect any more malware.

    Step 7) Change your hosting/cpanel passwords, wp-admin passwords

    Step 8) In case you are using chrome, clear your browsing history and everything (or perhaps open an incognito window). Open your website and it should open just fine.

  20. cloudduster
    Member
    Posted 2 years ago #

    I got the same malware notice from chrome minutes ago. One month ago, I transferred to a different host and this is the first time the site got struck with malware.

    And yes, wp-config.php has all that "extras" code in it. I deleted it and nothing changed.

    Luckily, I had made a backup (using xcloner) 2 weeks ago. I deleted all the files, and restored the entire site. As of now, it's working fine. I'm not sure why this happens, I kept all the plugins updated

  21. sidgoyal1
    Member
    Posted 2 years ago #

    It is ironic that my wordpress sites which I did not upgrade to the new version did not get this malware. Could it be that the new wordpress was susceptible ?

  22. cloudduster
    Member
    Posted 2 years ago #

    @sidgoyal1: I think it's the hosting company who's vulnerable. I have two sites with them, and both got the malware notice. Those hosted in another hosting were okay.

  23. sidgoyal1 - No, it has nothing to do with your WP version.

  24. paulhastings0
    Member
    Posted 2 years ago #

    Yup, we got the same hacks yesterday on 2 of our sites. Thanks for posting this info. We've done what's shown in this thread and so far so good.

    +1 for the WordPress community!

  25. wolfsteritory
    Member
    Posted 2 years ago #

    Here is what I found, maybe somebody can do something about this, I'm just trying to help with this info

    http://flickr.com.m0.sk/fcuk.php

    that bogus site redirects to :

    http://www.hodinky.cz/

    maybe somebody can report to their host or something

    What I found is that you really need to remove all external site links from your timthumb file & put a false on allow external

    also block this hosting :


    & this is the hosting where the script came from

  26. MickeyRoush
    Member
    Posted 2 years ago #

    That fcuk.php is a lengthy script. I've decoded it and put the results at PasteBin:

    http://pastebin.com/KJ6nhfCp

    It looks like some more encoded code around line 1602. I'll have to look at that later.

  27. Jorge
    Member
    Posted 2 years ago #

    I know the last post was over 3 days ago but just to inform, I went ahead and used the old database after deleting the WordPress files and keeping the upload directory, etc.

    My site is clean of infection. Just do as Ipstenu said and you'll be fine. Try not to over complicate it, simply follow the instructions laid out and you'll be back to green meadows in no time.

    The only thing different that I did was deleted the old database user (and consequently removed the permissions) and created a new database user with a new password and added them to a NEW wp-config.php file...the last one had code injected within it. nasty stuff

  28. The only thing different that I did was deleted the old database user (and consequently removed the permissions) and created a new database user with a new password and added them to a NEW wp-config.php file...the last one had code injected within it. nasty stuff

    That's a great call :)

  29. andyd69
    Member
    Posted 2 years ago #

    Guys, just got a malware report from Sucuri - anyone seen this one? I assume I need to do the same as some of the above comments?

    Cheers, Andy

    [Code moderated as per the Forum Rules. Please use the pastebin]

  30. andyd69 - If you've been hacked, yes.

    At this point, we're at 3 pages and it's the same story, so here's the skinny.

    If you've been hacked by this, you need to, in addition to the normal cleanups, make sure you remove TimThumb's susceptible version from your server.

    Closing, as this will be impossible to help anyone new.

Topic Closed

This topic has been closed to new replies.
