ATTENTION: IGIT Related Posts With Thumb Image After Posts phpRemoteView Attack
ATTENTION: IGIT Related Posts With Thumb Image After Posts version 3.9.7 with WordPress 3.2.1 is vulnerable to phpRemoteView Attack. 2 of client’s sites were compromised recently. We checked it thoroughly and found the IGIT plugin is the source of the injection. Here’s the hack [malicious code]
[removed code] injected into index.php. Also in wp-admin, there were 2 suspicious files, ‘common.php’ and ‘udp.php’.
We have cleaned the index.php, deleted those suspicious files and removed the whole IGIT plugin, and things came back to normal.
I am posting it here in case it is of any help to anyone in future.
debajyoti – Please email plugins[AT]wordpress.org with that information as well as what file in the plugin has the hack.
Thx Debajyoti !
I’ve followed your instructions & it works again !
Are u sure it’s from IGIT Related post plugin ?
Thx for your follow up & investigations 😉
Would the plugin called TAC have caught this? Just wondering.
Did you save any of those files (or the malicious code)? If you did, can you email them to me for analysis (my email = username).
I do not think it is just that plugin that is to blame. I believe it is the timthumb.php file that the plugin is using. Try changing yours with this one. http://timthumb.googlecode.com/svn/trunk/timthumb.php
I also just discovered another file, aside from the ones that I have been reading about, that the hack will put on your server. Look under wp-content for something that looks like a cache file. If you open it you will find all the info relating to the superuperdomain.com
Y’all have to read my post here:
WordPress › Support » RSS Feed Crash http://bit.ly/ojQ4sC
Gave all the details on this bug in that topic.
I’ve been hit with this as well. I had already removed the plugin because it was not working very well, but it left those nasty little surprises. I’ve been banging my head against the system trying to find the source of the problem for about 36 hours.
I want to note that I could not have found this thread without this other thread: http://wordpress.org/support/topic/feedburner-rss-feed-link-broken … which was posted after my initial search and contained the code/url placed by the malware:
Hopefully having that in this thread will make it easier for others to find. I’m glad I came back and ran the search for the url again.
Thanks for posting the fix!
CHECK YOUR PHP.INI FILE AS WELL!!!! It enables remote debugging! Make sure to clear out your php.ini file.
Also make sure you change ALL your passwords. It has an MD5 Cracking Script that cracks your current passwords.
This script embeds an iframe within your site from another site “http://global-traff.com” and this could possibly hijack any other current sessions that your browser has open (such as to Facebook, Twitter, etc.)
Clear your cookies and change the passwords for everything you have and especially those things that were currently open at the time that this occurred.
ALSO NOTE: This may be a vulnerability within WordPress itself because we did not have the plugin mentioned above.
eclarian: What were the earmarks of what hit you that match what is being described in this thread related to the related posts plugin?
It’s a timthumb.php exploit. That plugin was using old timthumb.php. Also any other theme or plugin using old timthumb.php might also be vulnerable to this phpRemoteView attack. I have mailed the detail files to WordPress. They have intimated the plugin developer and for the time being, the plugin has been removed until the plugin developer fixes the loopholes and further tightens security. So far I have investigated further; it’s not a vulnerability within WordPress core, it’s the timthumb.php file causing this problem. Ipstenu posted a good link in another thread:
“For those following along, this seems to be the TimThumb issue: http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html You can run an instant free security check for your site there.”
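The clean-up checks reported across this thread can be gathered into one read-only scan. The following is an added example, not code from any poster or from the plugin: it walks a WordPress directory and reports the two wp-admin file names, any timthumb.php copy, any php.ini, and any file that mentions the two domains named above. The function names, the sample tree and its file contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
# Indicators taken from posts in this thread; not a complete signature set.
SUSPECT_PATHS = {"wp-admin/common.php", "wp-admin/udp.php"}
SUSPECT_DOMAINS = (b"superpuperdomain.com", b"global-traff.com")
MAX_BYTES = 2 * 1024 * 1024  # read at most 2 MiB of each file

def scan_wordpress(root):
    """Return sorted (reason, relative_path) findings for a WordPress tree."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.lower() in SUSPECT_PATHS:
            findings.append(("unexpected wp-admin file", rel))
        if path.name.lower() == "timthumb.php":
            findings.append(("timthumb copy, confirm it is the current version", rel))
        if path.name.lower() == "php.ini":
            findings.append(("php.ini, review its settings", rel))
        try:
            with path.open("rb") as fh:
                data = fh.read(MAX_BYTES)
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        for domain in SUSPECT_DOMAINS:
            if domain in data:
                findings.append(("references " + domain.decode(), rel))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed sample site; file contents are made up for the demo."""
    samples = {
        "index.php": b"<?php /* constructed */ // global-traff.com",
        "wp-admin/common.php": b"<?php // constructed placeholder",
        "wp-admin/admin.php": b"<?php // stand-in for a legitimate core file",
        "wp-content/plugins/example/timthumb.php": b"<?php // constructed",
        "wp-content/cache_ab12.php": b"constructed: superpuperdomain.com",
    }
    for rel, body in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for reason, rel in scan_wordpress(tmp):
            print(f"{rel}: {reason}")
```

A clean result only means these particular indicators are absent; the password changes and timthumb.php update recommended in the thread still apply.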
- The topic ‘ATTENTION: IGIT Related Posts With Thumb Image After Posts phpRemoteView Attack’ is closed to new replies.