Timthumb Exploit causing plethora of sites to redirect to Russia

Oct 13th, 2011 | By | Category: Internet

UPDATE: Site hacked again; that's what I get for not removing the backdoors. Details on how to find those are below.

Well, what a delight to check on one of my old unused sites and find malware warnings, with the site redirecting me to http://placecollocation.ru/ . This of course made me look a little closer, as it's folly to assume a breach is contained to one little area, and sure enough I found WordPress and Drupal sites alike redirecting. So, being the good server admin, I cleaned it out, only to wake up the next morning to one of my users telling me that the server was hacked and then pointing me to this very page saying 'here's how to fix it :)'. Obviously he doesn't know this is my blog, but I had to laugh.

So after a few hours of scripting I’ve cleaned it all out again but I wanted to post up a little help for those going through the same thing.

First off, a big thanks goes out to Hack Sparrow for this post: http://www.hacksparrow.com/wordpress-hacked-getting-forwarded-to-distributioncorporate-ru-solution.html as it pointed me in the right direction immediately. Although, if I could be a little critical of our hacking/flying/chirping friend, I would say you should have looked more closely at those backdoors. Obviously they could go by many names, so you need to be able to find them even if their location or name changes.

So first step: Make a list of all infected .htaccess files

  • Go find one that you know is infected. It will contain a whole lot of ^M (carriage return) characters or blank lines, followed by some code that redirects your users to a Russian site. The three I've heard of are placecollocation.ru, flyghtairline.ru and distributioncorporate.ru. Copy that URL.
  • Go to your home root directory, /usr/www or whatever your webroot dir is and run: find . -name .htaccess -exec grep -H RUSSIANDOMAIN {} \; > infected.txt (replace RUSSIANDOMAIN with the domain you copied)
  • Clean out all the unneeded data in that file so it's just a list of files:
    • In Linux: sed -i 's/:.*//g' infected.txt
    • In BSD: sed -i '' -e 's/:.*//g' infected.txt
  • Clean out duplicate listings: uniq infected.txt > infected.new && mv infected.new infected.txt

Second Step: Clean the infected files

  • Lucky for us, this guy announces himself by inserting a shitload of blank lines (bare carriage returns), which awk can easily recognize. What we want to do is tell awk to look for two of these lines one after the other, delete everything from that point down, write the output to a new file and then copy that over the infected one. *It wouldn't hurt to back up your .htaccess files first*
  • Run: awk 'p $0 == "\r\r"{exit} $0 != "\r"{print $0}{p=$0}' .htaccess > htaccess && mv htaccess .htaccess for each of the .htaccess files listed in infected.txt, or alternatively just write a script that reads that file line by line and performs the above command on each one.
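The script the second bullet suggests, as an added example that is not code from the original post. It assumes, as the post describes, that the files use CRLF line endings and that the injected block starts at the first two consecutive bare-CR lines; the .bak backup name and the constructed sample .htaccess are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: clean every .htaccess listed
# in the infected.txt built by the find/grep step, keeping a backup of each.
# Assumptions: CRLF line endings, injected block begins at the first two
# consecutive bare-CR lines (as the post describes), backups named <file>.bak.

# Strip the injected tail from one .htaccess. Prints the number of lines kept.
# Returns 1 and leaves the file untouched if the marker domain is not in it.
clean_htaccess() {
    file=$1 domain=$2
    grep -q "$domain" "$file" || return 1
    cp "$file" "$file.bak"
    # The post's awk logic, parenthesised for clarity: stop at the second
    # consecutive "\r"-only line; print every earlier line that is not bare "\r".
    awk '(p $0) == "\r\r" {exit} $0 != "\r" {print $0} {p = $0}' "$file.bak" > "$file"
    wc -l < "$file" | tr -d ' '
}

# Run clean_htaccess over each path in a list file (one path per line) and
# report "cleaned <path>" or "skipped <path>" for each entry.
clean_listed() {
    list=$1 domain=$2
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if clean_htaccess "$path" "$domain" >/dev/null; then
            echo "cleaned $path"
        else
            echo "skipped $path"
        fi
    done < "$list"
}

# Write a constructed infected .htaccess to $1: two legitimate rules, the
# bare-CR separator lines, then a redirect to the domain named in the post.
make_sample_htaccess() {
    printf 'RewriteEngine On\r\nRewriteRule ^old$ /new [R=301,L]\r\n\r\n\r\nRewriteCond %%{HTTP_REFERER} google\r\nRewriteRule .* http://placecollocation.ru/ [R=301,L]\r\n' > "$1"
}

# Usage: sh clean_htaccess.sh --demo                          (constructed sample)
#        sh clean_htaccess.sh infected.txt placecollocation.ru
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_htaccess "$d/.htaccess"
    printf '%s\n' "$d/.htaccess" > "$d/infected.txt"
    clean_listed "$d/infected.txt" placecollocation.ru
    cat -v "$d/.htaccess"
elif [ $# -eq 2 ]; then
    clean_listed "$1" "$2"
fi
```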

Step 3: Finding the Backdoors

  • As a good sneaky fucking Russian, this guy leaves backdoors so that he can re-infect you hours after you clean this out, in the form of the following files: _wp_cache.php, sm3.php or wp.php. If you look at these files you'll see they start with something like this:
      • <?php # Web Shell by oRb
        $auth_pass = "";
        $color = "#df5";
        $default_action = 'FilesMan';
        $default_use_ajax = true;
        $default_charset = 'Windows-1251'
  • So the prudent thing to do would be to scan all .php files (or all files in general if you were really wanting to be careful) and search for something unique about this file, i.e. Windows-1251 or Web Shell by oRb, like so: find . -name "*.php" -exec grep -H 'Web Shell by oRb' {} \; -exec rm {} \;  (the rm only runs for files where the grep matched; run it without the second -exec first to review the list before deleting anything)
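A scanner for this step, as an added example rather than the post's own command: it checks the filenames and strings the post and its comments mention and moves hits into a quarantine directory (with an owner/size/mtime record) instead of deleting them, so they can be examined before they are gone. The quarantine path and the constructed test files are assumptions; Windows-1251 on its own can appear in legitimate files, so hits still need a look.

```shell
#!/bin/sh
# Added example, not code from the original post: find the backdoor files the
# post describes and quarantine them for review instead of rm'ing them.
# Names/strings are those named on the page; the quarantine directory is an
# assumption and should sit outside the webroot.

BACKDOOR_NAMES='_wp_cache.php sm3.php wp.php functions_extra.php'
BACKDOOR_STRINGS='Web Shell by oRb
FilesMan
Windows-1251'

# Print each .php file under $1 matching a known name or string, one per line
# as "<reason><tab><path>". Windows-1251 alone can be legitimate: review hits.
find_backdoors() {
    root=$1
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        base=${f##*/} reason=''
        for n in $BACKDOOR_NAMES; do
            if [ "$base" = "$n" ]; then reason="name:$n"; fi
        done
        if [ -z "$reason" ]; then
            reason=$(printf '%s\n' "$BACKDOOR_STRINGS" | while IFS= read -r s; do
                if grep -qF -- "$s" "$f"; then printf 'string:%s' "$s"; break; fi
            done)
        fi
        if [ -n "$reason" ]; then printf '%s\t%s\n' "$reason" "$f"; fi
    done
}

# Move every hit into $2, keeping its path relative to $1, and append the
# reason plus an ls -l record (owner, size, mtime) to $2/manifest.txt.
quarantine_backdoors() {
    root=$1 qdir=$2
    mkdir -p "$qdir"
    find_backdoors "$root" | while IFS="$(printf '\t')" read -r reason f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        printf '%s\t%s\t%s\n' "$reason" "$rel" "$(ls -l "$f")" >> "$qdir/manifest.txt"
        mv "$f" "$qdir/$rel"
    done
}

# Usage: sh scan_backdoors.sh scan /var/www
#        sh scan_backdoors.sh quarantine /var/www /root/quarantine
case "${1:-}" in
    scan) find_backdoors "$2" ;;
    quarantine) quarantine_backdoors "$2" "$3" ;;
esac
```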

Final Step: Upgrade all outdated timthumb files

  • This whole mess was caused by an exploit in timthumb, which usually goes by thumb.php or timthumb.php. It's very important to realize, though, that there may well be other, non-timthumb files on your server called thumb.php, as it's a pretty ambiguous filename. So you need to find the files that really are timthumb and replace only those with updated ones.
  • So let’s grab the updated timthumb: wget http://timthumb.googlecode.com/svn/trunk/timthumb.php
  • find . -name "*thumb*.php" -exec grep -l timthumb {} \; -exec cp timthumb.php {} \;  (the grep is what keeps unrelated thumb.php files from being overwritten; run it from a directory above the downloaded timthumb.php, or keep that copy outside the tree you search, so the find doesn't try to copy the file over itself)

 

And that’s that!  You should be all good to go..
PS – One last thing I did was to chown all of my .htaccess files to root and leave them chmodded to 444. Make sure this doesn't screw anything up on your end, but hopefully it should prevent them from being overwritten in the future.


8 Comments to “Timthumb Exploit causing plethora of sites to redirect to Russia”

  1. Sergio says:

    Thank you for this. It really helped me find out what this JERK did. I found it in a file called functions_extra.php within my theme folder. Just deleted it and upgraded my timthumb to 2.8.2 which seems to include a FIX for the domain validation in the allowed sites….

    I’m waiting because apparently this guy was hitting the backdoor every 45 minutes / hour…

    I changed my FTP password; do you think I need to go in and change my DB password?

    Oh, and apparently it affects every site on the server because I have four sites in Rackspace Cloudsites and they all got hit. Their .htaccess files were all messed with, but only one site appeared to have the backdoor.

    I had to do it all manually because Rackspace doesn’t give me shell access..

  2. admin says:

    hey there, your user logins aren't going to be affected by what I've seen, all file changes were done under the www user account.

    As far as it affecting all domains on the server, I don't think that's the case, as I had 3 wordpress and 1 drupal site affected and then about 60 other wordpress blogs that weren't affected.. I'm pretty sure there's a script that goes through and just edits all the .htaccess files it can find and access. So if your .htaccess files are owned by root and have perms of 444 then it wouldn't be able to touch them.. Similarly, if your domains are spread across many user accounts which have their own directories in /home/ or /usr/www or whatever, and those directories are not accessible by user www, I think you'd also be safe.

    Once those backdoor files are deleted and timthumb is upgraded then you should be fine, it's just making sure that you find the backdoor files, which like I posted might involve grepping everything for that line of code. Thanks for the comment, I'll make sure to add that filename to the list of files to look out for

    On a side note this should be a pretty clear sign to you and anyone who has any inclination of being a competent webmin to stay CLEAR of all hosts like Rackspace that don't give you shell access. All of your fixing, with the proper shell access and knowledge, could have been done in minutes.. shit, if I had to do all that without ssh access it would have taken me hours if not days as I would have had to manually go through 100's of domains to make sure.. fuck that!

  3. Ramanathan says:

    How do I fix this issue? The .htaccess files of all domains on the server are getting hacked; I'm hosted at hostmonster.com

    Whenever I remove the redirection script from .htaccess, in just 30 mins it gets affected again.

    I have been breaking my head over this for more than 24 hrs.

    Thanks
    Ramanathan

  4. Ramanathan says:

    And let me know how to grep files and find the backdoor files from the hostmonster cPanel.

  5. admin says:

    Well the first thing you could do would be to change the permissions on your .htaccess files so that no one besides the owner can write to them (make sure that the http daemon isn't the owner)
    also you could just take the script that fixes this and have it run every 31 minutes 🙂

  6. Steve S says:

    My WP sites were hacked with a redirect that creates a .log folder and (within the folder) a file called log1.txt. The file is simply a listing of several Russian sites; it does not contain the redirection script itself. I have been unable to find where that script is.

    I have tried all of the following:

    1. Deleted all theme files except the one I am using. Someone on another site said this cured his WP site of this particular site.

    2. Tried deleting the .log folder and the log1.txt file.

    3. Tried keeping the .log folder and file, but deleted all the information from the file and removed all “write” and “execute” permissions from it.

    No matter what I do, the .log folder and the text file get re-created and/or rewritten within a matter of minutes. I cannot figure out where the instructions for doing this are coming from. I’ve examined all my WP files one by one (took most of a day) and I cannot see any obvious scripts. I am not too technical, though, so I could have missed something if it was entirely in code rather than English.

    Any ideas?

    Thanks,
    Steve

  7. admin says:

    ok, so can you see the redirection happening? Like if you go to your site do you get redirected? If so, try moving all of your plugins out of the plugins directory and into say plug_bak

    Are you still being redirected?

    If so, move all the plugins back and do the same thing with your themes.. well, except copy in the default theme anew and use that. Still being redirected?

    If so then download wordpress.org/latest.tar.gz and unarchive those files overtop of your existing ones.. Still being redirected?

    If so then do a brand new wordpress install somewhere else and just do an ls -l on both installs until you find the same files which result in different file sizes and figure out where that’s coming from.

    Lastly, have you checked your .htaccess file?

  8. admin says:

    Brilliant, thanks for the how-to guide to future readers
