I Was Hacked! (counter-wordpress.com and TimThumb PHP)

In August 2011 there was a mass infection of websites that use WordPress software. It was not a vulnerability of WordPress, but had to do with certain themes and plugins that used the vulnerable timthumb.php script. What the malware does is insert backdoors on the website, then it compromises the site and inserts malware that creates a hidden remote call to counter-wordpress.com that tries to infect everyone visiting the site, it also modifies the .htaccess and redirects search engine traffic to some Russian sites. Google started to blacklist infected sites and stated about 2k sites were blocked. According to Sucuri they identified 16,010 sites just between August 22-24 that were infected. Sucuri has a great write up about the issue.  They also have great instructions for how to clear the infection.


google blacklisted websites

So I went to my website on August 23rd and the above picture is what I was greeted with.  I was like WTF???  Luckily I clicked the link and Google had a name for the malware.  You have got to love their webmaster tools.  According to the webmaster tools counter-wordpress.com  was the problem so I just googled it and found the Sucuri site that explained the malware issue.

On my server I created a new directory and moved all of my blog files over.  Just to be sure to be done with the issue.  Sucuri had great information on how to go through the files and take out the bad code but with the toddler running around I had to find a quicker way to fix my site.  I had decided that I would export my blog and then just do a clean re-install of wordpress.  It was time for a redesign anyways.

I exported the xml file of my posts and downloaded the wordpress files.  I also deleted all of the old files that I had moved into a new directory.  Big Mistake.  I uploaded all of the wordpress files by FTP and set up wordpress.  I imported my blog posts.  I was rocking and rolling but then I realized that some of the photos were missing from the posts.  I had neglected to realize that when you upload photos in the process of writing a post this does not get exported in the xml file.  Unless you have made changes, it is wordpress default to upload photos to the uploads folder in the wp-content directory.  I could have kicked myself for deleting my old files before I got the new re-install up and running.  I needed that uploads folder.

Luckily I had an older version of this folder.  It was from 5 months ago that I did the back up so I’d still be missing some photos but it is better to have some then none at all.  I hope to restore the missing photos over the coming next 6 months but I find that unlikely with the toddler running around and recording new music.  Some of those posts may just have to be missing their visuals.  At least I’ve got the website up and running.


This entry was posted in Malware, PHP, WTF. Bookmark the permalink.

Leave a Reply