Thousands of WordPress sites infected with malware: protect yourself!

In the last few hours, thousands of sites built with WordPress have been infected with malware called visitorTracker_isMob, also known as VisitorTracker, which uses infected websites as zombie servers to redirect traffic to a page with an exploit that attempts to infect visitors' browsers.

Although the malware is not new, it is in the last two days that it has become really active, as reported by Sucuri's blog. If you look at the following graph you will see that the increase in infected WordPress sites has been tremendous.

[Figure: Sucuri graph of the VisitorTracker malware campaign]

What the malware does

What the malware does is inject code like this:

function visitorTracker_isMob() {
  var ua = window.navigator.userAgent.toLowerCase();
  if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|mi..|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc..|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0,4))) {
    return true;
  }
  return false;
} /* .. visitorTracker .. */ /*

This code interacts with a second backdoor on the site that forces the browser to load a malicious iframe from pages where the Nuclear Exploit Kit is installed.

The effect, as you can see in the following screenshot of the server of the security company Coverity, which was hacked, is an iframe that loads and sends the browser to the exploit kit page, in this case in (changes regularly).

[Figure: screenshot of the Nuclear Exploit Kit iframe on the Coverity server]

How to identify the malware

The behavior can vary, but on many sites files called sample.php have appeared in practically every directory of the installation.

In any case, the safest thing is to always keep a plugin active that permanently scans for changes, such as Wordfence, or to check your site with online scanners like this one.

How do I get rid of malware

As with any other malware infection, you have to perform a total cleanup of your site, which means:

  1. Update WordPress to the latest version from the official site. Upload all files and folders except /wp-content/.
  2. Delete all plugins, including paid ones, and install new, safe versions.
  3. Delete all files that are not part of the WordPress installation and whose source you have not clearly identified.
  4. Check the uploads folders and subfolders and delete any PHP file you find.
  5. Delete all themes, active or not, including paid ones, and upload a new, safe version of them, especially the active one.
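
A read-only check for the indicators named in this article (the visitorTracker marker inside served files, files named sample.php, and PHP files under uploads), as an added example that is not part of the original article. The function names, the list of file extensions and the default wp-content/uploads location are assumptions, and the demo tree is constructed.

```python
import os
import tempfile

MARKER = b"visitortracker"                       # matched case-insensitively
TEXT_EXT = (".js", ".php", ".html", ".htm")      # assumption: file types worth reading
UPLOADS = os.path.join("wp-content", "uploads")  # default WordPress layout

def scan_wordpress(root):
    """Return sorted (reason, relative_path) findings; read-only, deletes nothing."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            if lower == "sample.php":
                findings.add(("sample.php", rel))
            if lower.endswith(".php") and rel.startswith(UPLOADS + os.sep):
                findings.add(("php-in-uploads", rel))
            if not lower.endswith(TEXT_EXT):
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read().lower()
            except OSError:
                continue                         # unreadable file: keep scanning
            if MARKER in data:
                findings.add(("visitorTracker-marker", rel))
    return sorted(findings)

def build_demo_site(root):
    """Constructed sample tree: clean files plus one of each indicator."""
    samples = {
        "index.php": b"<?php // clean file\n",
        "wp-includes/js/jquery.js": b"/* lib */ function visitorTracker_isMob(){}\n",
        "wp-content/plugins/demo/sample.php": b"<?php // dropped file\n",
        "wp-content/uploads/2015/09/img.php": b"<?php // should not be here\n",
        "wp-content/uploads/2015/09/photo.jpg": b"\xff\xd8\xff\xe0 not scanned\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        print(*scan_wordpress(tmp), sep="\n")
```

Findings are leads for the manual cleanup above: the scan reports paths and leaves every file in place.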

How do I protect myself against future malware injections

We have seen them many times already, but the rules are these:

  1. Always keep WordPress updated to the latest version.
  2. Keep plugins and themes updated to the latest version.
  3. Use strong passwords. WordPress offers them to you; accept them and do not use your usual ones.
  4. Change the WordPress administrator and FTP passwords regularly.
  5. Do not use the default WordPress database prefix.
  6. Protect WordPress against brute-force attacks.
  7. Protect WordPress against SQL injections.
  8. Follow the guide to avoiding WordPress malware step by step.
  9. Install a good security and scanning plugin for WordPress.
  10. Subscribe to WordPress Help and check all the security guides I publish.

NOTICE : This publication is from two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say that we have not warned you.


TimThumb abandoned

The famous image-cropping script TimThumb, massively used by themes and plugins, has been abandoned by its developer, joining the now well-known list of abandonware.

Not without some blame for the various exploits that this otherwise great script has suffered, the author has decided to abandon its development and support, and recommends that plugin and theme developers stop using it.

If you use any theme or plugin that uses it, "encourage" its developer to use an alternative method, because if TimThumb was already vulnerable until now, imagine what it will be like once its development and updates have been abandoned.

The best alternative to TimThumb is, of course, the native WordPress support for featured images, which most theme developers are gradually adopting, as well as other alternative solutions to TimThumb.

A very interesting one is the following code which does the same thing as TimThumb with images from your server (does not work with external or hotlinked images) but without its vulnerabilities:

Other possible alternatives are the Photon module from Jetpack, which also resizes images dynamically, or the BFI Thumb plugin.

What is clear is that you have to stop using TimThumb now, no matter what.


The 3 most common ways to hack WordPress and how to avoid it

WordPress is already the most popular CMS, and that power entails a responsibility: it is also the CMS most attacked by hackers who want to take control of this or that website … made with WordPress.

And do not think that because your WordPress is not a popular website it will not suffer attacks, because many of the "exploits" that are created are meant to build zombie sites, and for that any site will do.

Of all the ways there are to hack a website, the 3 most common in WordPress, the main entry routes for attacks, are the following:

1. Outdated themes and plugins

Installing and updating themes and plugins in WordPress is very easy, and with the built-in update notification system, barring special situations, there is no reason not to update them when new versions are available.

In addition, most updates are released for security reasons that could endanger your website, except when there is a major version change in WordPress, which then requires changing certain code in some plugins and themes. The rest of the time, especially with themes, updating is practically mandatory.

We often talk about the convenience, or not, of paid plugins and themes, and one of their advantages should be the incentive for the developer to stay aware of new attacks or "exploits" and update the product to fix them, something that is not always the case with free themes and plugins.


Easy, right?

2. Weak login credentials

You can now choose the administrator username when installing WordPress, and change it right after installation, but there are still many WordPress sites with the default username admin, and with that any intruder already has half the information needed to access your WordPress as administrator.

If you add to that a simple, easy-to-guess password, or one reused on other online services that are not always safe, you are more than exposed to possible unwanted access. It is something you must fix as soon as possible.


3. Database injections

This is perhaps the most used method lately to hack any CMS, WordPress included, and the bad thing is that it is not always up to you whether the databases are secure, but at least we have to do our part to secure them as much as possible.

The worst thing is that if a hacker gets into your database you are completely lost: they can do anything, there are no limits. On top of that, cleaning an infected database is an absolute horror, the worst thing that can happen to you.


And those are the 3 most common ways WordPress sites usually get hacked. Let's see if we have generic help …

Google security notices

It's horrible when we visit a website and Google warns us that it is insecure and can infect our system, but for the webmaster it is at least a warning. It is essential that you have a Google Webmaster Tools account to manage your websites there and receive security notifications and even instructions on how to resolve intrusions. In addition, Google now even warns you when you have to update WordPress.

Then, in the same panel, you can tell Google that your site is clean and, after it checks, have the annoying notice removed.

How to avoid security problems in WordPress?

All this, as you can see, is very good, but how do I avoid this kind of intrusion, hack and code injection? By being thorough with the basics, which I will not get tired of repeating:

Safe WordPress services

Now, if you do not want to worry about the security of your WordPress, you can always use services that take the problems away:

  1. Use a managed WordPress such as, just write and forget about everything else
  2. Back up everything; there are many plugins that automate daily backups, in case of disaster
  3. Hire specialized WordPress hosting that automatically backs up your site
  4. Install a plugin to make automatic backup copies of your site and the database.

Finally, and although this type of article is sometimes a little scary, WordPress is the safest CMS


Hacked WordPress sites with Timthumb used for black-hat SEO in Google Images

According to the Unmask Parasites blog, over 4,000 hacked WordPress sites are reportedly flooding Google Images with images used to rank fake antivirus sites.

What these undesirables do in black-hat SEO, using the Timthumb exploit I warned about, is the following …

They use the following URL pattern: hxxp:///?[a-f]{3}=, where [a-f]{3} is a combination of three letters from "a" to "f", followed by combinations of hyphen-separated keywords that contain normal words and words for images, for example:

hxxp:///?fef=images-of-mitzi-mueller-wrestling
hxxp:///?cda=image-tropical-fruits-index
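
Detection logic for this URL shape run over access-log lines, as an added example that is not from the original article or from Unmask Parasites. It assumes the combined log format and treats a referer host containing ".google." as a click-through from Google; the function names are hypothetical and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Combined log format (assumption): "METHOD target HTTP/x" status size "referer"
ENTRY = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" \d{3} \S+ "([^"]*)"')
# Whole query string: three letters a-f, "=", then at least two hyphen-joined keywords
DOORWAY = re.compile(r"([a-f]{3})=([a-z0-9]+(?:-[a-z0-9]+)+)", re.IGNORECASE)

def host_of(url):
    """Hostname of a logged URL, or "" when it is missing or unparsable."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:                    # e.g. a broken IPv6 literal in the referer
        return ""

def find_doorway_hits(log_lines):
    """Return (param, keywords, from_google) for site-root requests of that shape."""
    hits = []
    for line in log_lines:
        entry = ENTRY.search(line)
        if not entry:
            continue                      # malformed line or another method
        target, referer = entry.groups()
        try:
            url = urlsplit(target)
        except ValueError:
            continue
        if url.path not in ("", "/"):
            continue                      # the pattern hangs directly off the site root
        shape = DOORWAY.fullmatch(url.query)
        if shape:
            from_google = ".google." in "." + host_of(referer)
            hits.append((shape.group(1).lower(), shape.group(2).lower(), from_google))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2000:10:00:01 +0000] "GET /?fef=images-of-mitzi-mueller-wrestling HTTP/1.1" 200 18211 "http://www.google.com/imgres?q=constructed" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2000:10:00:09 +0000] "GET /?cda=image-tropical-fruits-index HTTP/1.1" 200 17950 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [01/Jan/2000:10:02:11 +0000] "GET /?p=123 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [01/Jan/2000:10:02:30 +0000] "GET /?cat=news-and-events HTTP/1.1" 200 8002 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2000:10:03:00 +0000] "GET /blog/?abc=some-keywords-here HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [01/Jan/2000:10:03:20 +0000] "GET /?bad=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_doorway_hits(SAMPLE_LOG):
        print(hit)
```

A three-letter parameter in the a-f range can also come from a legitimate plugin, so hits are leads to review rather than proof of compromise.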

For this purpose they use backdoor pages that they insert into the normal templates of WordPress sites, where the original content is replaced with about twenty thumbnails and small blocks of text related to the keywords to be ranked.

The images are not linked from external sites but link to "full size" images with URLs like these:

for example:

At the top of the images a label is shown: the domain name of the hacked site. This way the undesirables make it seem that the images belong to the site they have hacked, as if they were its own content rather than inserted or stolen images. At the same time, this makes it easier to identify the poisoned images in the search results.

The image files contain the following string inside: <CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100. This means that they were created using the GD graphics library.
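
A reader for that embedded string, as an added example that is not from the original article: it walks the JPEG header segments, extracts the comment (COM) segments and returns the GD quality value so a file can be compared with the quality = 100 stamp quoted above. The function names and the constructed sample bytes are assumptions; GD is a widely used library, so a match is a lead for review rather than proof.

```python
import re
import struct

# Comment text as quoted in the article; the quality number is captured for comparison.
GD_COMMENT = re.compile(rb"CREATOR: gd-jpeg v[\d.]+ \(using IJG JPEG v\d+\), quality = (\d+)")
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}    # standalone markers without a length field

def jpeg_comments(data):
    """Yield each COM (0xFFFE) segment payload found before the scan data starts."""
    if data[:2] != b"\xff\xd8":            # no SOI marker: not a JPEG
        return
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return                         # lost marker sync, stop instead of guessing
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
        elif marker in NO_LENGTH:
            pos += 2
        elif marker in (0xDA, 0xD9):       # start of scan / end of image
            return
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if length < 2 or pos + 2 + length > len(data):
                return                     # truncated or corrupt segment
            if marker == 0xFE:
                yield data[pos + 4:pos + 2 + length]
            pos += 2 + length

def gd_quality(data):
    """Return the GD quality value from the JPEG comment, or None if absent."""
    for comment in jpeg_comments(data):
        found = GD_COMMENT.search(comment)
        if found:
            return int(found.group(1))
    return None

def build_sample(comment):
    """Constructed minimal JPEG header (SOI, APP0, COM, SOS) with no image data."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(0xFE, comment) + b"\xff\xda"
```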

It seems that the hackers use a PHP script to take well-ranked images (in Google Images search results), resize them to thumbnail size (a width of between 200 and 300 pixels) and to full size (a random size, in some cases even larger than the original, so that they rank better for being larger in pixels) and finally add the stamp of the hacked domain name.


At the bottom of the HTML code of the backdoor pages you can see comments like these:

The timestamp and the keywords. This way you can easily see when the backdoor was created.


The backdoor pages rank well for some keywords in both Google web search and image search (especially when you search for the exact phrase). However, the malicious redirects occur only when you click on the search result in Google Images, which proves that the ultimate goal is to flood Google Images with these images, that is, a pure and simple black-hat SEO campaign.

The redirection has two stages. In the first, the redirection goes to an intermediate server (TDS), which then redirects to web pages that launch a fake antivirus tool (there are two different variations).

This is a real redirect string: