302 -> hxxp // video.bywhy .com /? k = girdles + pictures & s = google & r = http% 3A% 2F% 2Fwww.google.com% 2Fimgres% 3Fimgurl% 3Dhttp% 3A% 2F% 2Fbcsmusic.me% 2F% 253Fbdd% 253Dgirdles-pictures-Vyhynx % 2FbFO_9rUEvfK72isOTIVpmnmzLxnzp51gHqzVXi5I5jE2lyrsssMFcfbwOFoXk3VR8TwxTQeexe% 2FonLd6RPIG_M6hkLQMh6ACctX4kzsuwbN5w_6YOYxZYj1AJQl1OBCXNjPYQoA% 253D% 253Dxy5.jpg% 26imgrefurl% 3A% 2F% 3Dhttp% 2Fbcsmusic.me% 2F% 253Fbdd% 253Dgirdles-pictures% 26usg% 3D__6ho2Rtl5S4GcwInf2xzUhPN4vkI% 3D% 26h% 3D439% 26w% 3D262% 26sz% 3D98% 26hl % 3Din% 26start% 3D19% 26zoom% 3D1% 26um% 3D1% 26itbs% 3D1% 26tbnid% 3DoHNHWFmQjxIwqM% 3A% 26tbnh% 3D127% 26tbnw% 3D76% 26prev% 3D% 2Fsearch% 253Fq% 253Dsite% 3Abcsmusic.me% 2526um% 253D1 % 2526hl% 253Den% 2526sa% 253DN% 2526channel% 253Dfs% 2526biw% 253D1222% 2526bih% 253D260% 2526tbm% 253Disch% 26ei% 3DnU80TtGDG4mE-wa5vPH9DA & d = http% 3A% 2F% 2Fbcsmusic.me% 2F% 3Fbdd% 3Dgirdles-pictures
302 -> hxxp : // update34.svernick .in / index. php? Q0rhQ9S3be5GTHpOM5RNjiUpBaa7CmPerSb + VBBE57iCXCC1iDs + XgOe4qXsg1ggs5uk7Ck1GcwyRZ2vqM7MPVofO5WM3eBmP5tRpBeBu / kPphowRYvnTq2 + 4BmHNg ==
As you can see, the TDS server receives information about the keywords, the source and the referrer. The intermediate domain changes every day. These domains actually belong to other hacked sites (mostly built with WordPress).
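To make the hand-off above concrete for log review, here is an added example (not code from the original post) that decodes the k, s, r and d parameters of a redirect URL and flags requests that pass a search-engine referrer and a doorway URL to a third host. The log lines, the example.* hosts and the list of search engines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

SEARCH_HOSTS = ("google.", "bing.", "yahoo.")  # assumption: engines worth matching

# Constructed proxy-log sample: "<status> <url>". Hosts are placeholders.
SAMPLE_LOG = [
    "302 http://tds.example.net/?k=sample+keyword&s=google"
    "&r=http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2Fdoorway.example.org%2Fx.jpg"
    "&d=http%3A%2F%2Fdoorway.example.org%2F%3Fbdd%3Dsample-keyword",
    "200 http://shop.example.com/search?k=shoes&s=price",
    "302 http://news.example.com/out?r=http%3A%2F%2Fwww.google.com%2F"
    "&d=http%3A%2F%2Fnews.example.com%2Fstory",
]

def tds_fields(url):
    """Return the keyword (k), source (s), referrer (r) and doorway (d) fields."""
    query = parse_qs(urlsplit(url).query)  # parse_qs URL-decodes one level
    return {name: query.get(name, [""])[0] for name in ("k", "s", "r", "d")}

def is_tds_handoff(url):
    """True if the URL hands a search referrer and a doorway URL to another host."""
    fields = tds_fields(url)
    host = urlsplit(url).hostname or ""
    ref_host = urlsplit(fields["r"]).hostname or ""
    door_host = urlsplit(fields["d"]).hostname or ""
    from_search = any(name in ref_host for name in SEARCH_HOSTS)
    # The doorway page lives on a hacked site, not on the host being requested.
    third_party = bool(door_host) and door_host != host
    return bool(fields["k"]) and from_search and third_party

def flag_handoffs(log_lines):
    """Return (requested host, keyword, doorway host) for each suspicious line."""
    hits = []
    for line in log_lines:
        _status, url = line.split(maxsplit=1)
        if is_tds_handoff(url):
            f = tds_fields(url)
            hits.append((urlsplit(url).hostname, f["k"], urlsplit(f["d"]).hostname))
    return hits

if __name__ == "__main__":
    for hit in flag_handoffs(SAMPLE_LOG):
        print(hit)
```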
Here are a few intermediate TDS domains used in this attack:
The domain name of the fake antivirus website consists of a .in domain that changes every day and one of a few subdomains of the form "updateNN" or "scanNN", for example "update82.yourscan.in" or "scan73.moomles.in".
Here are a few .in domains of the fake antivirus sites used in this attack:
x-scan .in
Most .in sites point to the IP address 188.8.131.52 (United Kingdom, with contact information in Lithuania).
The fake antivirus sites serve "scareware" .exe executables with names like InstallSecurityScanner_225.exe. These files are repackaged every day and their detection rate (according to VirusTotal) is quite low. The typical detection rate for the files currently being served is 8/43 (18.6%). The rate usually improves once a given file is no longer in use, by which point a new file with a low detection rate is being served from the fake antivirus server.
As I mentioned above, and to be more specific, 4,358 compromised sites have been detected. Currently Google has detected less than 5% of them. If you use the Google Safe Browsing diagnostic page, it says something like this:
Malicious software is hosted on 2 domain(s), including bastandro .in/, senerino .in/.
It seems that 3 domain(s) are working as intermediaries to distribute malware to visitors to this site, including hireindians .net/, awalstudios .com/, bywhy .com/.
As I warned a few days ago, you need to update TimThumb if your theme uses it. There are no excuses, even less so given these results, don't you think?
But TimThumb is not the only culprit: sites have also been detected in which the attackers created a .htaccess file with rewrite rules above the root directory of the site. The rewrite rules map the backdoor URLs to some PHP script. There is nothing.
All the backdoor pages are cached somewhere on the server. Unlike other SEO poisoning attacks, these pages are not generated on the fly. If you specify different keywords in the URL you will get a 404 error. Incidentally, these 404 error pages are different from the normal ones that the hacked site has.
Further proof that the spam content is cached, and not injected into live WordPress pages at run time, are the timestamps at the bottom of the HTML code and the old entries in the "Recent entries" section. On some sites, instead of the site's real template, they use a prefabricated Kubrick template with a footer stamp that does not change from site to site but is always the same (WordPress 2.3.1, 22 queries, 0.912 seconds).
What do I do?
There are several checks and/or actions that we can perform:
- First, review your .htaccess file and remove any rewrite rule whose purpose you do not know. When in doubt, delete it and save the permalink structure again in the WordPress Settings so that a clean one is recreated.
- Update TimThumb to the secure version. I have already linked the ways to do it above; the entry that I wrote the other day covers different ways of doing it.
- Go to Google Webmaster Tools and check if your site has malicious software
- Install an exploit detector plugin and run it. There are several good ones in the official repository; do a search for "exploit".
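The .htaccess review in the first item can be partly automated. The following added example (not part of the original post) lists every RewriteRule that is not one of the stock rules inside the "# BEGIN WordPress" block, and also looks in the directories above the site root, where the post says the rogue rules were found. The sample file, its injected rule and the paths are constructed for illustration.

```python
import re
from pathlib import Path

# Targets used by the rules WordPress writes when permalinks are saved.
STOCK_TARGETS = {"-", "/index.php", "index.php"}
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed sample: line 2 is a made-up injected rule, the rest is the stock block.
SAMPLE = r"""RewriteEngine On
RewriteRule ^(.*)-pictures$ /cache/x.php?bdd=$1 [L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def audit_htaccess(text):
    """Return (line_no, pattern, target) for each rule WordPress did not write."""
    findings, in_wp_block = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("# BEGIN WordPress"):
            in_wp_block = True
        elif line.strip().startswith("# END WordPress"):
            in_wp_block = False
        m = RULE.match(line)
        if not m:
            continue
        pattern, target = m.groups()
        # Only stock targets inside the WordPress block are treated as known.
        if not (in_wp_block and target in STOCK_TARGETS):
            findings.append((no, pattern, target))
    return findings

def audit_tree(site_root, levels_up=2):
    """Audit .htaccess in the site root and in up to levels_up parent directories."""
    root = Path(site_root).resolve()
    report = {}
    for directory in [root, *list(root.parents)[:levels_up]]:
        f = directory / ".htaccess"
        hits = audit_htaccess(f.read_text(errors="replace")) if f.is_file() else []
        if hits:
            report[str(f)] = hits
    return report
```

Anything it reports still needs a human decision: a caching or redirect plugin may have added legitimate rules outside the WordPress block.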
That is nothing
Thanks to Juan for the notice
If you want to see what will be the new default WordPress theme, known as WordPress 2010, you can follow its development on the blog that will show its changes and evolution: 2010 Theme Development.
Personally, I think it's a good idea: a bigger font, the HTML elements, the drop-down menu, a width greater than Kubrick's and the CSS used for images and the gallery; but not the font used (serif) and, perhaps, the excessive height of the header.
One of the ideas that emerged in the talk among the feeds of the WordPress "core" code has been that in 2010 there will be a new default theme in WordPress, leaving the already veteran Kubrick to move on to another one that will be called … 2010 theme (a lot has not yet been squeaked out.)
Personally I think it's okay to change it all at once, but I do not know what theme style I would like it by default, what about you?
One of the most interesting seminars at the last Campus Party, and what happened to me here, is the one taught by Emilio García Piensa (of Piensaenpixel), in which he explained step by step how to create a new WordPress theme based on the Kubrick theme (default) of a basic WordPress installation.
Do not miss it! Long but very interesting …
http://www.youtube.com/watch?v=4emCygKNrLc
Well, since we already have here WordPress 2.7 it's time to start preparing the wish list for WordPress 2.8 . And for that, the Automattic guys – as it is becoming customary – propose a survey in which we can participate in the development of the next version, scoring our priorities and wishes for WordPress 2.8 .
Among the options that are being considered, we have the following (in parenthesis, some of my opinions):