• Numerous WordPress sites have been hacked this month. Sites that I have set up for Clients started getting hacked approx. on 3/13/12.

    The malicious code (shown at the end of this post) is what results.

    Research on the ‘net has pointed to a ‘timthumb’ vulnerability in themes that are used within WP. I’ve made searches looking for the timthumb code and have come up empty.

    I do not believe that this, in all cases, is a TimThumb exploit. Every Client I have that is running WordPress got hacked in the last few days. My website was hacked, and I keep WP and the plugins and themes updated. Similarly, I use .htaccess and php.ini directives, as well as mods to WordPress itself to help secure matters. None of my themes had the TimThumb code present. The TimThumb scanner plugin did not locate it elsewhere on the site.

    In fact, the only tool that indicated that something had happened was the Website Defender WP plugin, but only by dint that it told me that a lot of files had been modified.

    It does seem like it is a WordPress ‘related’ exploit (but not specifically the Blog when installed all by itself). The vulnerability present has not come to light through my direct searching or searching for answers on the ‘net.

    Only webhosts / websites that had WordPress on or associated with them were hacked. It didn’t matter whether WP was updated completely, or their plugins were, or their themes were, or even if the various webhosts had differing security directives set up via PHP.INI and .htaccess.

    I’m at a loss as to what to do beyond the ‘scorched earth’ approach, which is definitely not practical under many situations.

    At any rate, here is the malicious code, without its opening and closing PHP tags:

    [ Code remove, please do not post malicious code here use pastebin.com instead if you must ]

    Any help anyone can give in how to fix the exploit, or otherwise neutralize it would be greatly appreciated.

    Thank you all for your time.
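As an added example (not part of the original post or any WordPress plugin), here is a small Python script that does the two things the post touches on from the defender's side: it keeps a SHA-256 baseline of a WordPress tree so that "a lot of files modified" can be listed exactly, and it flags files that mention TimThumb or PHP dropped under wp-content/uploads. The sample site, the "timthumb" marker and the uploads heuristic are constructed assumptions for the demo, not WordPress rules.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed heuristics: a case-insensitive "timthumb" marker and the WP uploads path.
TIMTHUMB_MARKER = re.compile(rb"timthumb", re.IGNORECASE)
UPLOADS = "wp-content/uploads/"

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare(root, baseline):
    """Files that are new, changed or missing relative to a saved baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(set(baseline) - set(current)),
    }

def suspicious_files(root):
    """Flag PHP under uploads and any file whose bytes mention timthumb."""
    root = Path(root)
    hits = []
    for p in (q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        if rel.startswith(UPLOADS) and rel.endswith(".php"):
            hits.append((rel, "php under uploads"))
        if TIMTHUMB_MARKER.search(p.read_bytes()):
            hits.append((rel, "timthumb marker"))
    return sorted(hits)

def demo():
    # Constructed sample site: take a baseline, simulate tampering, run both checks.
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        baseline = build_baseline(site)
        (site / "index.php").write_text("<?php /* injected */ require 'wp-blog-header.php';\n")
        (site / "wp-content" / "uploads" / "img.php").write_text("<?php // timthumb\n")
        return compare(site, baseline), suspicious_files(site)
```

In practice the baseline is saved (e.g. as JSON) right after a clean install or update and compared on a schedule, so the report names the exact files to inspect rather than only a count.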

  • The topic ‘WordPress hacking in 3/2012’ is closed to new replies.