In a previous blogpost I have demonstrate that the WordPress TimThumb RFI vulnerability is used as a botnet recruitment vector. Since this blogpost 1 month has occur, and two and half months since our HoneyNet is gathering events about this botnet.
Actually we have see 30 different domains, related to 37 different IP addresses used to infect vulnerable WordPress (see table).
These 30 different domains are for now related to 370 IP addresses how are surely infected WordPress. Here a representation on how is linked to how.
Also you can find by clicking on the following link a geo localization time map of all the related IP addresses.