WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector

On 1 August 2011, Mark Maunder revealed, after experiencing a defacement himself, that the “timthumb.php” script, included in hundreds of WordPress themes, was vulnerable to a remote file inclusion (RFI) attack. TimThumb is a small PHP script for cropping, zooming and resizing web images (jpg, png, gif). The default configuration of the “timthumb.php” script, in many WordPress themes, allows …

gangbang.mytijn.org Malware Spreader Down

By analyzing the payloads and the associated C&C used by the WordPress TimThumb botnets, I found an interesting C&C server named “gangbang.mytijn.org”. In collaboration with CIRCL Luxembourg, the domain gangbang.mytijn.org has been down since 14 December 2011. This C&C server was known for spreading tonnes of malware on the Internet. The initially infected WordPress sites were: …

About.US Domain Names Registrar Owned

During some analysis of the WordPress TimThumb botnet, I discovered that a .US domain registrar known as “About.US” is completely compromised, and has been since at least 15 September. Some RFI (Remote File Inclusion) scripts, which exploit the WordPress TimThumb vulnerability, are calling, in an obfuscated way, a hidden file “stun.jpg” on the “About.US” web …