Well, I - like many others, it seems - got hacked via the TimThumb exploit.
I found 2 scripts (eventually) in my theme's includes/temp dir.
This was happening every few seconds. As you can see they are now getting 404s.
Turns out that IP was in a list here: Block Timthumb Vulnerability Scan Bots From Hacking Your Site
Also happened to find a C99Shell backdoor script. All happening today.
TimThumb updates can be found here: http://timthumb.googlecode.com/svn/trunk/timthumb.php
Code:
83.103.119.239 - - [21/Feb/2012:20:49:22 +1000] "GET /wp-content/themes/widescreen/includes/temp/thumb.php?url=http://www.ookra.com/wp-content/themes/ HTTP/1.1" 404 13790 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10" 236 14275
83.103.119.239 - - [21/Feb/2012:20:49:33 +1000] "GET /wp-content/themes/widescreen/includes/temp/thumb.php?url=http://www.finmanagementsource.com/wp-content/themes/ HTTP/1.1" 404 13804 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10" 250 14289
83.103.119.239 - - [21/Feb/2012:20:49:42 +1000] "GET /wp-content/themes/widescreen/includes/temp/thumb.php?url=http://xn--22c0b2cxbd6f0c.gang-soi-9.com/wp-content/themes/ HTTP/1.1" 404 13810 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10" 256 14295
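An added example, not part of the original post: a small access-log triage script that finds requests like the ones in the log above (a thumbnail script asked to fetch a remote URL), groups them by client IP, and lists any that did not return 404. The script-name pattern, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined log format; trailing fields after the status code are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: script names as seen in the log above, plus timthumb.php itself.
SCRIPT_RE = re.compile(r'/(?:tim)?thumb\.php$', re.IGNORECASE)

def remote_fetch_probe(target):
    """Return the remote URL if a thumbnail script is asked to fetch one."""
    parts = urlsplit(target)
    if not SCRIPT_RE.search(parts.path):
        return None
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            return value
    return None

def summarize(lines):
    """Group probes by client IP: hit count, remote hosts, non-404 answers."""
    report = defaultdict(lambda: {"hits": 0, "hosts": set(), "served": []})
    for line in lines:
        m = LINE_RE.match(line)
        remote = remote_fetch_probe(m["target"]) if m else None
        if remote is None:
            continue
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["hosts"].add(urlsplit(remote).hostname)
        if m["status"] != "404":  # script answered: inspect its cache/temp dir
            entry["served"].append((m["ts"], m["target"]))
    return dict(report)

# Constructed sample lines (documentation IPs and example domains, not real data).
SAMPLE = [
    '203.0.113.7 - - [21/Feb/2012:20:49:22 +1000] "GET /wp-content/themes/demo/thumb.php?url=http://a.example.com/wp-content/themes/ HTTP/1.1" 404 13790 "-" "Opera/9.80" 236 14275',
    '203.0.113.7 - - [21/Feb/2012:20:49:33 +1000] "GET /wp-content/themes/demo/timthumb.php?src=http%3A%2F%2Fb.example.net%2Fx.php HTTP/1.1" 200 512 "-" "Opera/9.80" 250 900',
    '198.51.100.4 - - [21/Feb/2012:20:50:01 +1000] "GET /wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/pic.jpg&w=100 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 300 4500',
    '198.51.100.4 - - [21/Feb/2012:20:50:05 +1000] "GET /index.php?page=2 HTTP/1.1" 200 8000 "-" "Mozilla/5.0" 280 8400',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Entries under `served` are the requests worth following up first, since the script responded instead of returning 404.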