The mysterious /tmp/.tmp folder

If LFD reports a /tmp/.tmp folder on your server, you have been hit with the latest timthumb.php hack, which is circulating among WordPress sites that dodged the first mass infection last August for unknown reasons. The /tmp/.tmp folder contains a list of the IPs of Firefox visitors who have visited your site and were exposed to malicious JavaScript that triggers Flash and Reader vulnerabilities in an attempt to install a fake AV scanner (which easily succeeds for users without a good antivirus to catch it). It uses both cookies and the IP list to prevent the code from appearing more than once per visitor, and it only appears for Firefox users, making the injected code very difficult to track down. Another file contains a cached copy of obfuscated JavaScript code which is presented to the victims and is re-downloaded/changed often. A random PHP include file in wp-includes is injected with the code that makes all of this work. The infected WordPress file's modification date remains unchanged, making it very difficult to find unless you know exactly what to look for.

First, you need to make sure all timthumb instances are up to date. If you're not using cPanel, modify the following script appropriately; otherwise run it as is:

http://djlab.com/2012/01/auto-find-update-timthumb-php-instances-on-cpanel/

Find the infected PHP file, which you need to clean up:

cd /home/username/public_html
grep "<\?php.{2,15} = array" * -REl --include='*.php'
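As an added example (not part of the original post), here is the grep signature above wrapped in a shell function and run against a constructed WordPress-like tree containing one file with the injected shape and one clean file, together with a check for the /tmp/.tmp marker. The directory names and sample file contents are made up for the demo.

```shell
#!/bin/sh
# Scan DIR for PHP files whose content matches the post's signature:
# "<?php", then 2-15 characters (the random variable name), then " = array".
# Prints one matching path per line; exit status is grep's (0 = found).
find_injected_php() {
    dir="$1"
    # -R recurse, -E extended regex, -l print only file names.
    grep -REl --include='*.php' '<\?php.{2,15} = array' "$dir" 2>/dev/null
}

# Report whether the /tmp/.tmp marker folder the post describes exists.
# Takes the tmp root as an argument so the check can be pointed at a test tree.
tmp_marker_present() {
    [ -d "$1/.tmp" ]
}

# Demo on a constructed tree (hypothetical site, not real data).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-includes" "$work/tmp/.tmp"
    # Constructed sample of the injected shape: random variable set to an array.
    printf '<?php $xqzv = array("a","b");\n' > "$work/site/wp-includes/class-abc.php"
    # A clean include for contrast; must not be reported.
    printf '<?php\nfunction wp_foo() { return 1; }\n' > "$work/site/wp-includes/clean.php"
    echo "Injected files:"
    find_injected_php "$work/site"
    if tmp_marker_present "$work/tmp"; then
        echo "marker folder .tmp present under $work/tmp"
    fi
    rm -rf "$work"
}

demo
```

Because the post notes that the injected file's mtime is left untouched, compare inode change time instead (`ls -lc` or `stat`), which ordinary file tools cannot set back.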

Then, look for any other back doors which may be lying around and either clean or remove the files. Open each file and review it manually before cleaning/deleting, as there may be false positives:

http://djlab.com/2010/09/finding-php-shell-scripts-and-php-exploits/

Finally, remove the /tmp/.tmp folder and update WordPress and every theme and plugin. Remove any unused plugins or themes, because these can still be hacked into.

3 Responses to The mysterious /tmp/.tmp folder

  1. Staff says:

    Thanks for this wonderful article. By the way, I get the following error while executing one of the grep commands

    nibin@nibin-laptop:~$ grep “((eval.*(base64_decode|gzinflate))|document\.write\(“\\u00|r57|<\?php.{2,15} = array|c99|sh(3(ll|11)))" . -roE –include=*.php*
    bash: syntax error near unexpected token `3'

    Also, please would you explain what does grep "<\?php.{2,15} = array" part do?

    1. Randy says:

      Seems that WordPress is stripping a slash before the double quote towards the middle of the regex. The {2,15} part is looking for any php file that begins with

      "< ?php $variable = array"

      as the infected files started with a random variable name set as an array to mask itself.

    2. Randy says:

      Script format fixed by the way.