G Data SecurityLabs discovered potentially dangerous code injections in WordPress pages. Attackers managed to inject code and turn the websites into “zombie” websites that can be controlled remotely.
The injected code in the present cases is <SCRIPT id="googleblogcontainer"> and it is inserted towards the end of the webpage’s source code. We’ve seen it inserted multiple times into one webpage, with 100 or more lines of code between each injection.
Please note: The missing “L” in googlebogcounter is most probably a typo made by the attackers.
The attackers can adjust the counter.php file to their needs and can include commands to download and install malware or redirect visitors to malicious websites or anything else.
According to the WHOIS information, the server hosting counter.php is/was located in Russia, and the exact same IP was involved in the so-called TimThumb attack earlier this year. TimThumb is a plug-in for the content management system WordPress; it suffered from a zero-day vulnerability which was subsequently exploited.
The G Data security solutions detect the mentioned script as JS:Downloader-AZF [Trj].
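Site owners can also search their own files for the markers named above. The following is an added example, not G Data's code: it flags script tags carrying the id from the article and, as an assumption of this example, tags whose attributes mention googlebogcounter or counter.php. The function names and the sample page are constructed for illustration.

```python
import os
import re
import sys

# Markers from the article: the injected id, the misspelled name, the remote file.
# Matching the last two inside a tag's attributes is an assumption of this example.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
ID_ATTR = re.compile(r"""\bid\s*=\s*["']?googleblogcontainer\b""", re.IGNORECASE)
OTHER_MARKERS = ("googlebogcounter", "counter.php")

def find_injections(html_text):
    """Return (line_number, reason) for every script tag carrying a marker."""
    hits = []
    for match in SCRIPT_TAG.finditer(html_text):
        tag = match.group(0)
        line = html_text.count("\n", 0, match.start()) + 1
        marker = next((m for m in OTHER_MARKERS if m in tag.lower()), None)
        if ID_ATTR.search(tag):
            hits.append((line, "id=googleblogcontainer"))
        elif marker:
            hits.append((line, "tag contains " + marker))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Scan files under root and return {path: hits} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(suffixes)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = find_injections(handle.read())
            if hits:
                results[path] = hits
    return results

# Constructed sample page: two injected tags around a legitimate script.
SAMPLE = """<html><body>
<p>Post text</p>
<SCRIPT id="googleblogcontainer"></SCRIPT>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script id='GoogleBlogContainer'></script>
</body></html>
"""

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": find_injections(SAMPLE)}
    for path, hits in found.items():
        for line, reason in hits:
            print(f"{path}:{line}: {reason}")
```

counter.php is a common file name, so a hit on that marker alone needs manual review; a hit on the id is the marker the article reports.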
What WordPress users can do now
So far, we cannot verify whether the infections result from a vulnerability in any of the WordPress plug-ins installed in the case seen, the WordPress CMS itself or a password hack (e.g. an automated attack). But we can definitely advise you to do the following if you are using a WordPress page: