/wp-content/themes/vilisya/timthumb.php?src=URL
/wp-content/themes/intelligible/NETWORK&%3B%3Bsa%3DU&
%3B%3Bei%3D7SXNUfCzJ4npPK3NgaAB&%3B%3Bved%3D0CKABEBYwLA&%3B
%3Busg%3DAFQjCNFkuMQoYmKV7otJWH8XhDQuyWsThw/wp-content/themes/wp-content/themes/
intelligible/timthumb.php?src=URL
/&%3Bsa%3DU&%3Bei%3DUPLuUJzMJojQsgaK1oH4Aw&%3Bved
%3D0CHQQFjAjOKwC&%3Busg%3DAFQjCNFa2mF5vpai2FoiaIoQxORX_igmpw/wp-content/themes
/wp-content/themes/vilisya/timthumb.php?src=URL
What all of the entries had in common was the last part. The URL was in all entries the same.
/wp-content/themes/THEMENAME//timthumb.php?src=URL
I remembered that there was a Zero Day Vulnerability in many WordPress Themes in August 2011. The Vulnerability was in the image resizing utility called timthumb.php and allowed attackers to upload and execute arbitrary PHP code in your timthumb cache directory. So much for that.
When I visited the URL I found about 10 files, some encrypted with base64 and DEFLATE and some available in plain text. Some of the files had a 1337 PHP hacker shell as content but this was not interesting for me. The interesting part was an PHP IRC Bot, with all the features of a traditional botnet. And of course with all the needed information, such as server, channel and password to look at it a bit closer.
I connected with a standard IRC client to the server and entered the Channel both stood, including the password, in the PHP file. I counted around 80 bots, ok it's not the biggest botnet which I have seen but it is still active. After I started to collect a little bit more information about the bots, I was banned from the server by one of the Admins.
But I am sure that we will soon find out more information about this botnet.
