A Nasty Hole in Timthumb.php
I’ve used the StudioPress Genesis themes for over a year now, but previously used a variety of others. One, Metamorphosis, included a handy thumbnail generator called Timthumb.php (or more precisely, thumb.php).
It appears that someone figured out how to exploit Timthumb to insert arbitrary code in WordPress blogs.
Since I was no longer using that theme, I had forgotten it was even installed. But it seems that users can manually request theme files even if the theme isn’t activated.
On Sunday, someone from IP address 188.8.131.52 (specenergo2.ru) requested dozens of different themes that use timthumb.php or thumb.php. They hit the jackpot with the following request:
184.108.40.206 - - [22/Jan/2012:02:00:52 +0000] "GET /wp-content/themes/metamorphosis/thumb.php HTTP/1.1" 400 319 "-" "-"
This was clearly an automated attack, and provided a solid clue about the hack.
220.127.116.11 - - [24/Jan/2012:10:12:39 +0000] "GET /2008/07/26/move-os-x-time-machine-backups-new-disk//wp-content/plugins/backups/cache/68d579e3ed4163b172ee2b887dc8ba54.php HTTP/1.1" 301 839 "-" "Mozilla/5.0 (Windows;U;Windows NT 6.0; en-US; rv:18.104.22.168pre) Gecko/20070928 Firefox/22.214.171.124 Navigator/9.0RC1"
This code apparently caused site visitors to open an invisible frame with ads in it. It sets a cookie so it won’t run more than once, and also checks to hide itself from many spiders and search engines.
So it’s basically a web ad scam, intended to defraud someone like Yahoo by making it appear their ads are getting more impressions and clicks than they really are.
I was able to detect the malware using sitecheck.sucuri.net, which is where this name comes from. Note that they claim it comes from infected desktops, but I am fairly certain it came instead from the Timthumb php attack.
Cleanup was not at all straightforward, since it was mixed with detection and deduction.
The first thing to do was protect Timthumb from further exploits. I installed Timthumb Scanner, which detects and updates compromised versions of Timthumb.php.
Next, I reinstalled WordPress and my themes. Then I blew away my Super Cache files.
I also changed my blog password and WordPress cookie salts.
Finally, just to be safe, I ran chkrootkit and changed my UNIX passwords.
This appears to have eliminated this particular attack. I hope this helps!
Christian Mohn says
The lesson here is that you need to 1) keep your unused plugins/themes updated as well as the used ones or 2) Delete unused “cruft”.
Since the WordPress plugins/themes lives in wp-content/ they are all live and accessible, even if they are not active in the WordPress install.
BTW, this also goes for other “left over” files, like temp files your editor might save when editing files. If you use the Joe editor to manually hack away at files, you might see fun files like wp-config.php~ in your wp-content/ folder, and this file is also web accessible and since it´s not named .php it won´t be processed by PHP.
Guess what that file contains?
Sounds like you are not sure if you removed the reasons to avoid it in future and what they were?
Or you are?
I believe that a blog can be compromised through 2d party services being compromised to which it gives access (starting from Google+ and ending by Disqus)
I’m confident the malware came from the Timthumb exploit documented here, though I agree that the more you use other services the more vulnerable you are. And this was a clever and durable attack. Technically interesting but personally annoying.
Michael McNamara says
It’s always the small details that trip people up… I had a test/development site and had an old copy of Thesis on it. Thankfully I was restricting access via htaccess to just a few machines.
Thanks for the story!