4 replies to this topic

[ryan]

I just lost the better part of a day fixing a client's WordPress installation that had been hacked, turning their web sever into an IRC file distribution hub, a DDOS farm and peppered with exploit scripts all over the place. Despite running the latest version of WordPress, apparently the site theme had a plugin (TimThumb) with an exploit that lets folks turn your server into a playground.

Thankfully the hackers that did it weren't malicious and didn't want anything with the sites on the server, just the resources and bandwidth. So the site never had to come down, though the server load and bandwidth usage was through the roof for a couple days.

This may be old news for some, but I don't use WordPress much. If any of you are running WordPress anywhere, do yourself a favor and scan for TimThumb, even if you think everything is up-to-date. I did it like this:

grep -r allowedSites wp-content/*

If it turns up files like timthumb.php or thumb.php (or anything else), double check that they aren't vulnerable. Here's some more info:

http://www.exploit-d...b-exploitation/

http://markmaunder.c...rdpress-themes/

http://wordpress.org...bility-scanner/

While you are in your site files, do this grep as well:

grep -r base64 ./*

A lot of the scripts that I had to remove today were base64 encoded and eval'd, and this helped to track some of them down (among other searches). This will turn up some legitimate WordPress stuff too, but it's relatively easy to tell the difference. Assuming TimThumb was their entry point, they did a good job of hiding it. All the exploit code was elsewhere in other themes, plugins, cache files, hidden directories and more.

Since I lost so much time to WordPress and this issue today, I just wanted to post it in here in case anyone else runs into the issue. I'm just hoping I found everything...

[Soma]

I got an WP installation for a friend on my host. I experienced already this kind of base64 encoded scripts at the end of the index.php's... I think it is related to this then, thanks for the infos. I will also have to take a look then.

Sorry to hear you lost so much time on this. Glad you posted this here.

[MarcC]

Since you can use TimThumb with any CMS, it's definitely worth scanning for. I have used it in the past with Textpattern. It's neat but I remember last August & that was a gaping security hole. Glad it was forked and fixed and re-merged.

This may be old news for some, but I don't use WordPress much.

I don't do Wordpress projects anymore. I have had some clients ask about it because they heard about it from friends, but it's a low-end market and the good folks who develop WordPress have a roadmap that diverges from what most of my clients want and how they want it. I just tell my clients that and, if anything, it gets me more business. There is a very large audience for the product, but it's not my audience.

[slkwrm]

As far as I know PHPThumb (is TimThumb a fork of it?) also has similar kind of vulnerability. And I heard MODx developers found a way to get around it in Revo, but a lot of sites running other CMSs are still using this library and it's very careless thing to do. Btw, it seems like PHPThumb's creator is looking for a maintainer.

[ryan]

I shouldn't be angry with WordPress, as this TimThumb plugin is something completely separate from it and like you've mentioned, common in several other CMSs too. But there just seems to be a never ending supply things that can happen in WordPress like this. I suppose that's due to the popularity of the platform more than anything else. But even if it's not the fault of WordPress, I always worry about the clients that I have using it.