Old image resize script leaves 1 million Web pages compromised

Timthumb can still be attacked when found in unused WordPress themes

A serious code injection vulnerability affecting timthumb, a popular image resize script used in many WordPress themes and plugins, has been exploited in recent months to compromise over 1 million Web pages.

Estimating the impact is not an easy task, according to website integrity monitoring vendor Sucuri Security, which monitored the fallout of this flaw since it was first announced at the beginning of August.

The company's researchers have devised a method that involves using Google to search for compromised pages where the malicious code malfunctioned.

"If you are familiar with PHP/WordPress, you'll notice that [the attack] is adding the output of this function (counter_wordpress, which calls 91.196.216.30/bt.php) to the header of the compromised site," Sucuri Security's David Dede said.

"Everything is OK, but what happens when the site 91.196.216.30 goes down? If the site has display_errors enabled on PHP, this will show up: 'Warning: file_get_contents(http://91.196.216.30/bt.php?ip=IP&host=..'," he explained.

Searching for this error on Google returned over 1 million results and using filters for the last 30 days, returned over 200,000.

There are other factors to consider as well when trying to estimate the impact, like the fact that Google results correspond to compromised pages, not websites, as one website can have multiple pages infected. Also, not all servers have the display_errors feature enabled in PHP, which means no error will be outputted even if a site is affected.

It's also worth considering that Sucuri's method is used to estimate the impact of one particular attack. There's no telling how many websites compromised by different exploits targeting this vulnerability are out there. Dede believes that there could be a couple of million.

Webmasters should immediately replace the timthumb.php file bundled with their blog's themes or plugins with the latest version which is no longer vulnerable. However, it isn't enough to just patch currently active components, as leaving old timthumb versions anywhere on the server poses a similar threat.

"[Thousands] of sites were hacked because they had unused themes (or plugins) that included a vulnerable version of the script. Yes, in a lot of cases the script wasn't even enabled, it was just sitting there idle on the server," Dede said.

His recommendation is to remove old scripts or test accounts that are no longer necessary, because a new vulnerability that affects them can be identified at any time, and this doesn't apply only to WordPress blogs.

For example, many webmasters install a current version of phpMyAdmin, a popular Web-based database management tool, in order to perform a one-time task and then leave it on the server thinking it's patched up and password-protected.

Months later, someone can discover a vulnerability in that version and exploit it to inject malicious code in the underlying databases. This is not a theoretical attack. Compromises like this happen all the time and attackers use automated tools to search for vulnerable installations or crawl websites for default directories where these tools are usually located.

"Remove all unneeded software from the server. Even at rest, over time, the risk of being exploited is growing," Dede concluded.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityWordpressExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?