Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Old image resize script leaves 1 million Web pages compromised

Timthumb can still be attacked when found in unused WordPress themes

A serious code injection vulnerability affecting timthumb, a popular image resize script used in many WordPress themes and plugins, has been exploited in recent months to compromise over 1 million Web pages.

Estimating the impact is not an easy task, according to website integrity monitoring vendor Sucuri Security, which monitored the fallout of this flaw since it was first announced at the beginning of August.

The company's researchers have devised a method that involves using Google to search for compromised pages where the malicious code malfunctioned.

"If you are familiar with PHP/WordPress, you'll notice that [the attack] is adding the output of this function (counter_wordpress, which calls 91.196.216.30/bt.php) to the header of the compromised site," Sucuri Security's David Dede said.

"Everything is OK, but what happens when the site 91.196.216.30 goes down? If the site has display_errors enabled on PHP, this will show up: 'Warning: file_get_contents(http://91.196.216.30/bt.php?ip=IP&host=..'," he explained.

Searching for this error on Google returned over 1 million results and using filters for the last 30 days, returned over 200,000.

There are other factors to consider as well when trying to estimate the impact, like the fact that Google results correspond to compromised pages, not websites, as one website can have multiple pages infected. Also, not all servers have the display_errors feature enabled in PHP, which means no error will be outputted even if a site is affected.

It's also worth considering that Sucuri's method is used to estimate the impact of one particular attack. There's no telling how many websites compromised by different exploits targeting this vulnerability are out there. Dede believes that there could be a couple of million.

Webmasters should immediately replace the timthumb.php file bundled with their blog's themes or plugins with the latest version which is no longer vulnerable. However, it isn't enough to just patch currently active components, as leaving old timthumb versions anywhere on the server poses a similar threat.

"[Thousands] of sites were hacked because they had unused themes (or plugins) that included a vulnerable version of the script. Yes, in a lot of cases the script wasn't even enabled, it was just sitting there idle on the server," Dede said.

His recommendation is to remove old scripts or test accounts that are no longer necessary, because a new vulnerability that affects them can be identified at any time, and this doesn't apply only to WordPress blogs.

For example, many webmasters install a current version of phpMyAdmin, a popular Web-based database management tool, in order to perform a one-time task and then leave it on the server thinking it's patched up and password-protected.

Months later, someone can discover a vulnerability in that version and exploit it to inject malicious code in the underlying databases. This is not a theoretical attack. Compromises like this happen all the time and attackers use automated tools to search for vulnerable installations or crawl websites for default directories where these tools are usually located.

"Remove all unneeded software from the server. Even at rest, over time, the risk of being exploited is growing," Dede concluded.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Google, Hewlett-Packard, HP
References show all
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: security, Wordpress, Exploits / vulnerabilities
Latest Blog Posts
Whitepapers
  • Manufacturing Overview
    An enterprise resource planning (ERP) software solution provides the ability to access the right information, from the right source, at the right time, empowering all users throughout the supply chain. This report explains how your solution can identify the resources needed to capture, produce, ship, and account for customer orders, while supporting the various manufacturing processes.
    Learn more »
  • Avoiding Common Pitfalls of Evaluating and Implementing DCIM Solutions
    While many who invest in Data Centre Infrastructure Management (DCIM) software benefit greatly, some do not. Research has revealed a number of pitfalls that end users should avoid when evaluating and implementing DCIM solutions. Choosing an inappropriate solution, relying on inadequate processes, and a lack of commitment / ownership / knowledge can each undermine a chosen toolset’s ability to deliver the value it was designed to provide. This paper describes these common pitfalls and provides practical guidance on how to avoid them.
    Learn more »
  • Information Management
    Valuable data can be a needle in a haystack, but by leveraging the value in existing information assets, organisations can generate real and achievable gains in revenue generation, IT investments and productivity gains. This whitepaper discusses how Information Management (IM) is a multi-faceted discipline that can be employed to meet or exceed your business objectives.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Salary Calculator

Supplied by

View the full Peoplebank ICT Salary & Employment Index

Recent comments