The Latest in IT Security

Revisited – TimThumb exploit effects

07 Nov 2011

We have talked about the TimThumb WordPress plugin exploit before. If you haven’t read it yet, I recommend you read our previous post here: Vulnerability in TimThumb WordPress Plugins – The Effects.

Today I found quite a few TimThumb-related URLs when I was checking our Advanced Classification Engine detection feedback, so I ran one of them in the lab:

 

Obviously, the sites were hacked. I dug a little bit more and, no surprise, there are more compromised sites out there, according to our Websense® Security Labs™ ThreatSeeker™ Network.

From checking the IP addresses of the sites, we can see that these sites are mainly located in the United States.  

 

From the first figure, we can see there is a traffic distribution system behind the attack. So again, we go to our system, and it is surprising this time: they are all based on the same ASN – ASN 16265 – LEASEWEB LeaseWeb B.V., a very low-reputation ASN.

The final landing page is http://us.yimg.com/i/s/, and it is not available now. But the landing page could be anywhere: as with some exploit kits we have seen before, the hacker may still have control of the compromised sites.

Speaking of WordPress exploits, http://www.wordpressexploit.com has done a very good job summarizing published WordPress vulnerabilities. The results are quite scary: 35 exploits in the last month! That is a lot of work for WordPress users.

 

People have made many attempts at hardening WordPress installations, and have even written a number of plugins to do the security scanning (such as Timthumb Vulnerability Scanner). However, these scanners are themselves plugins, like the exploitable plugins discovered before, and may also be exploitable.

Websense TRITON Advanced Classification Engine (ACE) protects customers against this attack.
