I’ve had two reports in the last 12 hours of WordPress blogs that were compromised via the Timthumb hack being listed as malware by Google. If you try to visit either site, you are confronted with the following:
These sites are listed with the warning that “This site may harm your computer” in Google’s search results and Google blocks access to the site with a warning forcing you to manually type the URL into your location bar if you really do want to visit the site:
One of the site owners sent me the detailed info that Google Webmaster Tools was giving her:
This malicious code is appearing intermittently on this author’s WordPress site. I’ve seen this same pattern recently in blogs I’ve repaired, and the way it works is that the site periodically downloads new PHP code from a remote site run by the attacker and re-injects it into the WordPress code. That allows the attacker to add, remove and update whatever code he/she is executing on your blog, so they could for example update any spam links every few hours.
To prevent your site being listed as malware, clean it as fast as possible
The fastest way to do this, although it doesn’t guarantee a complete clean, is the following:
- Remove all old plugins and themes you aren’t using.
- Upgrade all your plugins and themes to the latest versions and make sure none of them use an old version of Timthumb.
- Clean any Timthumb cache directories.
- Upgrade your entire WordPress installation, even if it’s already at the latest version. This overwrites all WordPress files.
- Search your directory tree for any remaining suspicious files that contain base64_decode wrapped in an eval() statement, or URL-encoded data. More info on how to do this search here. Delete any files you find. NOTE: If you don’t find any additional infected files in this step, it’s highly likely that your site is not clean. Every attack I’ve seen so far using Timthumb gets in by uploading a file into the cache directory and then uploads an additional file into a writeable directory on the blog to ensure continued access once the cache is cleaned. Make sure you find that additional file.
- Make sure the only directory that is writeable in your WordPress installation is wp-content/. Directories like wp-admin and wp-includes should be read-only for the web server.
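The search in the last two steps, as a small scanner added here for illustration (not code from the original post): it walks a WordPress tree and flags PHP files that wrap eval() around a decode call, that carry a long base64 or percent-encoded blob, or that live in a server-writeable directory at all. The writeable directory names, the regexes and the sample tree it builds in a temp directory are my own assumptions.

```python
import os
import re
import tempfile
# Two tells of injected PHP: eval() fed by a decoding call, or a long opaque encoded blob.
EVAL_DECODE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|urldecode)\s*\(", re.I)
LONG_BASE64 = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
LONG_URLENC = re.compile(r"(?:%[0-9A-Fa-f]{2}){40,}")
WRITEABLE_DIRS = {"cache", "uploads", "tmp"}  # assumed server-writeable names; PHP here is suspect

def scan_tree(root):
    """Return (relative_path, reason) findings for every suspicious PHP file under root."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        dir_parts = set(os.path.relpath(dirpath, root).split(os.sep))
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if dir_parts & WRITEABLE_DIRS:
                findings.append((rel, "php file in writeable directory"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if EVAL_DECODE.search(src):
                findings.append((rel, "eval() wrapping a decode call"))
            elif LONG_BASE64.search(src) or LONG_URLENC.search(src):
                findings.append((rel, "long encoded blob"))
    return findings

def build_sample_tree():
    """Constructed demo tree (not a real site): two clean files, a cache upload with the classic
    eval(base64_decode(...)) one-liner, and a second foothold in uploads/ with no literal eval( call."""
    root = tempfile.mkdtemp(prefix="wp_demo_")
    files = {
        "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; }\n",
        "wp-content/themes/demo/timthumb.php": "<?php // up-to-date thumbnail script\n",
        "wp-content/themes/demo/cache/a1b2.php": "<?php eval(base64_decode('" + "QUJD" * 60 + "'));\n",
        "wp-content/uploads/wp.php": "<?php $c='" + "%41" * 50 + "'; $f='eval'; $f(urldecode($c));\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print(f"{reason}: {rel}")
```

Point scan_tree at a real document root and review every hit by hand; the second planted file shows why the blob check matters even when no eval( string is present.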
If you are already listed as malware by Google, here is what to do
Potential long term impact of this vulnerability
The fact that I’ve seen the same domain being used by attackers on multiple blogs suggests this attack may be partially or fully automated. The worst case scenario is that we end up with a WordPress botnet with thousands or tens of thousands of servers on high bandwidth links compromised and able to send spam emails or launch a huge DDoS attack.
Keep in mind that most botnets are made up of compromised Windows machines on relatively slow home broadband connections, with uplink speeds of around 512kbps. These WordPress servers are on links of at least 10 Megabits per second each, so they have plenty of firepower for a coordinated attack. In pure bandwidth terms, one WordPress server equals at least 20 infected PCs.

If you are searching the web for tutorials on hacking, I recommend you begin from the simple stuff and work your way up.
I had deleted the Swift theme which uses timthumb, but when I checked my wp-content folder, I found timthumb files inside the upload folder.
It seems if you have used a vulnerable theme before, the timthumb files are left behind even after deleting the theme.
I am having the same problem. Thanks for the help, let’s see if it helps.
Everyone has such great suggestions.
@ David Dede – Just tried your scanner, great tool. $90 for a year is pretty reasonable considering how much downtime would cost a company dependent on their website for business.
@Vid – great trick!!!! I would have been just running a search.
It’s all messed up; my site went down completely, now I can’t even access it. Hackers enjoy this, as it’s for fun they prove they are better than the WordPress guys. This is pathetic. The WordPress guys had better work out something fast, before all the sites go down and Google blacklists them. Damn.
This is a good and really informative article.
Thank you.
Apparently Hostgator altered mod_security to block the exploit on their hosting accounts.
Maybe other hosts could do so as well?
http://forums.hostgator.com/modsecurity-timthumb-update-t136535.html
Joe,
Not all hosts use mod_security, but other things hosts can do are:
1. block outgoing requests from the firewall (we did this)
2. block remote fopens
There are many ways to skin this cat; as long as it gets skinned, that is the goal.
This has happened to me 3 times in the past week!
VERY helpful
On one site I recently cleaned I also found the shell script in the server’s /tmp directory, so it is very important to check every folder that the PHP user can write to.
I think Google is doing the right thing here.
If you don’t (or are not allowed to) use Perl on your server, in FileZilla there is a function to do a ‘remote search’ (under the binoculars on the menubar). Do a search for ‘tim’ (just to be sure) and see what it comes up with. It is not very fast, but you can run it in the background, as it displays a list with results.
In general, here are some tips to secure your blog: http://www.hongkiat.com/blog/hardening-wordpress-security/
And, for complete backups: http://www.blogvault.net (I cannot tell if they scan/detect, so you need to check before you restore your site).
Thanks for the instructions! I have shared it on G+.
A further suggestion on hardening your site: in addition to making all files and directories outside of wp-content non-writeable by the server, wouldn’t it be a good idea to additionally write-protect all the PHP files *inside* wp-content as well? Let’s say you have the owner of the files as www-data and the group as your user, for convenience; then executing
sudo chmod u-w wp-content/*.php
sudo chmod u-w wp-content/*/*.php
sudo chmod u-w wp-content/*/*/*.php
and so on (however many layers deep are needed, and of course executed from the WP root) could prevent the malware from getting a toehold. That is, even if they somehow inject a page with malicious code amongst your nicely cleaned PHP files, it won’t be able to do anything to modify your files, and that should stop the infection until a routine scan can weed out the intruder.
P.S. I just gotta say, I am SO glad I usually develop with Python in Django and Pinax……….
LOL! You purist you. PHP is what we use to get the job done around here.
Yes; and then you can do it again, and again, and again, as it breaks under attack!
Sorry for the double comment, but I just saw Vid’s suggestion and was wondering if that changes all instances of timthumb everywhere it is, including in the text of files like functions, or just swaps the file to the new safe one? Do we still need to go in and change all the fixed_timthumb.php back to just timthumb for it to work properly?
This message was exactly what alerted me to the problem last Friday. Google must have been doing it since at least then. Thanks to your posts, I updated my timthumb scripts and scrubbed all the suspicious base64 calls out. I never found an entire suspicious file though, so I should go back and check. Hopefully nothing has “respawned” because I didn’t clean it completely last time.
Thanks for the info!
My site was hacked through timthumb and it looks like it was all automated.
I had these files in the compromised theme folder:
wp.php – the phpshell
sm3.php
r1.php
d.php
and a changed .htaccess file that redirected all inbound traffic from a list of search engines to a Russian site on hitting my site.
Seems that the mail server was also being used to send out spam, and then loads of the emails have bounced back and I can see the content of them. It seems that they are all linking to an sm3.php on other compromised blogs in each email, like a massive automated spam-making worm.
I have hundreds of bounce-backs, each with different domains. Many with wp.php still installed on them. These are all sending emails too.
I’m also getting loads of inbound HTTP requests looking for sm3.php in my theme folder, which is not there anymore, so it’s returning a 404, but I’m getting at least 1 request a minute and this all counts towards my bandwidth.
I guess the only way it will stop is if everyone realises they have been hacked and they tidy up their sites.
What a massive problem!
p.s. sorry for the big comment but thought it might help some people.
Cheers for all the info on your blog too.
Wow. This is worrying. Thanks for the detail, James. Going to ping Matt M about this. Sounds like the WordPress core team may need to roll something out.
No worries, let me know if you need any more details.
Google blacklisted more than 2k sites with that malware so far. And the Sucuri scanner found more than 16k sites compromised:
http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html
Anyone can do a quick site scan (for free) to see if it is hacked here:
http://sitecheck.sucuri.net
Thanks David. I ran your scanner on my site and a known infected site as comparison. It shows the site is listed as malware with Google but not that it’s currently running infected code. The attack periodically updates the site with a new payload. For some reason the attackers seem to remove the spam links and reinject them a few hours later, periodically. So the tool seems great, but just want folks to keep in mind that a local filesystem scan is the only sure way to tell if you currently have malicious code running on your site.
Mark and others reading this: if you host a couple of thousand WordPress sites like us, here’s a quick brute-force way of at least making sure you don’t have the vulnerable timthumb on your sites.
1. Copy the latest timthumb from Google Code on to your server and call it fixed_timthumb.php
2. cd /
3. find . -name timthumb.php | xargs -i cp /your/brand/new/fixed_timthumb.php {}
Vid you’re awesome! Great idea.
For those of you who don’t know, Vid runs WordPress hosting company ZippyKid.com.
Thanks for the plug. Keep up the great work.
It must be them Joomla peoples mad that WordPress is better. Just kidding..lol
Can they change all the theme/plugin files to the new timthumb file before we get them to use on our sites, while they are still in the repository? Then we could just re-upload all our themes/plugins without the bad stuff?