TimThumb.php Malware attacks affecting WordPress sites

During the last two weeks of August we started seeing an alarming increase in the number of WordPress based websites that had been broken into. Within days we had handled more of these than we had seen in 12 years of hosting (numbers still thankfully in single figures though).

The security on our servers safeguards others sharing the same systems by ensuring that each break in is confined to just the FTP area of the affected user.

If you would like to quickly check your website for malware you can run a scan now using the following free service:

The issue is a zero day vulnerability in TimThumb.php that appears to have been first exploited across the Internet around the start of August. This security vulnerability allows the attacker to upload arbitrary files to people’s websites, including scripts, which can then be executed on the compromised site.

Zero day vulnerabilities are where hackers (crackers) attempt find a security hole in widely used software that is currently unknown by anyone else, including the software developer.

If successful, these then become zero day exploits where the cracker(s) then use this knowledge to carry out attacks and break in to websites containing the vulnerable code, which they then use for their own means (for example: to distribute malware or viruses).

Attackers scan random websites looking for vulnerable scripts, which can then be exploited to run pretty much whatever variant of malware or similar form of abuse they see fit to use.

WordPress allows for the use of themes and plugins created by third parties and TimThumb.php (along with many other scripts) has been included in many of these third party add-ons by the theme or plugin authors without any additional security measures being implemented.

It should be pointed out that this is not an issue with WordPress itself. The WordPress core development process is very tightly controlled and uses an excellent review process to help minimise vulnerabilities in the main WordPress code.

This issue here lies in third party plugins and themes, and not with WordPress, and with so many of these third party add-ons available, it’s not a simple task to identify potentially at risk sites.

More details about this issue can be found in the following external blog posts:

markmaunder.com – excellent explanation of how this attack works

sucuri.net – list of themes and plugins being scanned by attackers

sucuri.net – TimThumb.php – just the tip of the iceberg

sucuri.net – evolution of TimThumb.php malware and .htaccess redirections

This entry was posted in News, Security News and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *