Old Image Resize Script Leaves 1 Million Web Pages Compromised

A serious code injection vulnerability affecting timthumb, a popular image resize script used in many WordPress themes and plugins, has been exploited in recent months to compromise over 1 million Web pages.

Estimating the impact is not an easy task, according to website integrity monitoring vendor Sucuri Security, which monitored the fallout of this flaw since it was first announced at the beginning of August.

The company's researchers have devised a method that involves using Google to search for compromised pages where the malicious code malfunctioned.

"If you are familiar with PHP/WordPress, you'll notice that [the attack] is adding the output of this function (counter_wordpress, which calls 91.196.216.30/bt.php) to the header of the compromised site," Sucuri Security's David Dede said.

"Everything is OK, but what happens when the site 91.196.216.30 goes down? If the site has display_errors enabled on PHP, this will show up: 'Warning: file_get_contents(http://91.196.216.30/bt.php?ip=IP&host=..'," he explained.

Searching for this error on Google returned over 1 million results and using filters for the last 30 days, returned over 200,000.

There are other factors to consider as well when trying to estimate the impact, like the fact that Google results correspond to compromised pages, not websites, as one website can have multiple pages infected. Also, not all servers have the display_errors feature enabled in PHP, which means no error will be outputted even if a site is affected.

It's also worth considering that Sucuri's method is used to estimate the impact of one particular attack. There's no telling how many websites compromised by different exploits targeting this vulnerability are out there. Dede believes that there could be a couple of million.

Webmasters should immediately replace the timthumb.php file bundled with their blog's themes or plugins with the latest version which is no longer vulnerable. However, it isn't enough to just patch currently active components, as leaving old timthumb versions anywhere on the server poses a similar threat.

"[Thousands] of sites were hacked because they had unused themes (or plugins) that included a vulnerable version of the script. Yes, in a lot of cases the script wasn't even enabled, it was just sitting there idle on the server," Dede said.

His recommendation is to remove old scripts or test accounts that are no longer necessary, because a new vulnerability that affects them can be identified at any time, and this doesn't apply only to WordPress blogs.

For example, many webmasters install a current version of phpMyAdmin, a popular Web-based database management tool, in order to perform a one-time task and then leave it on the server thinking it's patched up and password-protected.

Months later, someone can discover a vulnerability in that version and exploit it to inject malicious code in the underlying databases. This is not a theoretical attack. Compromises like this happen all the time and attackers use automated tools to search for vulnerable installations or crawl websites for default directories where these tools are usually located.

"Remove all unneeded software from the server. Even at rest, over time, the risk of being exploited is growing," Dede concluded.

Subscribe to the Security Watch Newsletter

Comments