Zero-Day attack of popular WordPress image plug-in TimThumb, millions of pages vulnerable
An image resizing utility bundled in many free and commercial WordPress themes (templates) allows a hacker to upload and execute code remotely. The "Tim Thumb" utility is intended to go to photo sites like Flickr.com or Photobucket.com, grab and resize photos to display on your website. However the way the code is written - requiring only a partial match on the host name - allows the script to copy nearly anything into your WordPress site, including malicious scripts from hackers. The Tim Thumb tool is so widely used that a Google search returns nearly 40 million results for "Timthumb."
The attack is called a "Zero Day" attack because when a developer first learns of an attack that is called Day Zero. So a Zero-day attack is one exploited by hackers before the developer knows about the vulnerability, let alone knows how to fix it.
This nasty problem might be easier to solve if it were confined to only sites that use Timthumb, but the popular script has been re-used and renamed Thumb.php, a name which results in 61 million hits in Google. However, many of these results may be other programs that use the same filename.
All WordPress owners should start with a free check to see if your site has already been hacked:
Next, until a fix for the utility is released, WordPress owners should take temporary preventative measures. This means DISABLING IMAGE RESIZING on your site. THIS MAY CAUSE IMAGES TO APPEAR LARGE OR NOT AT ALL ON YOUR SITE but your site is less likely to be hacked. This is like nailing wood over the windows of your business during a tornado. Those WP owners who fully understand this, and are very comfortable using their web host's control panel, can do the following:
- Log on to your web host's control panel
- MAKE A FULL BACKUP of the site and database and save it to your local computer (personal computer)
- Check to be sure the backup really really happened and is 100% complete
- Then delete the following from your website:
WP owners who are NOT comfortable doing the above should immediately contact their web hosts (may cost additional for support) or your technical pro.
Note that this only finds the Timthumb script that is in the typical location, not any script that is renamed thumb.php or something else or is in an atypical file location.
Next, malware monitoring service Sucuri.net has released a script that checks for this and other vulnerabilities. Only after making and checking the requisite backups listed above, Wordpress owners who are very comfortable with their web host's control panel should immediately do the following:
- Download the script from http://sucuri.net/tools/sucuriwpcheck.txt
- Upload the script using your web host's control panel.
- Rename the script extension from .txt to .php
- Now run the script by typing the following into your browser's address bar:
The Sucuri.net script will tell you if there are no timthumb scripts or whether there is other action you should take. You must take these actions.This completes the emergency work, but do not stop here.
Next, you need to be sure you are informed the minute a fix is released for this or any other WordPress update or plug-in.
Go to http://google.com/alerts and set up a Google Alert as follows:
SEARCH: Wordpress security TYPE: Everything HOW OFTEN: As-it-happens VOLUME: All results DELIVER TO: Your most reliable email address.
After hitting the CREATE ALERT Button, check your email box for a verification email. You must click the verification link in that email to complete the alert setup. Watch your email box for a few days to be certain the alerts are coming in! Set up a new alert if none come in.
Now you will know the moment that a fix is released for the plug-in, and can take immediate action. On an ongoing basis, be sure to do the following:
- Always keep your WordPress site, themes and plug-ins updated
- Always, always back up your site. You may be able to use the plugin Automatic WordPress Backup
- Download plug-ins only from a reliable source like WordPress.org
- Only use plug-ins that are being actively updated for the current version and have received numerous good reviews
- Remove all plug-ins that you are not actively using.
There are many more steps to be taken as well. WordPress owners must actively educate themselves on security. Enlist a site monitoring service like Sucuri.net to scan your site every three to six hours for intrusions and receive alerts by email or to your mobile phone. If your site is breached, Sucuri will remove the infection and restore your site as best they can. Your daily or weekly backups will determine how disruptive this will be.
Pablo Alberto says:
Wow! thanks for your help,