WordPress Tavern
Where Every Drink Is On The House

The Aftermath Of The TimThumb Vulnerability

By Jeffro on November 1, 2011

Sucuri Security has a great post that begins to review the aftermath of the massive exploitation of the TimThumb image resizer script. According to their calculations, about a million pages have been compromised through the script, and even when filtering their results down to the past thirty days, there were over 200,000 results. Exploitation of the script is still an ongoing problem and will most likely continue to be for the foreseeable future. If you think an old version of the TimThumb script is on your server, use the TimThumb vulnerability scanner plugin.

The TimThumb exploitation event is interesting in that so many websites became compromised even though the issue was not in the core of WordPress itself. I wonder whether there are any other popular scripts or dependencies used by plugins or themes that could end up in the same situation.

Posted in News | Tagged exploit, images, security, timthumb | 5 Responses

WordPress.Net.IN Taken Offline

By Jeffro on June 7, 2010

Back on June 1st, Michael VanDeMar published a lengthy post explaining the process he goes through in order to clean up an infected website. One exploit that Michael points out is a bad index.php file which, if run as an include(), pulls malicious content from the domain WordPress.Net.IN. According to Michael, this domain has been in existence for at least three years, having first been registered in 2007.

Not only is it being used as an exploit delivery mechanism, but it is also violating the WordPress trademark. According to comments made on the post by Matt Mullenweg, he had attempted to contact the domain registrar to have the domain taken offline.

Okay, well short story is I looked into this when the hack first came up, but haven’t noticed it since and haven’t thought about the domain since then. I’ll contact some friends in the domain business to see what we can do now. (We have a lot more resources than three years ago.)

A few days later, Matt confirmed that the domain had been taken down with some help from Justin at GoDaddy. However, there is a difference between taking a domain down and taking ownership of it on the basis of the WordPress trademark. It's not clear yet whether Matt has put in the effort to try to take ownership of the domain. If not, it's possible that at some point down the road the domain will be used again on a different registrar/host, which wouldn't be good for anyone, especially if it continued to be used as an exploit delivery tool.

I'm interested in how the WordPress trademark is being protected. Is it the sole work of Matt going after violators, or is there a team of lawyers acting on Matt's behalf? I'd also be interested to hear how a typical trademark violator is dealt with, everything from discovery to the process of getting the domain removed or taking over ownership. I think it would be something a lot of folks in the community would be interested to know about.

As for the other point in Michael’s post regarding priorities, meh.

Posted in News | Tagged domains, exploit, hosting, trademark | 8 Responses

Steps To Diagnose And Repair The Pharma Hack

By Jeffro on April 16, 2010

Chris Pearson, whose personal site recently became infected with the Pharma Hack, which took advantage of his site's popularity and back-links to cloak spam links in Google results, has published an in-depth piece on how to diagnose and fix the problem. Chris goes into detail about what the hack does and how to use tools such as phpMyAdmin and FTP to determine whether you've been infected. According to his analysis, this hack is pretty clever in the way it accomplishes its goals without being blunt about it. There is no telling how long the spam links would have existed had it not been for Pearson fans letting him know about it. Unfortunately, Chris Pearson has no idea how the hacked files got into his account.

At this time, there is still one huge unanswered question about the WordPress pharma hack: How in the hell did the hackers manage to get into your server in the first place? I’ve received reports of the pharma hack on a variety of different Web hosts and server configurations, so it’s clear that the main vulnerability extends beyond a single host/server platform. So far, the only common denominator between the sites I’ve examined is that they’re all running WordPress, but even this fact doesn’t mean that WordPress itself is the problem.

There is currently an ongoing thread in the Tavern forum where we are trying to piece together the various bits of information to find a set of consistencies, but with reports spread out among different hosts and environments, the one commonality between them all is the use of WordPress. On the surface, this has everyone thinking there is some inherent flaw in the WordPress software causing this attack. Until officially confirmed, this is not the case; it's just a similarity. If you have been hit with this attack, you are encouraged to participate in the thread and explain the circumstances that occurred in your case.

Kudos to Chris Pearson for diving deep into the issue and then providing a fix that hopefully solves the problem for other people in the community.

Posted in News | Tagged cloak, exploit, hack, pharma | 3 Responses

© Copyright WPTavern 2012 All rights reserved