For the second time in two years, Dan Tynan's website, eSarcasm.com, has been hacked, this time with code that redirected referrals from Google, Yahoo and other search engines to Viagra ad sites. After conducting a thorough security review with CodeGarage.com, an online security scanning service similar to Sucuri, they discovered that the point of entry was the zero-day TimThumb vulnerability discovered back in August of 2011.
Last August, a zero-day vulnerability affected TimThumb that allowed hackers to execute their PHP code on any site that was running it. As it turns out, the WordPress theme we bought for the site employs pieces of TimThumb code — including the flaws that were exploited.
Now we have to wait for the spammy search results to evaporate from Google’s cache before everything returns to normal.
Be sure to read the tips that Dan and his security adviser provide on protecting your site. Despite the vulnerability being patched soon after its discovery, sites are still being compromised. Because of the long tail effect and so many websites using WordPress these days, who knows when this point of entry will stop being taken advantage of.
I guess this will be happening a long time into the future.
Thanks for the link to http://codegarage.com/, I hadn’t heard of them before. Looks like an interesting service, although the “backups kept for 30 days” business seems a bit crappy. I’d want access to much older backups in case I didn’t notice a problem for more than 30 days (entirely possible if something subtle was altered).
TimThumb exploits can be a pain in the ass. Took me nearly two weeks to really get to the bottom of it. And still, the problems only ended when I stopped using the script.
I use/used a shell script that will download a fresh copy of TimThumb for all sites that use it; it was a way to replace it without a headache.
# fetch the current upstream copy once
wget -q -O ~/newtim.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
# overwrite every bundled copy under the current directory (path is passed as $1 so odd filenames are handled safely)
find . -name "timthumb.php" -exec sh -c 'echo "patching $1" && cp ~/newtim.php "$1"' _ {} \;
rm ~/newtim.php
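A companion check to the replace-all script above, added here as an example (not the commenter's code nor anything from the TimThumb project): it walks a WordPress tree, finds every bundled timthumb.php (themes and plugins alike, which is where the outdated Nivo Slider and Swift copies mentioned in later comments hide), reads the VERSION constant the script defines, and flags any copy older than a minimum version. The minimum version is an assumption set via MIN_SAFE; check the current TimThumb release before relying on the default.

```shell
#!/bin/sh
# Scan a WordPress install for bundled copies of timthumb.php and flag any
# whose VERSION constant is older than the minimum we consider safe.
# MIN_SAFE is an assumption for this example; set it to the current release.
MIN_SAFE="${MIN_SAFE:-2.0}"

# Print the VERSION constant defined in a timthumb.php file, or "unknown".
timthumb_version() {
    v=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# Return 0 if version $1 is older than version $2 (dot-separated numeric parts).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        [ "$ap" = "$a" ] && a= || a=${a#*.}
        [ "$bp" = "$b" ] && b= || b=${b#*.}
        ap=${ap:-0}; bp=${bp:-0}
        [ "$ap" -lt "$bp" ] && return 0
        [ "$ap" -gt "$bp" ] && return 1
    done
    return 1
}

# Walk $1 (default: current directory) and print one tab-separated line per
# copy found: status (OUTDATED/ok), detected version, path.
# A copy with no readable VERSION is treated as OUTDATED: unknown is not safe.
scan_timthumb() {
    root=${1:-.}
    find "$root" -type f -name 'timthumb.php' | while IFS= read -r f; do
        ver=$(timthumb_version "$f")
        if [ "$ver" = unknown ] || version_lt "$ver" "$MIN_SAFE"; then
            status=OUTDATED
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$status" "$ver" "$f"
    done
}

# usage: MIN_SAFE=2.8.10 sh scan.sh /var/www/example.com/wp-content
[ -n "$1" ] && scan_timthumb "$1"
```

Pipe the output through `grep ^OUTDATED` to get only the copies that need replacing; on a multisite install run it once from wp-content since every sub-blog shares the same themes and plugins directories.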
This continues to expose issues with the THEME > PLUG-IN model that WordPress employs.
If the core could handle a correlation between themes and the plug-ins, then frameworks and child-like functionalities could be updated without any harm to theme/template/core versioning.
Sadly plug-in functionality is consistently overwritten by theme functionality, even when that has nothing to do with templating/front-end. It completely falls foul of the most basic MVC-type separation of data, formatting and processing. Thus almost every theme front-loads its functionality into the VIEW aspect rather than the CONTROLLER.
For WordPress users who are not plugged in to the core or development, that makes it exceptionally difficult to keep both up to date and keep track of. In the short term (1 day) this was a TimThumb issue; in the long term, it's a WordPress Core issue about the management of its data. A decision that has completely gone the way of WP.com and bloggers.
I’m secretly laughing because when I googled for an article I read which backed this up it came from “he who shall not be named” 14 months ago: http://kevinjohngallagher.com/2011/03/now-theme-disconnect/
I’ve had to de-hack quite a few of these, and I found a plug-in in the repository that will 1) Scan, 2) Fix, and 3) Alert you of any vulnerabilities.
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
This is why it is important to use themes with auto-upgrade capabilities. It’s a good thing that Envato recently released a toolkit to help their theme developers use auto-upgrade notifications, as they are a huge source of themes that never get updated.
http://notes.envato.com/general/envato-wordpress-toolkit/
Hey Ryan –
Peter from Codegarage here.
We hear you. Longer backup retention periods in some form (i.e. daily backups to 30 days, monthly backups up to a year) are on our list, and I'm hoping we'll have it implemented within the next 6 weeks or so. Thanks for having a look!
I’m not familiar with the eSarcasm site, so it’s not obvious to me where on that site to find these tips you’ve mentioned—and there doesn’t seem to be a direct link to them in your article :-(
This is why I stopped using the script altogether. Why take the risk … it is always being updated, which is a pain, and you are never sure if it is stable or not and for how long.
Note: the Theme Check Plugin will also alert that a Theme is using TimThumb.
This is the Plugin used by the Theme Review Team, and TimThumb alerts as a warning-level notice, which means that a Theme with TimThumb bundled won’t even pass the Theme Repository uploader script checks. Themes using TimThumb are no longer accepted in the official repository, so if you want to be certain that you are not vulnerable, I recommend using a Theme from the official repository.
@Brian Krogsgard – It's a little off topic, but there's also a plugin called Theme Updater that will allow anyone who hosts their themes on GitHub to allow automatic updates through the use of Git tags. That way any security patches can be fixed and pushed out even if the theme isn't in the official Repo.
I think that a non-repo third-party service that verifies themes that are deemed “safe” would be useful, especially since a lot of the best themes use non-GPL compliant parts (Shadowbox, Skeleton Framework, just to name a few)
@Mitch Canter – that’s a good one to note! thanks.
@Brian Krogsgard – Here’s the original post, FYI
Lol. I was just contracted to clean a multisite (192 sub-blogs total) hit with the TimThumb exploit not more than 5 days ago… Problem was an out-of-date script in the Nivo Slider plugin (outdated version)… I was astounded that people don't update regularly… or back up for that matter…
Funny thing is, that after the site was infected, it ran probes on a long list of dreamhost accounts for the same timthumb exploit…
If you have ever used Swift Theme you need to check your image folder. I discovered TimThumb files left behind after I deleted the theme.