WordPress Hacks revealed.
Thursday, August 25th, 2011
So there is a new WordPress hack that is running rampant right now. It exploits the TimThumb.php script that is commonly found in many WordPress themes and plugins. The image resizer script “timthumb.php” has a known and very large security hole that has recently been the target of many hacks. This script is widely used in WordPress themes and plugins, as it provides a simple and quick way to resize and modify images “on-the-fly”, and is easily integrated into both.
What does this security compromise do?
This security hole allows the attacker to arbitrarily upload or create files and folders on a compromised account, which can then be used for a myriad of nasty things. This compromise often causes the site to be flagged as malicious by Google, driving away customer traffic. Furthermore, it infects the database, several WordPress core files and the .htaccess file, and typically adds deeply-hidden “backdoor” files intended to re-infect the account on demand.
How can I tell if my account is compromised?
Unfortunately the code and referring URLs in the offending hack are continually updated, showing different referrers and script names periodically, which makes searching for this compromise very difficult or impossible to do on a wide scale. However, there is a guide here that can be used to at least determine whether your copy of the file is compromised:
http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/
There is also a tell-tale error that appears on affected customer sites; it typically looks like this:
Warning: Cannot modify header information – headers already sent by (output started at /home/user/public_html/wp-settings.php:332) in /home/user/public_html/wp-includes/pluggable.php on line 934
What should I do?
If you are using this script, it is strongly advised that you immediately either patch the existing copy of timthumb.php or upgrade it to a version above 2.0, which is supposedly secured by its developers. The latest code can be found here, on the Google Code website:
http://timthumb.googlecode.com/svn/trunk/timthumb.php
Alternatively, the file can be updated without moving to version 2.0 by using a patch available here:
http://code.google.com/p/timthumb/issues/list
It would appear that a number of developers using “timthumb.php” have already updated their scripts to the safer version, or patched it with one of the available patch scripts floating around on the Internet. However, please note that if the site was already compromised, patching alone will not fix anything. Have them check with their developers or theme vendor for a patch.
But I need my site up NOW!
You can temporarily restore functionality to the website by removing the 4 or 5 blank lines at the end of the wp-settings.php file named in the warning above, but this simply allows the site to run again rather than actually removing the compromise. Because the compromise arbitrarily creates, uploads and modifies files and directories, removal can be difficult or nearly impossible even for a skilled user. In fact, the best way to recover from this is to restore a clean backup and then patch your site from there.
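A defensive check for the two symptoms described above (an old timthumb.php copy, and the blank lines appended to wp-settings.php that produce the “headers already sent” warning), written here as an added Python example that is not part of the original post. It assumes timthumb.php declares its version with a define('VERSION', ...) line; the sample site it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")

def timthumb_version(path):
    """Return the version from a line like define ('VERSION', '1.33') (assumed format), or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = VERSION_RE.search(fh.read())
    return match.group(1) if match else None

def find_old_timthumbs(root, minimum="2.0"):
    """List (path, version) for every timthumb.php under root that is unversioned or below minimum."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "timthumb.php":
                path = os.path.join(dirpath, name)
                ver = timthumb_version(path)
                if ver is None or tuple(map(int, ver.split("."))) < tuple(map(int, minimum.split("."))):
                    hits.append((path, ver))
    return hits

def has_trailing_output(path):
    """True if whitespace follows the closing ?> tag: PHP swallows only the one newline right
    after ?>, so extra blank lines are sent as output and trigger 'headers already sent'."""
    with open(path, "rb") as fh:
        data = fh.read()
    tail = re.search(rb"\?>\r?\n?(\s*)\Z", data)  # whitespace beyond the single newline PHP drops
    return bool(tail and tail.group(1))

def scan_site(root):
    return {"old_timthumb": find_old_timthumbs(root),
            "settings_trailing_output": has_trailing_output(os.path.join(root, "wp-settings.php"))}

def build_sample_tree():
    """Constructed sample: old timthumb in a theme, current one in a plugin, padded wp-settings.php."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    samples = {
        os.path.join(root, "wp-content", "themes", "demo", "timthumb.php"): b"<?php\ndefine ('VERSION', '1.33');\n",
        os.path.join(root, "wp-content", "plugins", "gallery", "timthumb.php"): b"<?php\ndefine ('VERSION', '2.8.1');\n",
        os.path.join(root, "wp-settings.php"): b"<?php\n// core settings\n?>\n\n\n\n",
    }
    for path, body in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root
```

Run scan_site against a real document root to get the same report; a hit in either key means the site needs the patch or, if already compromised, a restore from a clean backup.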
