In this attack, hackers exploit a security flaw in a popular file used by WordPress and other website-building platforms to crop and resize images (“Timthumb.php,” thus the name).

Hackers use the security hole to install malicious code or files into a website or server. From there, they can launch spear-phishing campaigns and denial-of-service attacks — where hackers overwhelm a website’s server by flooding it with requests, making the site unresponsive.

Timthumb attacks have hit millions of websites over the last two years, most of which have been small businesses, said StopTheHacker’s Banerjee.

“Business owners often don’t even know that their sites have been infected because it works silently,” he said, adding that the security flaw can be fixed with a patch.

By then, the damage has been done. Moreover, an infected website that’s launching DoS attacks also runs the risk of being blacklisted by Google.

The vulnerability was first discovered last August and has affected at least over 1.2 million websites.

Based on our analysis, exploiting the said vulnerability allows an attacker to insert a file into the target site’s Web servers. In the attacks we’ve seen, affected websites were injected with PHP scripts hosted in sites that have strings such as flickr.compicasa.comwordpress.com, and img.youtube.com.

Note that the URLs used to host the PHP scripts are not related to FlickrPicasaWordPress, or YouTube. The exploit includes those strings to bypass TimThumb’s validation process. It turns out that TimThumb looks for media hosting sites strings before allowing the upload to go through.

Once inserted into the Web server, the attacker now has a connection to the database and can perform other attacks. Attacks can vary from loading malicious files through the affected websites, to exfiltrating information from the affected server itself. We were able to retrieve a few samples of the inserted PHP files, and they are now detected as PHP_IRCBOT.AHCPHP_CREW.ASD, and PHP_RUMMAH.HG.

Vulnerability Leads to Malicious Code Execution & Backdoors

While checking for a file header may sound like a good idea, it doesn’t take into account that PHP can ignore anything outside of the <?PHP ?> tags. This means that hackers can add malicious PHP code at the end of a real image and their code will be executed whenever the file is requested.

This might not be a big problem if the script only downloads files from trusted sites that are unlikely to host malware. However, TimThumb only checked that the beginning of the URL matched popular lists of sites like:

  • com
  • com
  • com
  • com
  • youtube.com
  • com
  • com
  • wikimedia.org

For more Cyber Security Information contact us at help@theweborion.com