Feeds

Thousands of WordPress sites commandeered by Black Hole

Webmasters, update TimThumb now!

The essential guide to IT transformation

Mass attacks that exploit a known vulnerability in the WordPress publishing platform have continued to bear fruit for hackers, with thousands of websites claimed in the past few weeks, a researcher said.

The security bug, in a widely used image resizing utility known as TimThumb, allows attackers to seize control of WordPress websites, one of the victims warned nine weeks ago. A few days later, a security researcher found almost 4,400 WordPress sites had been commandeered in an attack that poisoned Google Image results with sites that attempted to trick users into installing counterfeit antivirus software. He speculated the cause was the same TimThumb exploit.

Although a fix for the TimThumb vulnerability has been available for more than two months, plenty of websites remain vulnerable. According to a research report published by Avast on Monday, thousands of websites have been infected by Black Hole, a hack-by-numbers toolkit available in underground forums for about $1,500 or for free for a scaled-down version. The kit installs an iframe in infected sites that silently redirects visitors to malicious sites.

"The bad guys are using a security vulnerability in non-updated TimThumb," Avast researcher Jan Sirmer wrote. "This allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files."

Avast alone blocked the redirection attempts from 3,500 unique websites in August and 2,515 sites last month, and Sirmer said he expects to see similar results this month. That may be only a small percentage of the total number of infected sites, since Avast is used by a small minority of people browsing the web. Sirmer said attackers may have compromised some of the websites by exploiting weak passwords.

Once a site is infected, it's not always easy to remove all the malicious code. Denis Sinegubko, the Russian researcher who discovered the WordPress attack used to poison Google Image results, has advised webmasters of compromised sites to look for rogue rules in the .htaccess files in the site root and above the site root directory. He has more here. ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?