The Register® — Biting the hand that feeds IT

Feeds

Thousands of WordPress sites commandeered by Black Hole

Webmasters, update TimThumb now!

By Dan Goodin, 2nd November 2011
  • print
  • alert

Agentless Backup is Not a Myth

Mass attacks that exploit a known vulnerability in the WordPress publishing platform have continued to bear fruit for hackers, with thousands of websites claimed in the past few weeks, a researcher said.

The security bug, in a widely used image resizing utility known as TimThumb, allows attackers to seize control of WordPress websites, one of the victims warned nine weeks ago. A few days later, a security researcher found almost 4,400 WordPress sites had been commandeered in an attack that poisoned Google Image results with sites that attempted to trick users into installing counterfeit antivirus software. He speculated the cause was the same TimThumb exploit.

Although a fix for the TimThumb vulnerability has been available for more than two months, plenty of websites remain vulnerable. According to a research report published by Avast on Monday, thousands of websites have been infected by Black Hole, a hack-by-numbers toolkit available in underground forums for about $1,500 or for free for a scaled-down version. The kit installs an iframe in infected sites that silently redirects visitors to malicious sites.

"The bad guys are using a security vulnerability in non-updated TimThumb," Avast researcher Jan Sirmer wrote. "This allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files."

Avast alone blocked the redirection attempts from 3,500 unique websites in August and 2,515 sites last month, and Sirmer said he expects to see similar results this month. That may be only a small percentage of the total number of infected sites, since Avast is used by a small minority of people browsing the web. Sirmer said attackers may have compromised some of the websites by exploiting weak passwords.

Once a site is infected, it's not always easy to remove all the malicious code. Denis Sinegubko, the Russian researcher who discovered the WordPress attack used to poison Google Image results, has advised webmasters of compromised sites to look for rogue rules in the .htaccess files in the site root and above the site root directory. He has more here. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (5)
Latest Comments
Jan Ingvoldstad
Reply Icon

TimThumb is not a WordPress plugin.

It is more commonly a part of themes and other WordPress plugins, so you won't know that your TimThumb is out of date. You have to trust that the WordPress plugin creators provide an updated version.

Unfortunately, many of the plugins and themes using TimThumb are commercially paid editions which are not managed directly by WordPress' own plugin database, you download and install them semi-manually or fully manually.

Also, these plugins and themes rarely publish which TimThumb version they use, they don't publish security advisories or notes regarding their products, and and and.

Nevermind that the entire concept of TimThumb is b0rken, technically speaking. :)

Generally, allowing pluggable PHP code is a Bad Thing security wise.

0
0
Andy Fletcher
Reply Icon

The problem with one press installs

...is that the hosting companies generally have old versions of WordPress. I helped a guy recently, his hosting package meant he couldn't do a "normal" WP install as he didn't have rights to create databases, and had to use their installer. If I hadn't told him he absolutely had to update imediately, he probably wouldn't have.

I've said it before, computers becoming seemingly easier to use is not necessarily such a good thing. Now everyone is using them.

0
0
Anonymous Coward
Anonymous Coward
Reply Icon

WordPress has an excellent system for in-place updates. (way better than Drupal for example). It highlights any out-of-date add-ons such as TimThumb and a couple of clicks will automatically download and install it directly to the site.

If people haven't upgraded then they probably aren't keeping a close eye on their site. The upside is that nobody is visiting them much either.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17