Many self-hosted blogs running the open-source WordPress.org software have lately been hit by hackers. Bloggersweekly was attacked too, and that's why I am writing this post: I found the Superpuperdomain hacker script in my folders. But before directing any blame at WordPress.org, it is important to note that this particular breach only happened because the hackers were able to exploit a vulnerable image-resizing script named TimThumb. And because of its popularity, it has done quite a bit of damage:
Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes.* Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications. That, combined with the severity of the flaw, means that this is one of the more serious issues in the WordPress ecosystem in a while, even more than normal because it wasn’t in core.
It could have gone a lot of ways, but the incident brought out the best in the community. The core team sprang into action searching through the theme directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it. Mark Maunder, who originally discovered and broke down the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up. Forking is not usually ideal because it fragments the market for users but Mark soon connected with Ben Gillbanks, long-time WordPress community member, and they’ve teamed forces to release TimThumb 2.0, a collaboration that exemplifies Open Source at its finest. An updated plugin should be in the directory shortly…..Learn More
TimThumb was the whole problem. Here is how the announcement described it:
Yesterday we learned of a vulnerability in a popular image resizing library called TimThumb, which is used in many WordPress themes and plugins. The vulnerability was first reported by Mark Maunder in a post on his blog, and has been confirmed by the author of TimThumb.
The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.
We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or plugin directory. After you remove the TimThumb library make sure you check that your site is still working correctly…..Learn More
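To make the quoted description concrete, here is a small model of the flaw and of a stricter check. This is an added illustration written for this post, not TimThumb's own code and not Mark Maunder's: TimThumb 1.x accepted a remote image URL if one of a fixed list of allowed host names appeared anywhere in the URL string, and whatever it fetched was written into the cache directory. The allowed-site list below is a constructed sample (the real list was longer), and `safe_cache_name()` is assumed hardening, not the project's actual fix.

```python
"""Model of TimThumb's allowed-site check: the weak form and a hardened form.

Added illustration for this post, not TimThumb's own code. The allowed-site
list is a constructed sample and safe_cache_name() is assumed hardening.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed sample; the real list in timthumb.php was longer.
ALLOWED_SITES = ["blogger.com", "wordpress.com", "img.youtube.com"]

# Magic bytes of the image types we are willing to cache (assumed list).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_is_allowed(url: str) -> bool:
    """The flawed check: a substring match over the whole URL.

    'http://blogger.com.evil.example/shell.php' contains 'blogger.com', so it
    passes, as does any URL that merely mentions an allowed site in its path,
    query string or user-info part.
    """
    lowered = url.lower()
    return any(site in lowered for site in ALLOWED_SITES)


def strict_is_allowed(url: str) -> bool:
    """Hardened check: parse the URL and compare the host name itself.

    Only http(s) is accepted, user-info in the authority ('a@b') is rejected,
    and the host must equal an allowed site or be a subdomain of it with a
    dot boundary, so 'blogger.com.evil.example' no longer matches.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def safe_cache_name(url: str, body: bytes):
    """Second line of defence (assumed hardening): the cache file name never
    comes from the URL. The extension is chosen from the sniffed image type,
    so a PHP payload is refused instead of being written next to the site's
    code. Returns None when the body is not a recognised image."""
    for magic, ext in IMAGE_MAGIC.items():
        if body.startswith(magic):
            digest = hashlib.sha256(url.encode("utf-8")).hexdigest()[:32]
            return f"timthumb_{digest}.{ext}"
    return None


if __name__ == "__main__":
    samples = [
        "http://blogger.com/photo.jpg",
        "http://blogger.com.evil.example/shell.php",
        "http://evil.example/?ref=wordpress.com",
        "http://blogger.com@evil.example/shell.php",
    ]
    for u in samples:
        print(f"{u:45} weak={weak_is_allowed(u)!s:5} strict={strict_is_allowed(u)}")
```

Run it and the first URL passes both checks while the other three pass only the weak one. Note that the strict host check alone is not enough: if a file fetched from a genuinely allowed site can still be written with a `.php` name into a web-reachable cache directory, a compromised or user-content host on that list gets you the same result, which is why the cache name and extension must be decided by the server, not the URL.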
I was concerned and wanted to double-check whether I was infected, so I ran a scan with Sucuri.net here. Lo and behold, I was, and then I started to investigate further. Here's some more info:
Many people are asking us about this “counter-wordpress.com” type of malware, so we will post some details here. Our scanner has been identifying it for a while, so if you think your site is compromised, just check it in there.
So first, to make things clear, this is happening on sites that include the vulnerable timthumb.php script on them. You have to make sure that none of your themes or plugins are vulnerable. You can get more information here on how to verify it: TimThumb PHP Vulnerability – Just the Tip of the Iceberg. This is not a vulnerability on WordPress……..Learn More
Now, before I continue with the ongoing developments, I suggest several very important steps, whether or not you were hacked. Do the password changes after you have removed the vulnerable file and any planted code, otherwise a backdoor that is still in place simply captures the new passwords:
Step 1. Go to WordPress.com here and change the password for the account you signed in with when you set up your blog. You had to create it when activating Akismet.
Step 2. Change the password for your blog's admin login.
Step 3. Change the password for your FTP account. You do this through your hosting control panel.
Step 4. Turn off pingbacks throughout your blog, in every possible way they can come back to you. Refer to my last post, where I covered it extensively.
Step 5. Block all spam IPs that can communicate with your blog and dump a hack on you. Go to this article here.
Now you should feel much better, but there's much more to do. There's more to check, and even if your scan did not pick up any infected files you can still be infected. This brings me to my next step, which concerns a very powerful plugin.
Step 6. I STRONGLY suggest you grab this plugin immediately to limit further damage:
Website Security Protection: BulletProof Security protects your website from XSS, CSRF, Base64_encode and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. One-click Website Maintenance Mode (HTTP 503). Additional website security checks: DB errors off, file and folder permissions check… System Info: PHP, MySQL, OS, Memory Usage, IP, Max file sizes… Built-in .htaccess file editing, uploading and downloading.
The BulletProof Security WordPress Security plugin is designed to be a fast, simple and one click security plugin to add .htaccess website security protection for your WordPress website. Activate .htaccess website security and .htaccess website under maintenance modes from within your WordPress Dashboard – no FTP required. The BulletProof Security WordPress plugin is a one click security solution that creates, copies, renames, moves or writes to the provided BulletProof Security .htaccess master files. BulletProof Security protects both your Root website folder and wp-admin folder with .htaccess website security protection, as well as providing additional website security protection.
BulletProof Security allows you to add .htaccess website security protection from within the WordPress Dashboard so that you do not have to access your website via FTP or your Web Host Control Panel in order to add website security protection for your WordPress site. BulletProof Security Modes: Root .htaccess security protection, wp-admin .htaccess security protection, Deny All .htaccess self protection, WordPress default .htaccess mode and .htaccess Maintenance Mode (503 Website Under Maintenance). In BulletProof Security Mode your WordPress website is protected from XSS, CSRF, Base64_encode and SQL Injection hacking attempts……Learn More
This will halt further hacking attempts, but there is much more to do, and note that .htaccess rules do not fix the vulnerable file itself; it still has to be updated or removed. I will be back with more in my next post. Meanwhile, take a look at how to update your TimThumb PHP code if a theme of yours is using it or a plugin depends on it. Here's a list of all the free WordPress themes that use the timthumb.php code. The file is usually visible in your Theme Editor. If you have a premium theme, search it for TimThumb; many of them bundle it. Here's an article for the Gabfire premium theme which will help either way. Here are the plugins that have been used in hacks because they work with TimThumb.
Here's an article that will help you copy and paste the new version of TimThumb.
I will be back with more in my next post (very soon). Meanwhile, do some searching on your own; there are always new developments.
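Searching by hand through the Theme Editor misses copies in plugins and in themes you no longer use. The script below walks a wp-content directory, reports every `timthumb.php` or `thumb.php` with the version it declares, and lists any PHP file sitting in a directory named `cache`, which is where the quoted WordPress.org note says the uploaded code ends up. It is an added example written for this post, not a WordPress, Sucuri or TimThumb tool. Assumptions: TimThumb declares its version in a line like `define ('VERSION', '1.34');` (spacing varies between releases, so the pattern is tolerant); versions below 2 are treated as needing the 2.0 rewrite described above; the cache directory is literally named `cache`; and the sample tree it builds for the demo is constructed.

```python
"""Audit a wp-content tree for copies of TimThumb and for PHP in cache dirs.

Added example for this post, not a WordPress or Sucuri tool. Assumptions:
TimThumb declares its version as  define ('VERSION', '1.34');  versions
below 2 need the 2.0 rewrite; TimThumb's cache directory is named 'cache'.
"""
import re
import tempfile
from pathlib import Path

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}  # both names from the WordPress.org note
FIXED_MAJOR = 2  # assumption: 2.x is the rewritten, fixed branch
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]""")
PHP_SUFFIXES = (".php", ".phtml", ".php3", ".php4", ".php5")


def timthumb_version(path):
    """Return the VERSION string declared in a TimThumb file, or None."""
    match = VERSION_RE.search(Path(path).read_text(errors="replace"))
    return match.group(1) if match else None


def needs_update(version):
    """Unknown or unparsable versions are treated as vulnerable on purpose."""
    if version is None:
        return True
    try:
        return int(version.split(".")[0]) < FIXED_MAJOR
    except ValueError:
        return True


def find_timthumb(root):
    """List (relative path, version, needs_update) for every TimThumb copy."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower() in TIMTHUMB_NAMES:
            version = timthumb_version(path)
            hits.append((path.relative_to(root).as_posix(), version, needs_update(version)))
    return sorted(hits, key=lambda h: h[0])


def find_cached_php(root):
    """PHP files inside any directory named 'cache'. The resizer should only
    ever write images there, so every hit deserves a manual look."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if (path.is_file() and path.parent.name.lower() == "cache"
                and path.suffix.lower() in PHP_SUFFIXES):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def make_sample_tree():
    """Build a constructed wp-content layout in a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    files = {
        "themes/old/scripts/timthumb.php": "<?php\ndefine ('VERSION', '1.34');\n",
        "themes/old/scripts/cache/timthumb_abc.php": "<?php /* constructed planted file */ echo 1;\n",
        "themes/old/scripts/cache/timthumb_def.jpg": "constructed image bytes\n",
        "themes/child/timthumb.php": "<?php // constructed copy with no VERSION line\n",
        "plugins/gallery/thumb.php": "<?php\ndefine('VERSION', '2.8.0');\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return str(root)


if __name__ == "__main__":
    root = make_sample_tree()  # replace with your real wp-content path
    for rel, version, flag in find_timthumb(root):
        print(f"{'UPDATE' if flag else 'ok    '}  {rel}  version={version}")
    for rel in find_cached_php(root):
        print(f"REVIEW  {rel}  (PHP in a cache directory)")
```

Point `find_timthumb()` and `find_cached_php()` at your real `wp-content` directory instead of the sample tree. A copy that a theme author renamed to something other than `timthumb.php` or `thumb.php` will not be found by name; grep the tree for the `TimThumb` header comment in that case, and treat a copy with no version line as vulnerable until you have compared it with the current release.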
Update: Part Two here