We were recently alerted to reports of an attack leveraging a vulnerability in TimThumb — a PHP script for cropping, zooming, and resizing Web images (.JPG, .PNG, .GIF) that is used as an add-on script on WordPress. This vulnerability enables cybercriminals to perform local file insertion. When successfully exploited, it inserts a PHP script, which can then be used in further attacks.
The vulnerability was first discovered last August and has affected at least 1.2 million websites.
Based on our analysis, exploiting this vulnerability allows an attacker to insert a file into the target site’s Web server. In the attacks we’ve seen, affected websites were injected with PHP scripts hosted on sites whose URLs contain strings such as flickr.com, picasa.com, wordpress.com, and img.youtube.com.
Note that the URLs used to host the PHP scripts are not related to Flickr, Picasa, WordPress, or YouTube. The exploit includes those strings to bypass TimThumb’s validation process. It turns out that TimThumb looks for the strings of known media-hosting sites anywhere in the URL before allowing the upload to go through, rather than checking the actual host of the URL.
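The validation weakness described above, as an added PHP illustration that is not TimThumb’s own code: a substring check that accepts any URL merely containing an allowed host name, beside a host-based allowlist check that parses the URL first. The host list and sample URLs are constructed for the illustration.

```php
<?php
// Added illustration (not TimThumb's own code): why a substring check on the
// whole URL is bypassable, and a host-based allowlist that is not.

// Allowed media hosts, mirroring the host names mentioned in the post.
$allowedHosts = ['flickr.com', 'picasa.com', 'wordpress.com', 'img.youtube.com'];

// Weak check: accepts any URL that merely *contains* an allowed host string,
// whether in the host, the path, or the query string.
function weakCheck(string $url, array $allowedHosts): bool {
    foreach ($allowedHosts as $host) {
        if (stripos($url, $host) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, require http(s), and compare the host
// component exactly (or as a subdomain) against the allowlist.
function hardenedCheck(string $url, array $allowedHosts): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedHosts as $allowed) {
        $suffix = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: one legitimate, two shaped like the bypass in the
// post (an allowed-host string placed inside an unrelated URL).
$samples = [
    'http://farm1.flickr.com/photo.jpg',                   // legitimate subdomain
    'http://flickr.com.attacker.invalid/shell.php',        // string inside the host
    'http://attacker.invalid/img.youtube.com/shell.php',   // string inside the path
];

foreach ($samples as $url) {
    printf("%-52s weak=%s hardened=%s\n", $url,
        weakCheck($url, $allowedHosts) ? 'allow' : 'deny',
        hardenedCheck($url, $allowedHosts) ? 'allow' : 'deny');
}
```

The weak check allows all three URLs, while the hardened check allows only the first; a log of fetched remote URLs whose host is not on the allowlist is the corresponding detection signal for an administrator.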
Once the script is inserted into the Web server, the attacker has a connection to the database and can perform other attacks. These can vary from loading malicious files through the affected websites to exfiltrating information from the affected server itself. We were able to retrieve a few samples of the inserted PHP files, and they are now detected as PHP_IRCBOT.AHC, PHP_CREW.ASD, and PHP_RUMMAH.HG.
As seen in the screenshot above, the PHP script that leads to the malicious site loads once the compromised site is visited; thus the list of “Most Recent Visitors” shows that the last visitors accessed the malicious URL.
Trend Micro Smart Protection Network™ protects users from this attack by blocking all known related malicious websites and malware. Users are strongly advised to patch their systems with the latest version of TimThumb and to be wary of clicking malicious URLs, even from known sources.