Just a quick note about something we’re seeing *lots* of over the past few days: attacks targeting themes and plugins that bundle a vulnerable uploadify script. We’ve seen a number of them since the weekend, and they all seem to be coming from the same source, as they’re all doing the same thing: dropping a file named “auth.php” at “/wp-content/uploads/auth.php”.
The file is malicious, and should be removed.
The file is an old favorite of hackers, especially lazy ones. It’s generally known as “FilesMan”, because of the text near the top of the file:
<?php
# Web Shell by oRb
$color = "#df5";
$auth_pass = 'ff6cb56b876eedf90b5bca2c0a210f91';
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
This is a “shell”, or “backdoor”. Hackers put these on servers to give them the access they need to do whatever they want. They’re commonly hidden around the server so that the hacker can get back in after you think you’ve fixed the problem by cleaning up the mess of base64_decode()s and eval()s you found around the server.
First, you should delete it – or at least rename it. Unfortunately, that doesn’t mean you’re safe, especially if the file has been there for any amount of time. Most hackers will leave more than one backdoor as a failsafe, and if they’ve had time, they’ve almost certainly dropped another one on your server. We’ll clean up your hacked WordPress site for you – as will a number of other services out there. Whether you’re going to clean it up yourself or have a professional help, you’ll want to get to work quickly, before the hack has the chance to spread around your server, potentially to other sites.
In this instance, it looks like the common thread is vulnerable uploadify instances. Regina Smola over at wpsecuritylock.com has been talking in public, and to me personally, about the dangers of uploadify for quite some time – and we’re seeing the results here. itpixie.com has put together a great list of vulnerable themes/plugins – so you’ll want to check that out.
Yesterday, Mark Maunder over at markmaunder.com managed to track down the source of a pretty clever hack on his site, where the hacker gained access through the massively popular TimThumb image thumbnail creation library. You can read his full post on the matter here:
Zero Day Vulnerability in Many WordPress Themes
He’s made an interesting post detailing the work he did to catch the hack – if you have the time, give it a read.
More importantly – this hack has the potential to affect hundreds of thousands of WordPress installs. Unfortunately, because the timthumb library is generally included in themes (both free and premium), it’s not going to be very easy to get patched. Premium theme sellers will no doubt release updates and notify their users, but free theme users are less likely to have such good luck. As such, it’s going to be a good idea to check your site out for this vulnerability, and fix it as soon as possible.
(Note – Subscribers to Locker have had their sites scanned for this vulnerability, and are being automatically notified if they’ve got a problem right now.)
Nearly anyone using the timthumb library who downloaded it before yesterday (8/1/11) is likely to be vulnerable. How do you know if you’re using timthumb? The easiest way is probably to check your theme folders for a file called timthumb.php, using FTP or your host’s file browser. If you’re using a host with cPanel (like Hostgator), it’s very easy – just load up the file manager, and then use the “Find” box in the upper right corner to search for timthumb.php. No results? Chances are good that you’re safe.
Make sure you check every folder in your theme – it’s likely that if your theme has a lot of included files, this file would be in a directory inside your main theme folder.
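If you have shell access to your host, the two checks from this post (timthumb.php anywhere under the theme folders, and the auth.php / FilesMan drop in uploads) can be done in one sweep. This is an added example, not code from the post or from any of the projects mentioned; the theme names, dates and file contents in the fixture are constructed, and the only real marker strings are the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the original post. A read-only sweep of a
# WordPress install for the two things the post describes: timthumb.php
# anywhere in the theme tree (nested folders included), and PHP files in
# wp-content/uploads, which should hold media, not code. Each uploads hit is
# checked for the FilesMan / "Web Shell by oRb" text quoted above. It only
# reports; review every hit before deleting or replacing anything.

scan_wp_install() {
    root=$1
    # 1. Every timthumb.php under the themes directory, however deep.
    find "$root/wp-content/themes" -type f -name 'timthumb.php' -print 2>/dev/null |
    while IFS= read -r f; do
        echo "TIMTHUMB   $f  (replace with the patched version)"
    done
    # 2. PHP in the uploads tree; FilesMan markers are reported separately.
    find "$root/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -q -e 'FilesMan' -e 'Web Shell by oRb' "$f"; then
            echo "WEBSHELL   $f  (FilesMan marker present)"
        else
            echo "PHP-UPLOAD $f  (PHP file in uploads; inspect)"
        fi
    done
}

# Constructed fixture (hypothetical theme names and dates): one theme with a
# nested timthumb.php, one without, a harmless image, and an auth.php that
# carries the marker text from the post.
make_sample_tree() {
    d=$1
    mkdir -p "$d/wp-content/themes/sample-theme/inc" \
             "$d/wp-content/themes/other-theme" \
             "$d/wp-content/uploads/2011/08"
    echo '<?php // stand-in for the thumbnail script' \
        > "$d/wp-content/themes/sample-theme/inc/timthumb.php"
    echo '<?php // ordinary theme code' > "$d/wp-content/themes/other-theme/functions.php"
    echo 'not php' > "$d/wp-content/uploads/2011/08/photo.jpg"
    printf '<?php\n# Web Shell by oRb\n$default_action = "FilesMan";\n' \
        > "$d/wp-content/uploads/auth.php"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
report=$(scan_wp_install "$tmp")
printf '%s\n' "$report"
echo "findings: $(printf '%s\n' "$report" | grep -c .)"
rm -rf "$tmp"
```

Run it against the real document root (for example `scan_wp_install /home/user/public_html`) instead of the fixture; a clean site prints nothing but `findings: 0`.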
Fortunately, thanks to the hard work of Mark in finding this and bringing it to light, Ben (the creator of TimThumb), and a few other folks, there is a more secure version of the script now available for download here:
To secure your site, save that file (File->Save Page As in most browsers) to your computer, and then upload it to your site via FTP, replacing every instance of timthumb.php with the new version you just downloaded. If that’s beyond you, or you want to be absolutely sure that you’ve closed the hole up, send me an email at firstname.lastname@example.org, or hit me on twitter @peterbutler, and I’ll help get you straightened out.