[wp-hackers] WordPress security question
Mika A Epstein
ipstenu at ipstenu.org
Tue Jun 5 15:49:57 UTC 2012
TimThumb is not a part of core, nor is it allowed in themes hosted on the WP theme repo (as of the last time I looked).
On Jun 5, 2012, at 7:50 AM, Mickey Panayiotakis <mickey at infamia.com> wrote:
> I've seen plenty of hacks based on timthumb vulnerabilities.
> However, I don't think wordpress core uses timthumb. (I'm sure the group
> will correct me here, which I invite.)
> The user is left to fend on their own when using a free or commercial
> theme, to a lesser or greater extent depending on the theme vendor. Some
> themes do a great job of providing updates and alerting the user to theme
> and framework updates (and thanks to WP3 we can see that in the usual
> updates area). The problem is that when you customize a theme, updates
> become more visible.
> One of the most disturbing bits of advice I heard recently is that if you
> use a custom theme, you shouldn't update wordpress. I'm sure what the
> speaker meant was to work with your vendor to make sure that WP and all
> plugins and themes stay up to date.
>> Message: 1
>> Date: Mon, 4 Jun 2012 19:50:39 -0700
>> From: Andrew Freeman <andrew.s.freeman at gmail.com>
>> Subject: Re: [wp-hackers] WordPress security question (Dan Phiffer)
>> To: wp-hackers at lists.automattic.com
>> Howdy Dan,
>> Having cleaned up about a half-dozen sites in the past two months or so, I
>> have some suggestions for things to look for in terms of
>> backdoors/potential vulnerabilities.
>> Most hacks I've seen come from a vulnerable Timthumb hack, an old image
>> thumbnail script which allowed an attacker to upload malicious code to the
>> server, giving them full shell access (or at least as much as Apache/PHP/WP
>> has). You can read technical details about it here:
>> You can use the Timthumb Vulnerability Scanner to quickly see if you have
>> any outdated versions of the script lying around:
>> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/. Even
>> an unused theme with the old version of the script is vulnerable.
>> Most hacks definitely add crazy base64_decode script to the header of
>> important files - often index.php of site root or theme root. This one
>> looks like it gets around base64_decode which makes it harder to detect. If
>> you can, ssh into the server and grep for 'lqxizr' to find if it's been
>> injected into any other files. Also, checking wp-config.php is a good idea,
>> because I've seen old backdoors left inside the file (usually separated
>> above and below the malicious script by several thousand blank lines).
>> code right instead of going the PHP route. I'd recommend checking your
>> frontend scripts for anything strange, the time last updated in FTP may be
>> of some help.
>> Also, if you can, check the raw access logs for anything suspicious. One
>> time I thought my server was clear of shell-like scripts, but after another
>> hack that day the raw access logs showed that one actually just signed in
>> and used the WordPress editor to make the changes.
>> I hope this can be of assistance and best of luck,
>> Andrew Freeman
> Mickey Panayiotakis
> Managing Partner
> 800.270.5170 x512
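The three checks Andrew describes in the quoted message (an `eval(base64_decode(...))` header injected into index.php, a wp-config.php padded with thousands of blank lines around a backdoor, and access-log entries showing someone using the built-in editor) can be scripted. The script below is an added example, not code from the thread or from any of its authors; it builds a small constructed site tree and access log with `make_fixture` so it runs offline, and the paths it uses are placeholders for a real install and its Apache log.

```shell
#!/bin/sh
# Added triage script (not from the thread). Each function prints its findings
# so it can be pointed at a real site root or log; make_fixture builds constructed
# sample data so the script is runnable as-is.

# PHP files that feed a decoder's output straight into eval(), the classic injected
# header. [[:space:]] keeps the pattern portable across grep builds; "|| true" keeps
# an empty result from being reported as an error.
find_obfuscated_php() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' {} + \
    || true
}

# Longest run of consecutive blank lines in a file. A normal wp-config.php has a
# handful; several thousand in a row is the padding Andrew describes.
max_blank_run() {
  awk 'BEGIN { run = 0; max = 0 }
       /^[[:space:]]*$/ { run++; if (run > max) max = run; next }
       { run = 0 }
       END { print max }' "$1"
}

# Combined-format access-log lines that hit the dashboard theme/plugin editor.
# Prints "client-ip timestamp uri" for each hit so it can be matched to wp-login.php.
editor_activity() {
  grep -E '"(GET|POST) /wp-admin/(theme|plugin)-editor\.php' "$1" |
    awk '{ gsub(/^\[/, "", $4); print $1, $4, $7 }' || true
}

# Constructed fixture: a clean theme, an old theme with an injected header
# (the base64 decodes to "foo"), a padded wp-config.php and a three-line log.
# Echoes the directory so the caller can clean it up.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/themes/clean" "$dir/wp-content/themes/old"
  printf '<?php\n// clean theme\nget_header();\n' > "$dir/wp-content/themes/clean/index.php"
  printf '<?php eval(base64_decode("Zm9v")); ?>\n<?php get_header(); ?>\n' \
    > "$dir/wp-content/themes/old/index.php"
  {
    printf '<?php\ndefine("DB_NAME", "wp");\n'
    awk 'BEGIN { for (i = 0; i < 3000; i++) print "" }'
    printf '// constructed placeholder for an injected line\n'
  } > "$dir/wp-config.php"
  cat > "$dir/access.log" <<'EOF'
203.0.113.5 - - [04/Jun/2012:19:02:11 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Jun/2012:19:40:02 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Jun/2012:19:41:17 -0700] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
  echo "$dir"
}

# Run all three checks against the constructed site. Replace $site with the real
# document root and the log path with the server's raw access log to triage a live host.
site=$(make_fixture)
echo "== PHP files passing decoded data to eval() =="
find_obfuscated_php "$site"
echo "== longest blank-line run in wp-config.php: $(max_blank_run "$site/wp-config.php")"
echo "== editor activity in access log =="
editor_activity "$site/access.log"
rm -rf "$site"
```

On a real host, run the three functions against the document root and the raw access log rather than the fixture; a hit from `editor_activity` is worth correlating with the `wp-login.php` entry from the same client just before it, which is the pattern Andrew saw when the change was made through the dashboard rather than through a PHP backdoor.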