Check Your WordPress Plugins: Social Media Widget Found to be Injecting Spam into Websites

WordPress website masters are being advised to update (or remove) the Social Media Widget plugin following the discovery that it was being misused to inject spam into websites it was installed on.

According to Sucuri Security, the malicious code that calls the URL, hxxp://i.aaur.net/i.php to inject “Pay Day Loan” spam links on the affected website was added to version 4.0 of the plugin, which was launched about 2 weeks ago.

A thread on plugin’s support forums reveals that the compromise was a result of the owner trusting the wrong developer.

The Social Media Widget plugin was removed from the WordPress Plugin repository after it was found to have been tampered with, but has since been reinstated following removal of the bad code in version 4.0.1.

However, the plugin is quite popular, and there’s no telling how many of the 900k websites it had already been installed upon were still at risk.

If you have the Social Media Widget plugin installed on your WordPress website, it is strongly advised that you:

• Update or remove the plugin immediately.


• Run your site through Sucuri’s SiteCheck scanner (free) to verify that your website is clean.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

Old "Is Human" WordPress Plugin Still on Cybercriminals' Hit List

Just because something isn’t readily available anymore doesn’t necessarily mean that someone isn’t out there searching for it.

Take the “Is Human” WordPress plugin, for example.

It’s no longer available for download, no longer supported by its developers, and yet cybercriminals are still scanning websites hoping that someone still has it installed.

Why? Because versions 1.4.2 and earlier suffer from a remote command execution vulnerability. Below is a write-up from the corresponding exploit-db entry:

The vulnerability exists in /is-human/engine.php.

It is possible to take control of the eval() function via the 'type' parameter, when the 'action' is set to log-reset. From here we can run out own code.

In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands.

Execution running the linux whoami command:

http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error

We recently experienced attempts to exploit said vulnerability on our website, all of which failed because we don't use this plugin - not to mention they used the incorrect filepath. All attempts originated from the same (U.S.-based) IP address:

/blog/2013/02/01/hackers-still-scanning-for-vulnerable-timthumb-scripts/wp-content/plugins/is-human/engine.php?action=log-reset&error&eval(base64_decode(JHM9cGhwX3VuYW1lKCk7Cm
VjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBh
c3N0aHJ1KGlkKTsK))&type=ih_options()

The  base64_ decoded text is:

$s=php_uname();
echo '<br>'.$s;

echo '<br>';
passthru(id);

Obviously this post serves as a warning to anyone that may still have this plugin installed on their WordPress website. Cybercriminals will attempt to exploit any vulnerability – old or new – to cause mischief and mayhem.

WordPress is a popular CMS, and it’s important that anyone running it keeps the platform and any installed plugins up-to-date.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

Is The PICA Photo Gallery Plugin for WordPress Leaving Your Website Vulnerable?

It seems as though our post warning users about the old TimThumb vulnerability caught a lot of attention as we noticed an uptick in the number of site scans.

Now, this could simply mean that the scripts used to automatically scan for TimThumb files have a difficult time distinguishing a URL path mentioned in a blog from an actual file. However, there was one Russian-based IP that seemed to try harder than others to find a vulnerability to exploit, and one file path in particular happened to catch my eye:

/wp-content/plugins/pica-photo-gallery/picaPhotosResize.php

As you can see, the attacker was looking for a file by the name of picaPhotoResize.php, which is associated with the PICA Photo Gallery Plugin for WordPress. (Not installed)

It turns out that the PICA Photo Gallery Plugin for WordPress suffers from not one, but two vulnerabilities that can be exploited to disclose sensitive information or upload malicious files.

These security flaws were discovered back in June of 2012, and there’s no indication that they were ever fixed - a disappointment considering this is a $50 plugin!

From Secunia Advisory SA49467:

1)  Input passed to the "imgname" parameter in wp-content/plugins/pica-photo-gallery/picadownload.php is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

2) An error due to the wp-content/plugins/pica-photo-gallery/picaPhotosResize.php script allowing the upload of files with arbitrary extensions to a folder inside the webroot can be exploited to execute arbitrary PHP code by uploading a malicious PHP script.

The above vulnerabilities were confirmed in PICA Photo Gallery version 1.0, but later versions may be affected. The latest version is 1.3 at the time of writing.

Solutions

To protect their site, PICA Photo Gallery users are advised to:

• Edit the source code for picadownload.php to ensure that input is properly verified.


• Restrict access to the wp-content/plugins/pica-photo-gallery/picaPhotosResize.php script (e.g. via .htaccess).

Or just remove the plugin altogether.

I’ve reached out to the developers of this plugin to find out if these vulnerabilities were ever addressed, and when users can expect a patch if not. I’ll update this post when I hear back. Until then, watch out for hack attempts!

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

(Updated) Hackers Still Scanning for Vulnerable TimThumb Scripts

If you have a website running on WordPress, make sure you check your themes and plugins for the TimThumb script, and if you find it make sure you’re running the latest version (2.8.11 at time of this writing).

For the uninitiated, TimThumb is a PHP script used to resize images, and is integrated into hundreds of WordPress themes.

Unfortunately, a security flaw was discovered within TimThumb in 2011, leaving millions of WordPress powered websites vulnerable to attack. The vulnerability was fixed (in version 1.33, I believe); however, some websites may still be at risk if they were never updated.

Judging by scans we’ve seen on our own blog, it would appear that cybercriminals are still hunting for websites with plugins or themes using outdated versions of TimThumb:

Plugins

/wp-content/plugins/cac-featured-content/timthumb.php
/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php
/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php
/wp-content/plugins/cms-pack/timthumb.php
/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php
/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php
/wp-content/plugins/islidex/js/timthumb.php
/wp-content/plugins/kino-gallery/timthumb.php
/wp-content/plugins/lisl-last-image-slider/timthumb.php
/wp-content/plugins/really-easy-slider/inc/thumb.php
/wp-content/plugins/rent-a-car/libs/timthumb.php
/wp-content/plugins/verve-meta-boxes/tools/timthumb.php
/wp-content/plugins/vk-gallery/lib/timthumb.php
/wp-content/plugins/wp-marketplace/libs/timthumb.php

Themes

/wp-content/themes/13Floor/timthumb.php
/wp-content/themes/advanced-newspaper/timthumb.php
/wp-content/themes/Aggregate/thumb.php
/wp-content/themes/Aggregate/timthumb.php
/wp-content/themes/AmphionPro/script/timthumb.php
/wp-content/themes/aperture/thumb.php
/wp-content/themes/aperture/timthumb.php
/wp-content/themes/arras/library/timthumb.php
/wp-content/themes/arras-theme/library/timthumb.php
/wp-content/themes/Avenue/timthumb.php
/wp-content/themes/backstage/thumb.php
/wp-content/themes/backstage/timthumb.php
/wp-content/themes/Basic/timthumb.php
/wp-content/themes/biznizz/thumb.php
/wp-content/themes/biznizz/timthumb.php
/wp-content/themes/Bold/timthumb.php
/wp-content/themes/boldnews/thumb.php
/wp-content/themes/boldnews/timthumb.php
/wp-content/themes/broadcast/thumb.php
/wp-content/themes/bt/includes/timthumb.php
/wp-content/themes/bueno/thumb.php
/wp-content/themes/bueno/timthumb.php
/wp-content/themes/busybee/thumb.php
/wp-content/themes/busybee/timthumb.php
/wp-content/themes/c3/thumb.php
/wp-content/themes/cadabrapress/scripts/timthumb.php
/wp-content/themes/canvas/thumb.php
/wp-content/themes/canvas/timthumb.php
/wp-content/themes/CFWProfessional/timthumb.php
/wp-content/themes/Chameleon/timthumb.php
/wp-content/themes/city/scripts/timthumb.php
/wp-content/themes/cityguide/timthumb.php
/wp-content/themes/coda/thumb.php
/wp-content/themes/coffeebreak/thumb.php
/wp-content/themes/coffeebreak/timthumb.php
/wp-content/themes/coffeedesk/includes/timthumb.php
/wp-content/themes/comfy%20pro/thumb.php
/wp-content/themes/continuum/thumb.php
/wp-content/themes/continuum/timthumb.php
/wp-content/themes/crisp/thumb.php
/wp-content/themes/crisp/timthumb.php
/wp-content/themes/cruz/scripts/timthumb.php
/wp-content/themes/dailyedition/thumb.php
/wp-content/themes/dandelion_v2.6.1/functions/timthumb.php
/wp-content/themes/dandelion_v2.6.3/functions/timthumb.php
/wp-content/themes/dandelion_v2.6.4/functions/timthumb.php
/wp-content/themes/dcric/scripts/timthumb.php
/wp-content/themes/DeepBlue/timthumb.php
/wp-content/themes/deep-blue/timthumb.php
/wp-content/themes/DeepFocus/thumb.php
/wp-content/themes/DeepFocus/timthumb.php
/wp-content/themes/delegate/thumb.php
/wp-content/themes/delegate/timthumb.php
/wp-content/themes/delicate/thumb.php
/wp-content/themes/delicate/timthumb.php
/wp-content/themes/DelicateNews/timthumb.php
/wp-content/themes/deliciousmagazine/thumb.php
/wp-content/themes/deliciousmagazine/timthumb.php
/wp-content/themes/delight/scripts/timthumb.php
/wp-content/themes/develop/thumb.php
/wp-content/themes/diarise/thumb.php
/wp-content/themes/digitalfarm/thumb.php
/wp-content/themes/directory/timthumb.php
/wp-content/themes/dualshockers2/thumb.php
/wp-content/themes/duotive-three/includes/timthumb.php
/wp-content/themes/EarthlyTouch/timthumb.php
/wp-content/themes/eBusiness/timthumb.php
/wp-content/themes/ecobiz/timthumb.php
/wp-content/themes/editorial/thumb.php
/wp-content/themes/ElegantEstate/thumb.php
/wp-content/themes/ElegantEstate/timthumb.php
/wp-content/themes/eNews/thumb.php
/wp-content/themes/eNews/timthumb.php
/wp-content/themes/envision/thumb.php
/wp-content/themes/ephoto/thumb.php
/wp-content/themes/ePhoto/timthumb.php
/wp-content/themes/equator/timthumb.php
/wp-content/themes/eStore/timthumb.php
/wp-content/themes/Event/timthumb.php
/wp-content/themes/Feather/timthumb.php
/wp-content/themes/flashnews/thumb.php
/wp-content/themes/freshnews/thumb.php
/wp-content/themes/G6Feature/includes/thumb.php
/wp-content/themes/gallant/thumb.php
/wp-content/themes/gazette/thumb.php
/wp-content/themes/gazette/timthumb.php
/wp-content/themes/Glow/timthumb.php
/wp-content/themes/GrungeMag/timthumb.php
/wp-content/themes/headlines/thumb.php
/wp-content/themes/headlines/timthumb.php
/wp-content/themes/headlines_enhanced_v2/thumb.php
/wp-content/themes/idris/images/timthumb.php
/wp-content/themes/impacto/thumb.php
/wp-content/themes/insignio/images/timthumb.php
/wp-content/themes/InterPhase/timthumb.php
/wp-content/themes/kingsize/timthumb.php
/wp-content/themes/lifestyle/thumb.php
/wp-content/themes/LightBright/timthumb.php
/wp-content/themes/Linepress/timthumb.php
/wp-content/themes/livewire/thumb.php
/wp-content/themes/mademan/scripts/timthumb.php
/wp-content/themes/Magnificent/thumb.php
/wp-content/themes/manifesto/scripts/timthumb.php
/wp-content/themes/Max/thumb.php
/wp-content/themes/Memoir/thumb.php
/wp-content/themes/mimbo/scripts/timthumb.php
/wp-content/themes/mimbopro/scripts/timthumb.php
/wp-content/themes/minecraftapps.com/scripts/timthumb.php
/wp-content/themes/mini-lab/functions/timthumb.php
/wp-content/themes/Modest/thumb.php
/wp-content/themes/Modest/timthumb.php
/wp-content/themes/modularity/includes/timthumb.php
/wp-content/themes/modularity2/includes/timthumb.php
/wp-content/themes/multidesign/scripts/timthumb.php
/wp-content/themes/muse/scripts/timthumb.php
/wp-content/themes/myjourney/thumb.php
/wp-content/themes/myjourney_3.1/thumb.php
/wp-content/themes/MyProduct/timthumb.php
/wp-content/themes/NewsPro/timthumb.php
/wp-content/themes/Nova/timthumb.php
/wp-content/themes/Nyke/timthumb.php
/wp-content/themes/ocram_2/thumb.php
/wp-content/themes/optimize/thumb.php
/wp-content/themes/optimize/timthumb.php
/wp-content/themes/OptimizePress/timthumb.php
/wp-content/themes/overeasy/timthumb.php
/wp-content/themes/pearlie_14%20dec/scripts/timthumb.php
/wp-content/themes/PersonalPress/timthumb.php
/wp-content/themes/photoria/scripts/timthumb.php
/wp-content/themes/photo-workshop/includes/timthumb.php
/wp-content/themes/Polished/timthumb.php
/wp-content/themes/postcard/thumb.php
/wp-content/themes/premiumnews/thumb.php
/wp-content/themes/premiumnews/timthumb.php
/wp-content/themes/productum/thumb.php
/wp-content/themes/profitstheme/thumb.php
/wp-content/themes/prosto/functions/thumb.php
/wp-content/themes/PureType/timthumb.php
/wp-content/themes/purevision/scripts/timthumb.php
/wp-content/themes/Quadro/timthumb.php
/wp-content/themes/redlight/includes/timthumb.php/coffeebreak/thumb.php
/wp-content/themes/Reporter/timthumb.php
/wp-content/themes/retreat/thumb.php
/wp-content/themes/rockstar/thumb.php
/wp-content/themes/rockwell_v1.5/scripts/timthumb.php
/wp-content/themes/rt_crystalline_wp/thumb.php
/wp-content/themes/rt_panacea_wp/thumb.php
/wp-content/themes/rt_syndicate_wp/thumb.php
/wp-content/themes/sealight/thumb.php
/wp-content/themes/SimplePress/timthumb.php
/wp-content/themes/simplicity/thumb.php
/wp-content/themes/simplicity/timthumb.php
/wp-content/themes/skeptical/thumb.php
/wp-content/themes/skeptical/timthumb.php
/wp-content/themes/snapshot/thumb.php
/wp-content/themes/snapshot/timthumb.php
/wp-content/themes/spectrum/thumb.php
/wp-content/themes/spectrum/timthumb.php
/wp-content/themes/telegraph/scripts/timthumb.php
/wp-content/themes/TheCorporation/timthumb.php
/wp-content/themes/themorningafter/thumb.php
/wp-content/themes/TheProfessional/timthumb.php
/wp-content/themes/therapy/thumb.php
/wp-content/themes/TheSource/timthumb.php
/wp-content/themes/thestation/thumb.php
/wp-content/themes/thestation/timthumb.php
/wp-content/themes/TheStyle/timthumb.php
/wp-content/themes/tma/thumb.php
/wp-content/themes/Transcript/thumb.php
/wp-content/themes/Transcript/timthumb.php
/wp-content/themes/tribune/scripts/timthumb.php
/wp-content/themes/typebased/thumb.php
/wp-content/themes/typebased/timthumb.php
/wp-content/themes/u-design/scripts/timthumb.php
/wp-content/themes/vibrantcms/thumb.php
/wp-content/themes/vulcan/timthumb.php
/wp-content/themes/watercolor/includes/timthumb.php
/wp-content/themes/waves/functions/timthumb.php
/wp-content/themes/welcome_inn/timthumb.php
/wp-content/themes/WhosWho/timthumb.php
/wp-content/themes/widescreen/includes/timthumb.php
/wp-content/themes/wootube/thumb.php
/wp-content/themes/wp-clear-prem/scripts/timthumb.php
/wp-content/themes/WPCMS2/scripts/timthumb.php
/wp-content/themes/zenko/scripts/timthumb.php

Not Sure If Your Site is Vulnerable?

There are two methods you can use to check your site:

• Use the TimThumb Vulnerability Scanner plugin to check if your site is running a vulnerable version of TimThumb. This plugin will scan your entire wp-content folder, including plugins, themes and uploads.


• Manually scan your wp-content folder for any 'timthumb.php' or 'thumb.php' files.

How to Update TimThumb

Should you happen to find a vulnerable version of TimThumb on your site, here are some easy-to-follow instructions that will guide you through the update process.

As a side note, I recommend doing a little research to beef up the security on any WordPress websites you may be running. Here’s a pretty good list of 25 Essential Security Plugins + Tips.

List last updated: 2/7/2013

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

Compromised WordPress Sites Sending Visitors to Black Hole Exploit Kit Sites

A reported 3,500 WordPress powered websites are exposing visitors to the Black Hole exploit kit thanks to vulnerability within the TimThumb plug-in along with stolen or easy-to-guess FTP credentials.

Jan Sirmer of Avast! Security firm posted a blog on Halloween, outlining the steps webmasters can take to check and see if their WordPress-driven site has been compromised by evil doers in hopes of redirecting visitors to websites that will attempt to install malware.

If your WordPress site has indeed been compromised, then you will see new files with names like:

./wp-content/w3tc/min/a12ed303.925433.js

or

./wp-includes/js/l10n.js

These files contain obfuscated code that ultimately will generate an iframe that redirects your website visitors to another domain that’s housing the Black Hole exploit kit.

Upon landing on the attack domain, users will find just how vulnerable their computers are, as malware will attempt to make its way onto their system by exploiting any number of the computer’s vulnerabilities (typically related to Java, IE or Adobe Reader).

Cybercrooks can purchase the Black Hole exploit kit – among others – on the black market for a good chunk of change ($1,500!) or simply grab a stripped-down, free version of it if they prefer to indulge in malicious activity without making a monetary investment in it.

WordPress site owners can protect themselves by a) making sure they have the most recent version of the TimThumb plug-in and b) use strong login credentials to prevent hackers from guessing it.

Web surfers have the best chances of surviving a Black Hole exploit kit attack by keeping their system up-to-date and running full antivirus protection software with real-time scanning to catch malware as it attempts to make its way onto your machine.

Photo Credit: thebadastronomer || Altered by Marquisa Kirkland

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest computer security threats.