WebShell Hack – An Update

A few weeks ago, I wrote about the fact that one of my websites was hacked and exploited by a script apparently known as “WebShell by oRB”. At the time, I was hoping that the issue had been fixed, but I quickly learned that it hadn’t. At least once each day, the hack re-appeared on our website in different ways through different files.

After a bit more research into the matter, I found that the issue seems to be related to a vulnerability in phpThumb, a widely-used PHP script that dynamically resizes and manipulates images. The vulnerability was identified as early as 5 years ago according to some reports. Unfortunately, the developers of phpThumb have yet to do anything about it.

Sadly, most of the vulnerability reports I was able to find simply list something like “edit the code to fix the problem” as the solution. That doesn’t help much.

So, I started modifying the source of our phpThumb installation and eventually locked it down by building a whitelist of the fltr[] filters we actually use, then dropping every other fltr[] entry from the request before phpThumb processes it. (fltr[] is the query-string array through which phpThumb is told which image filters to apply; watermarking, for example, is a filter.)

I then performed an exhaustive search of our Web server looking for all files that included “WSO”, “eval(base64” and/or “preg_replace” and dumped that list of files into a log. I then pored over the log file and found about 15 infected files (most of them using preg_replace to insert the malicious code; the usual trick here is the /e modifier, which makes preg_replace evaluate its replacement string as PHP). I cleaned out those files (which was just a matter of deleting the malicious code) and checked our site with the “Fetch as Googlebot” tool in Google Webmaster Tools.
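An added example of that search, written as a small PHP command-line scanner. It is not the tool used on the site described above, and the web-root path and the marker list are assumptions. It looks for the same markers (plus the shell’s own banner), but narrows the preg_replace match to calls whose literal pattern carries the /e modifier, because a bare search for “preg_replace” matches a great deal of legitimate code:

```php
<?php
// Added example, not the original author's tool: recursively scan a web root
// for the infection markers discussed above. Usage (the path is an assumption):
//   php scan_webroot.php /var/www/html > suspects.log

// Label => regex. Each is a heuristic; every hit still needs a human look.
$patterns = [
    'WebShell by oRB banner'   => '/WebShell by oRB/i',
    'WSO shell marker'         => '/\bWSO\b/',
    // eval( of base64_decode(, optionally wrapped in a decompress/rot13 call
    'eval of base64 payload'   => '/eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|strrev)?\s*\(?\s*base64_decode\s*\(/i',
    // preg_replace whose quoted first argument ends in a modifier run that
    // contains "e": the /e modifier evaluates the replacement as PHP code.
    'preg_replace /e modifier' => '/preg_replace\s*\(\s*(["\'])[^"\']*\W([a-zA-Z]*e[a-zA-Z]*)\1/',
    // Very long base64 runs are typical of obfuscated droppers.
    'long base64 blob'         => '/[A-Za-z0-9+\/]{300,}={0,2}/',
];

// Report "path:line: label" for every pattern that matches in one file.
function scanFile(string $path, array $patterns): array
{
    $hits = [];
    $data = @file_get_contents($path);
    if ($data === false || $data === '') {
        return $hits;
    }
    foreach ($patterns as $label => $regex) {
        if (preg_match($regex, $data, $m, PREG_OFFSET_CAPTURE)) {
            $line  = substr_count(substr($data, 0, $m[0][1]), "\n") + 1;
            $hits[] = sprintf('%s:%d: %s', $path, $line, $label);
        }
    }
    return $hits;
}

// Walk every regular file under $root, skipping symlinks and huge files.
function scanTree(string $root, array $patterns, int $maxBytes = 5 * 1024 * 1024): array
{
    $results = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ($it as $file) {
        if ($file->isLink() || !$file->isFile() || $file->getSize() > $maxBytes) {
            continue;
        }
        foreach (scanFile($file->getPathname(), $patterns) as $hit) {
            $results[] = $hit;
        }
    }
    return $results;
}

$root = $argv[1] ?? '.';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(1);
}
foreach (scanTree($root, $patterns) as $hit) {
    echo $hit, PHP_EOL;
}
```

The /e check only catches a literal pattern string; a shell that builds the pattern in a variable, or that hides behind several layers of encoding, will only show up through the base64 heuristics or not at all, so treat an empty report as “nothing obvious”, not “clean”.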

Everything appeared to be clean. I made those changes about a week ago and have yet to see the infection return. I truly hope the changes I made will be effective against this exploit. If you are experiencing similar issues, I would recommend one of the following actions to close the hole:

  • Stop using phpThumb and try a different script (like TimThumb) instead – In our case, we used the watermark feature built into phpThumb too heavily to switch to a different script. Also, after a lot of testing, I found that phpThumb offered more reliable and more flexible options when resizing and cropping images than any other script I tested. Whatever you switch to, keep it patched as well.
  • Clean up phpThumb similarly to the way I did – If you don’t use any of the fltr[] commands in phpThumb, I would recommend simply unsetting the fltr[] portion of the query string altogether before phpThumb runs.
  • Stop using phpThumb altogether.
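The whitelisting approach from the paragraph above and from the second option, as an added example. This is not the modified phpThumb from the site in question; it is a wrapper script that sanitizes fltr[] and then includes an unmodified phpThumb.php. The wrapper file name, the phpThumb.php path and the allowed filter list are assumptions; leave the list empty to get the “unset fltr[] altogether” behaviour:

```php
<?php
// Added example, not the site's own modified phpThumb: point your image URLs at
// this wrapper instead of at phpThumb.php, and block direct requests to
// phpThumb.php itself, otherwise the wrapper can simply be bypassed.

// Filter names your templates really emit (assumption for illustration).
// 'wmi' is phpThumb's watermark-image filter, 'wmt' its watermark-text filter.
// An empty array drops every fltr[] entry.
$ALLOWED_FILTERS = ['wmi', 'wmt'];

// Characters that have no business in filter parameters. Some phpThumb filters
// build ImageMagick command lines from their parameters, so shell
// metacharacters are refused even for whitelisted filters. '|' is phpThumb's
// own parameter separator and therefore stays allowed.
$FORBIDDEN_CHARS = '/[;&`$<>()\\\\\'"\r\n\x00]/';

/**
 * Return $query with fltr reduced to whitelisted, metacharacter-free entries.
 * Unknown or suspicious entries are dropped rather than turned into an error,
 * so a stale template link still yields an image, just without that filter.
 */
function sanitizePhpThumbFltr(array $query, array $allowed, string $forbidden): array
{
    if (!array_key_exists('fltr', $query)) {
        return $query;
    }
    // phpThumb expects fltr[]=... (an array); tolerate a scalar as well.
    $entries = is_array($query['fltr']) ? $query['fltr'] : [$query['fltr']];
    $kept = [];
    foreach ($entries as $entry) {
        if (!is_string($entry)) {
            continue;
        }
        // The filter name is the text before the first '|'; parameters follow.
        $parts  = explode('|', $entry, 2);
        $name   = strtolower(trim($parts[0]));
        $params = $parts[1] ?? '';
        if (!in_array($name, $allowed, true)) {
            continue;                       // not on the whitelist
        }
        if (preg_match($forbidden, $params)) {
            continue;                       // whitelisted filter, hostile parameters
        }
        $kept[] = $entry;
    }
    if ($kept === []) {
        unset($query['fltr']);
    } else {
        $query['fltr'] = array_values($kept);
    }
    return $query;
}

$_GET     = sanitizePhpThumbFltr($_GET, $ALLOWED_FILTERS, $FORBIDDEN_CHARS);
$_REQUEST = sanitizePhpThumbFltr($_REQUEST, $ALLOWED_FILTERS, $FORBIDDEN_CHARS);
// Keep the raw query string consistent with the sanitized $_GET, so anything
// that re-parses it sees the same parameters phpThumb is about to use.
$_SERVER['QUERY_STRING'] = http_build_query($_GET);

require __DIR__ . '/phpThumb.php';   // unmodified phpThumb front controller (path assumed)
```

Two checks before relying on this: request the wrapper with a filter you have not whitelisted and confirm the image still renders without it, and request phpThumb.php directly and confirm you get a 403 or 404, since a reachable original makes the whitelist decorative.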

Regardless of how you close the hole, you will need to do a thorough scan of your website to make sure you clean up all of the infected files. I would also recommend taking all of the actions I discussed in my previous article about this situation (such as locking down the file permissions on your server). Good luck, and if anyone has a better solution to the phpThumb situation, please feel free to share it.

11 Responses

  • Allen

    great investigative work Detective Curtiss!

    • Thanks, Allen. I just hope the hole continues to stay closed. It’s been a real hassle.

  • Daniel

    I’ve hit upon the exact issue just now. You’ve no doubt saved me a lot of time. Thanks for sharing.

  • Curtiss,

    Thanks for your advice and instructions. They’ve been helpful as we recently had a client site with a similar issue. I did have one question.

    How do you go about cleaning up the Google spam related to the attack on your site? Is it something we can force to happen by submitting a sitemap.xml to Google in order to get them to re-index the site, or is it going to simply take time and we’ll have to wait it out for those “spammy” links to drop off?

    Thanks again for your insights – Brandon

    • Brandon,
      Unfortunately, there’s not much you can do except wait for Google to recrawl your website. If you have issues with your “Site Links” (the list of links that are displayed as part of your home page’s search result), you can “block” Google from showing those for a period of time, but that’s about it.

      If the search results are really dreadful, I think you can request that your site be removed from Google, then resubmit it in a few weeks, but that’s not much more use than simply letting Google re-crawl your site naturally, unfortunately.

  • Jeremy

    Realizing that you may not want to disclose some information for security purposes, can you give us a general idea of what files you edited in your phpThumb, and what code you used to close your security holes?

    • Jeremy – I’ve since moved onto another employer, but I’ll see if I can find a copy of the phpThumb script I modified so that I can share it.

  • […] Yesterday, Mark Maunder published a blog post making people aware of a vulnerability in the popular PHP image manipulation script TimThumb. Anyone that uses TimThumb should definitely read that article to make sure that the vulnerability gets patched. Almost a year ago, though, I posted (and I was far from the first) about a vulnerability in another extremely popular PHP image manipulation script; phpThumb. […]

  • Miramez

    Help me!

    I have been hacked with this! Now two domains are hacked. It seems my shared host (bounceweb) is vulnerable and the hackers got information about all domains hosted there, and the hacker is defacing them one by one…

    I notified my shared hosting, but they are the laziest! They do nothing. It seems I’m talking to a wall… alone!

    Curtiss,

    I need your help!

    1. I found 4 files in my FTP:
    king.html
    hashor.html
    cache.php (encrypted)
    archive.php (WebShell by oRB)

    I deleted all of them and I changed ALL passwords (cPanel, MySQL, FTP, WordPress admin)

    The hacked domains were using WordPress 3.2.1 (I updated it to 3.3.1), but I don’t know if it will fix it…

    I really didn’t understand about phpThumb. What is this? I don’t use ANYTHING, neither TimThumb nor phpThumb. The method to crop images (thumbnails) on my websites is using WordPress Custom Image (native to WordPress).

    Where should I look for phpThumb? In which files in the WordPress installation?

    Please,

    Describe which steps I have to follow to avoid another attack!

    I typed my email in this form. Please write me!!!!
    Thanks
    Miramez

  • Miramez

    Curtiss, it’s me again.
    I have another question:
    Is it possible for hackers to deface domains that are not using phpThumb or TimThumb?

    Because I don’t use a VPS, I use shared hosting. Maybe, if the server is infected with any exploit, ALL domains hosted on this server might be hacked as well?

    • Miramez – It’s certainly possible that hackers found another way into your server, other than through phpThumb or TimThumb. There are a lot of different ways for them to get in, including potential malware/spyware on your computer. There are some good tips to be found in the WordPress Codex. That’s probably the best place to start.

      If you have SSH access to your site, you should try running a few grep commands looking for “phpThumb”, “base64” or “eval” within files in your account, and review all of the results to see if all of them belong there.