A few weeks ago, I wrote about the fact that one of my websites was hacked and exploited by a script apparently known as “WebShell by oRB”. At the time, I was hoping that the issue had been fixed, but I quickly learned that it hadn’t. At least once each day, the hack re-appeared on our website in different ways through different files.
After a bit more research into the matter, I found that the issue seems to be related to a vulnerability in phpThumb, a widely-used PHP script that dynamically resizes and manipulates images. The vulnerability was identified as early as 5 years ago according to some reports. Unfortunately, the developers of phpThumb have yet to do anything about it.
Sadly, most of the vulnerability reports I was able to find simply list something like “edit the code to fix the problem” as the solution. That doesn’t help much.
So, I started modifying the source of our phpThumb installation and eventually locked it down by creating an array of the fltr commands we actively use, then telling phpThumb to unset all other fltr commands sent to the script before it runs.
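One way to implement the allow-list described above, as an added PHP example that is not phpThumb’s own code and not the exact change made to this site: it assumes phpThumb reads its parameters from `$_GET`, that each `fltr[]` entry begins with a filter name followed by `|`-separated arguments (e.g. `wmi|logo.png|BR`), and that the allowed filter names and the `require` path are placeholders to adjust for your installation.

```php
<?php
// Added example: drop every fltr[] entry that is not on this site's allow-list,
// then hand the request to phpThumb. Run this in front of phpThumb.php instead
// of editing phpThumb.php itself, so the change survives upgrades.

// Filters this site actually uses (hypothetical list; adjust to your own usage).
const ALLOWED_FLTR = ['wmi', 'gray'];

/**
 * Return only the fltr entries whose leading filter name is in $allowed.
 * Accepts a single string (fltr=...) or an array (fltr[]=...&fltr[]=...).
 */
function filter_fltr($fltr, array $allowed): array
{
    if ($fltr === null) {
        return [];
    }
    $entries = is_array($fltr) ? $fltr : [$fltr];
    $kept = [];
    foreach ($entries as $entry) {
        if (!is_string($entry)) {
            continue;                          // nested arrays are never valid filters
        }
        // Filter name is the text before the first '|'; compare case-insensitively.
        $name = strtolower(explode('|', $entry, 2)[0]);
        if (in_array($name, $allowed, true)) {
            $kept[] = $entry;
        }
    }
    return $kept;
}

// Apply the allow-list to the incoming request.
$kept = filter_fltr($_GET['fltr'] ?? null, ALLOWED_FLTR);
if ($kept === []) {
    unset($_GET['fltr']);                      // nothing usable: remove the parameter entirely
} else {
    $_GET['fltr'] = $kept;
}

// Assumed location of phpThumb; change to wherever your copy lives.
require __DIR__ . '/phpThumb.php';
```

If your site never uses any `fltr` filters, pass an empty allow-list (or simply `unset($_GET['fltr'])`) and the parameter is always removed.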
I then performed an extremely exhaustive search of our Web server looking for all files that included “WSO”, “eval(base64” and/or “preg_replace” and dumped that list of files into a log. I then pored over the log file and found about 15 infected files (most of them using preg_replace to somehow insert the malicious code into our site). I cleaned out those files (which was just a matter of deleting the malicious code) and checked our site with the “Fetch as Googlebot” tool in Google Webmaster Tools.
Everything appeared to be clean. I made those changes about a week ago and still have yet to see the infection return. I truly hope the changes I made will be effective against this exploit. If you are experiencing similar issues, I would recommend any of the following actions to try to close the hole:
- Stop using phpThumb and try a different script (like TimThumb) instead – In our case, we used the watermark feature built into phpThumb too heavily to switch to a different script. Also, after a lot of testing, I found that phpThumb offered more reliable and more flexible options when resizing and cropping images than any other script I tested.
- Clean up phpThumb similarly to the way I did – If you don’t use any of the fltr commands in phpThumb, I would recommend simply unsetting the fltr portion of the query string altogether when using phpThumb.
- Stop using phpThumb altogether
Regardless of how you close the hole, you will need to do a thorough scan of your website to make sure you clean up all of the infected files. I would also recommend taking all of the actions I discussed in my previous article about this situation (such as locking down the file permissions on your server). Good luck; and, if anyone has a better solution to the phpThumb situation, please feel free to share it.