About nunomorgadinho

Nuno has worked on programming for several years now, and provided solutions for desktop computers, hand-held devices and the web. Currently he is working on a startup company called WidgiLabs. Before that he worked on a contract company that developed software for the European Space Agency, and before that YDreams S.A. in Portugal. He holds a degree in Computer Science and a MSc in distributing computing. software engineer web developer software consultant http://twitter.com/morgadin software engineer web developer software consultant

Even when everything seems right..

So I was looking at a client website that seemed to be running without any problems.

The first thing I noticed was that on Google the site had the wrong description and cache. I quickly went into Google Webmasters Tools to re-index the site, a caching issue I thought! Boy was I wrong.

It turns out the site had been hacked so that the normal user couldn’t see anything wrong but Google sees a bunch of spammy keywords.

We found a php5.php in the root directory of WordPress and the index.php had been modified to contain:

if (is_file('php5.php')) @include('php5.php');

So even when everthing looks right you might be in trouble. Hopefully I will still be here to help ūüôā

The timthumb Disaster

I don’t recall anything affecting WordPress security so much as the timthumb disaster.

The timthumb.php file is a script commonly used in WordPress’s (and other software’s) themes and plugins to resize images. It’s¬†fairly¬†standard thing to include in a theme and it has seen a massive amount of use across the WordPress world.¬†Google shows over 39 million results for the script name, just to give you an idea.

In August 2011 someone first wrote¬†about a WordPress site hacked using a vulnerability in timthumb. After that we’ve seen a mass infection of WordPress sites due to timthumb. Some web hosting companies later became aware of this and started correcting the problem. It has been a huge problem that stills affects thousands of people to this day.

The exploit allows an attacker to arbitrarily upload and create files and/or folders on your account, which can then be used for a number of malicious tasks, including but not limited to defacement, browser high-jacking and infection, data harvesting and more. ¬†After a site has been exploited, it may lead to becoming labeled a “Malicious Website” by Google or other security authorities.
Any timthumb.php file below version 1.35, but above version 1.09 is considered vulnerable, unless patched. To prevent being compromised, we advise you update all instances of timthumb.php to version 2.0, or patch the existing vulnerable files.  Note that patching the files requires more in-depth knowledge of the PHP scripting language.

You may check any of your sites to see if they are vulnerable by using this plugin:
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/