Aug 16, 2011 16:23 GMT

Security researchers warn that attacks exploiting a flaw in a popular WordPress script continue to increase and have begun delivering malware.

Timthumb is an image manipulation script incorporated by default in many popular WordPress themes. This means that although it is not part of the platform's core files, it is still present in a large number of installations.

A vulnerability has recently been identified in the script allowing attackers to upload and execute arbitrary PHP files on the server.

A patched version of timthumb, which also contains other security enhancements, has since been released; however, most webmasters will need to apply the update manually.

Unlike plug-ins, WordPress themes are not regularly updated and can be abandoned by their developers after a few initial bug fixes. This means that patching will largely depend on blog owners learning about this flaw and deploying the patch themselves.

The vulnerability has been exploited in the wild for the past couple of weeks to inject rogue ads into WordPress websites; however, researchers warn that the attacks have now begun to increase in both frequency and impact.

"At first we saw the injected domain name hxxp://superpuperdomain.com/ injected at the foot of compromised WordPress blogs. This code appears to have been delivering advertisements to end users via redirects to search engines," security researchers from Websense write.

"Last Friday, we saw a slight adaptation within the injected code. This time, browsers to compromised sites led to the domain hxxp://superpuperdomain2.com/, which seemingly was a placeholder for more nefarious malicious activity," they warn.

Meanwhile, researchers from Sucuri Security warn that attackers are also installing PHP backdoors on the infected sites so they can maintain unauthorized access for as long as possible.

WordPress site owners should immediately update the timthumb.php script in their installation by overwriting it with the patched version, and should scan their directory structure for any recently created files they don't recognize. Any injected code must also be removed.
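A defender's audit script for the two checks recommended above, added here as an example; it is not from the article, Websense, Sucuri or the TimThumb project. It assumes a POSIX shell, GNU or BSD find, and a WordPress root passed as the first argument; the 7-day window and the "no PHP under uploads or cache" heuristic are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress install for the two things recommended after
# the TimThumb flaw. Each theme ships its own copy of timthumb.php, so every copy
# must be overwritten with the patched release; attackers also dropped PHP
# backdoors, so PHP files in static-content directories and recently modified
# files are listed for review. Paths, the 7-day default and the upload/cache
# heuristic are assumptions, not values from the article.

# SHA-256 of one file, so copies can be compared with the hash of the patched release.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Every timthumb.php below the WordPress root, hashed; one line per copy.
list_timthumb_copies() {
    find "$1" -type f -name 'timthumb.php' | sort | while IFS= read -r f; do
        hash_file "$f"
    done
}

# PHP files under the uploads directory or any directory named cache, where
# a normal install keeps only images and generated thumbnails (assumed heuristic).
suspicious_php() {
    find "$1" -type f -name '*.php' \
        \( -path '*/wp-content/uploads/*' -o -path '*/cache/*' \) -print | sort
}

# Regular files modified within the last DAYS days (default 7), for the owner
# to check against files they recognize.
recent_files() {
    root="$1"; days="${2:-7}"
    find "$root" -type f -mtime "-$days" -print | sort
}

audit_wordpress() {
    root="$1"; days="${2:-7}"
    echo "== timthumb.php copies (compare each hash with the patched release) =="
    list_timthumb_copies "$root"
    echo "== PHP files in static-content directories =="
    suspicious_php "$root"
    echo "== files modified in the last $days days =="
    recent_files "$root" "$days"
}

# Usage: sh audit_timthumb.sh /var/www/html [days]
if [ -n "${1:-}" ]; then
    audit_wordpress "$1" "${2:-7}"
fi
```

Run it against the web root and overwrite every listed timthumb.php whose hash does not match the patched release; the other two lists are review queues, not verdicts.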