Just today, Gregory Evans' blog site was defaced by Tha L (a defacer from 'the hackers army'). Gregory Evans is a security expert who has appeared on TV and radio more than any other security consultant in the world. In fact he was said to be the world's no. 1 security expert or hacker (I really don't know about this). But here is a YouTube video about him:
Deface Link: http://gregorydevans.com/wp-content/gallery/L.htm
As soon as the news spread I looked at his site, and right away I was able to determine that it is vulnerable to a remote code execution flaw in TimThumb. The exploitable script is found here: http://gregorydevans.com/wp-content/themes/business-success/scripts/timthumb.php. The site has not yet been updated with the latest TimThumb script.
So if you pass it the URL of an image in its src parameter, it fetches that image. For example:
Fixing this kind of vulnerability:
1. Update the script by downloading the latest PHP script here.
2. Edit the file and make sure ALLOW_EXTERNAL is set to FALSE. This is the setting that allows image fetching from external websites. As shipped, the line reads:
define ('ALLOW_EXTERNAL', TRUE);
3. Make sure that the $ALLOWED_SITES array is empty. In the vulnerable 1.x releases the allowed-sites test only checked that one of these names appeared somewhere in the requested URL, so a hostname such as flickr.com.attacker.example passed and the fetched "image" could carry PHP into the web-accessible cache directory. Remove flickr.com, picasa.com, img.youtube.com, upload.wikimedia.org, photobucket.com, imgur.com, imageshack.us and tinypic.com from this code:
$ALLOWED_SITES = array ('flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org', 'photobucket.com', 'imgur.com', 'imageshack.us', 'tinypic.com',);
so that it reads:
$ALLOWED_SITES = array ();
4. Check the temp and cache folders for possible backdoors: a cached "image" that contains a PHP open tag was not produced by a legitimate resize.
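The audit script below is an added example written for this post; it is not code from the original page or from TimThumb. It assumes the usual WordPress layout (timthumb.php, or its common thumb.php alias, inside a theme or plugin with cache and temp directories beside it) and checks steps 2 to 4 in one pass: the ALLOW_EXTERNAL value, the number of entries in $ALLOWED_SITES, and any cached file carrying a PHP open tag. The sample tree it builds when run without arguments, including the planted cache file, is constructed for the demo.

```shell
#!/bin/sh
# Added TimThumb audit helper (not from the original post or from TimThumb).
# Usage: sh timthumb_audit.sh /path/to/wordpress
# With no argument it builds a constructed sample tree and audits that.

# Report the ALLOW_EXTERNAL setting of one timthumb.php copy as TRUE, FALSE
# or UNKNOWN (the last when no define() line is found).
allow_external_setting() {
    value=$(sed -n "s/.*define *( *['\"]ALLOW_EXTERNAL['\"] *, *\([A-Za-z]*\).*/\1/p" "$1" | head -n 1)
    if [ -n "$value" ]; then
        printf '%s\n' "$value" | tr '[:lower:]' '[:upper:]'
    else
        echo UNKNOWN
    fi
}

# Count the quoted entries of $ALLOWED_SITES. The file is flattened to one
# line first so a multi-line array() is handled the same as a one-line one.
allowed_sites_count() {
    tr '\n' ' ' < "$1" \
        | sed -n "s/.*ALLOWED_SITES *= *array *(\([^)]*\)).*/\1/p" \
        | grep -o "'[^']*'" | wc -l | tr -d ' '
}

# List files under a cache/temp directory that contain a PHP open tag.
# A resized JPEG never needs one, so every hit deserves a look.
php_in_cache() {
    grep -rlaE '<\?(php|=)' "$1" 2>/dev/null || true
}

# Walk a WordPress root: report every timthumb.php/thumb.php copy with its
# settings, then scan the cache and temp directories next to it.
audit_wordpress() {
    find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) | while read -r script; do
        printf '%s: ALLOW_EXTERNAL=%s allowed_sites=%s\n' \
            "$script" "$(allow_external_setting "$script")" "$(allowed_sites_count "$script")"
        for dir in "$(dirname "$script")/cache" "$(dirname "$script")/temp"; do
            [ -d "$dir" ] && php_in_cache "$dir" | sed 's/^/  suspicious: /'
        done
    done
}

# Constructed sample tree: a theme copy with the shipped defaults plus a
# planted cache file, and a hardened plugin copy. Prints the root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/sample/scripts/cache" "$root/wp-content/plugins/sample"
    cat > "$root/wp-content/themes/sample/scripts/timthumb.php" <<'EOF'
<?php
define ('ALLOW_EXTERNAL', TRUE);
$ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);
EOF
    # JPEG magic bytes followed by a PHP tag: the shape of a cached backdoor.
    printf '\377\330\377\340 planted <?php eval($_POST["c"]); ?>' \
        > "$root/wp-content/themes/sample/scripts/cache/1a2b3c.jpg"
    printf '\377\330\377\340 clean jpeg' > "$root/wp-content/themes/sample/scripts/cache/clean.jpg"
    cat > "$root/wp-content/plugins/sample/timthumb.php" <<'EOF'
<?php
define ('ALLOW_EXTERNAL', FALSE);
$ALLOWED_SITES = array ();
EOF
    echo "$root"
}

if [ -n "${1:-}" ]; then
    audit_wordpress "$1"
else
    demo_root=$(make_sample_tree)
    audit_wordpress "$demo_root"
    rm -rf "$demo_root"
fi
```

Run it against the real document root after applying the fix and expect ALLOW_EXTERNAL=FALSE, allowed_sites=0 and no "suspicious" lines; a hit in the cache directory means the file should be pulled for analysis before it is deleted, since it is the best evidence of when and from where the site was breached.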
PS: With all due respect, sir Gregory, I didn't hack your site. If you see my IP address in the log, let's just say I was just viewing the source. ~shipcode
To Sir Gregory: This warning wouldn't help at all, because I didn't try to hack your site; I was doing a forensic investigation into how your site was breached. Please update your site as soon as possible.