marshsu / timthumb

Automatically exported from code.google.com/p/timthumb
0 stars 0 forks source link

thump.php from woothemes hacked / exploited #361

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
i received this email this morning -- 
they state that the thumb.php was the exploit file - it must be part of the 
wootheme? I checked version and it's the same - I delete it for now - but 
wanted to pass along the info. 

--- EXPLOIT ---
/wp-content/themes/wootube/thumb.php  

---------- Forwarded message ----------
From: GoDaddy Network Abuse Department <abuse@godaddy.com>
Date: Thu, Mar 29, 2012 at 5:08 AM
Subject: ACTIVE PHISHER DETECTED AT TOP10TFLN.COM RESPONSE REQUIRED!
To: kjnllc@gmail.com

Dear Ken Nagel,

It has been brought to our attention that your domain name and hosting account 
has been implicated in a phishing scheme. This action is a violation of Go 
Daddy's Universal Terms of Service and Domain Registration Agreement.

A phishing attack is an attempt to steal Internet users personal identity data 
and/or financial or ecommerce account information. The term "phishing" arises 
from the use of increasingly sophisticated lures to "fish" for users' financial 
information and passwords. Phishing schemes use 'spoofed' e-mail messages to 
lead consumers to counterfeit websites designed to trick recipients into 
divulging financial data such as credit card numbers, account usernames, 
passwords and social security numbers.

In short, your website is being used to commit crimes against innocent people.

A screenshot of the offending content residing on your site has been attached 
to this notice. The URL displayed in the browsers address bar provides the 
location (or URL) of this content. Additionally, the following contents have 
been identified as offending content present in the account:

--- FILES ---
/data.php
/wtf.php

/wp-content/uploads/HMRC.zip

/wp-content/themes/wootube/data.php
/wp-content/themes/wootube/inc.php

/wp-content/themes/wootube/cache/.htaccess
/wp-content/themes/wootube/cache/56f7dc41734a3b2f240ef3b1f4303a51.png
/wp-content/themes/wootube/cache/external_0d6cf674f4badfccff98abbedd62a22a.php
/wp-content/themes/wootube/cache/external_1aa6a8a11e55bcf516ded694ed62e29a.php
/wp-content/themes/wootube/cache/external_3241b59aecd707c002bf078416ccea48.php
/wp-content/themes/wootube/cache/external_35b57a78ef23ee4877c175d9438c92f2.php
/wp-content/themes/wootube/cache/external_3b67f438b5d4b2b0db85d4b1d1a9fca0.php
/wp-content/themes/wootube/cache/external_506f5daa6376eab0cc1b251cbb95ed67.php
/wp-content/themes/wootube/cache/external_57194fca41040c2b1eca8fa98bf75ec5.php
/wp-content/themes/wootube/cache/external_705db0687356c7bf0e56ce1921e9e2b5.php
/wp-content/themes/wootube/cache/external_771b821c974131c67e34c83d8d2db725.php
/wp-content/themes/wootube/cache/external_9161dc4fc178272b2c8a903db03b5f6f.php
/wp-content/themes/wootube/cache/external_939eb3a34a3d191de76a00351712a316.php
/wp-content/themes/wootube/cache/external_a9fce1fdb4b5fea27d15e8bd38771df8.php
/wp-content/themes/wootube/cache/external_b4a223857c95a4ac141b217e289b0e1a.php
/wp-content/themes/wootube/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php
/wp-content/themes/wootube/cache/external_dc43a6822243bae61e6621d633c32222.php
/wp-content/themes/wootube/cache/external_dfa5fd5461e7e4b5bd65098f93d8d24c.php
/wp-content/themes/wootube/cache/external_ed59d62e1b1e2167275feed65b374079.php
/wp-content/themes/wootube/cache/external_ffe37f6533095659017bd96829adf796.php

--- DIRECTORIES ---
/wp-content/uploads/HMRC/

--- EXPLOIT ---
/wp-content/themes/wootube/thumb.php 

*** NOTE ***
This may not be a complete listing of the offending content present in your 
account. You are responsible for reviewing the account to ensure that all 
offending contents have been removed and the necessary actions have been taken 
to secure the site.
************

It is possible that a third party was able to gain access to your website, 
without your knowledge, in order to upload these files and initiate this 
abusive action. This does not change that fact that it is your responsibility 
to ensure that your website is secure from this type of exploitation.

*************IMPORTANT*********************

SUSPENSION OF SERVICES!

Due to the possibility of credit card fraud and/or identity theft, Go Daddy 
must take action. The TOP10TFLN.COM domain name and hosting account must be 
suspended. These suspensions are scheduled to take place within the next two 
hours.

An immediate response from you regarding this matter is required. If you are 
able to respond before the suspension of your services occurs you may be able 
to prevent this action.

**************************************************

In order to ultimately resolve this matter additional action is required:

1. Remove the offending content located at the URL exhibited in the attached 
screenshot.
2. Reply to this notice with a statement that you have removed this content and 
that you will take measures to secure your site in order to prevent this type 
of abuse from occurring in the future.

If you have any questions regarding this matter, Go Daddy's Network Abuse 
Department urges you to call our 24/7 Abuse Hotline at 480-624-2505.

For more information on phishing and how to prevent it please visit the 
following sites:

http://en.wikipedia.org/wiki/Phishing
http://www.antiphishing.org/

Sincerely,

Network Abuse Department
GoDaddy.com
24/7 Network Abuse Department Hotline: 480-624-2505
ARID 1029

Original issue reported on code.google.com by kjn...@gmail.com on 29 Mar 2012 at 1:16

GoogleCodeExporter commented 9 years ago
Hi - please make sure your themes are kept up to date. This was fixed last year 
- as soon as the issue was found.

http://www.woothemes.com/2011/08/timthumb-security-flaw-patch/

Original comment by BinaryMoon on 14 Apr 2012 at 7:15