timthumb attack issues

craigedmonds · **Posted:** Fri Feb 17, 2012 3:40 am

Hi,

My server is constantly under attack from these types of queries across multiple sites.

Code:

/wp-content/themes/royalle/tools/timthumb.php?src=/g0../0d1

I have full version of ASL installed.

I would have thought this type of traversal attack would have been stoped.

If not, how do I add a rule to stop it?

Thanks.

mikeshinn · **Posted:** Fri Feb 17, 2012 10:09 am

This:

Quote:

/wp-content/themes/royalle/tools/timthumb.php?src=/g0../0d1

Isnt a traversal. g0.. is a valid filename and would never traverse. Are you sure thats the path?

craigedmonds · **Posted:** Fri Feb 17, 2012 10:18 am

Hi Michael,

In that case how do I block anyone who passes this variable? or .. in a query string?

Code:

/g0../0d1

No legit user would ever have the need to pass .. in a query, cos its obvious they are trying to find vulnabilities, normal users would just pass the real file name in full without ... and if users are putting filenames with .. in them, then we just tell them not to be so stupid! (after all they are on a shared server with us so have to comply)

:wink:

Whats happening is that we are getting bombarded with these types of requests and many clients have "wordpress firewall" installed which sends an email out reporting every single instance of the attack. Of course the hackers only have to send the string a few hundred times, several hundred emails get sent out, server load increases due to masses amounts of emails, until our httpd stop command comes into play after which when server load comes down to normal httpd restarts itself. So this simple attack can take the httpd service online for a minute or so. (this is happening 20-30 time a day yesterday and a few times last night)

So, for us, ALOT simpler if .. was blocked in any query string.

Kindest Regards
Craig Edmonds

mikeshinn · **Posted:** Fri Feb 17, 2012 11:26 am

Sure you can block ".." in a query, but I would expect you to get a lot of false positives. Its not uncommon at all for many web applications to legitimately use recursion, for example when users select images for an article in a CMS a lot of CMS' store their images in a subdirectory below the current context. But if you want to do this, then add a rule like this:

SecRule REQUEST_URI "\.\." \
"t:none,t:urlDecodeUni,t:lowercase,capture,id:999999,rev:1,severity:2,msg:'Custom Local Rule to block all double periods in URL',logdata:'%{TX.0}'"

Blocking all ".." in a URL is going to create false positives, so I wouldn't recommend it. We already have recursion rules (and g0../f0 isnt a recursion).

So maybe we can block this for you using a better method that wont lead to false positives. Can you post the logs for all of these probes? A better pattern may present itself which would make for a better rule, and not lead to false positives.

Also, how quickly do these occur?

craigedmonds · **Posted:** Fri Feb 17, 2012 11:53 am

Hi Michael,

I am getting this from the apache status log.

/wp-content/themes/wootube/timthumb.php?src=/g0../0d1.gif
/wp-content/themes/thestation/tools/timthumb.php?src=/g0../
/wp-content/themes/DeepFocus/thumb.php?src=/g0../0d1.gif
/wp-content/themes/delicate/tools/timthumb.php?src=/g0../0d
/wp-content/themes/crisp/thumb.php?src=/g0../0d1.gif

Its happening several times a day with various users.

We need to block this type of request.

Kindest Regards
Craig Edmonds

mikeshinn · **Posted:** Fri Feb 17, 2012 2:51 pm

OK, new rules added for this specific scenario. Just update to the latest rules and let us know.

breun · **Posted:** Fri Feb 17, 2012 3:53 pm

Do you consider 'several times a day' an attack?

craigedmonds · **Posted:** Fri Feb 17, 2012 4:52 pm

Hi Michael,

Rule 381202 rocks mate.

Within an hour I already have 122 events in my log which were blocked.

mikeshinn · **Posted:** Fri Feb 17, 2012 5:40 pm

Glad to hear it. If you ever run into something you think should be blocked, just send us the logs and we'll get out an update.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1876

Do we know that the same (odd) string is not normal behaviour when a user uses a WP extension that uses timthumb? Basically what I'm asking is, is "timthumb.php?src=/g0../0d1.gif" the signature for someone looking for an exploitable version, and such an odd string would not be seen normally?

mikeshinn · **Posted:** Fri Feb 17, 2012 7:15 pm

I tested timthumb with the rule, it doesnt trigger with normal activity.

craigedmonds · **Posted:** Tue Feb 21, 2012 3:50 am

Hi Mike,

My server had to restart 10 times last night due to these attacks (this is just a tiny snapshot fo the apache log, there is literally hundred/thousands of lines like this)

Code:

0-0   29601   17/19/665   K    5.96   0   4815   0.0   0.00   7.06    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/cinch/tools/timthumb.php?src=/g0../0d1.g
1-0   29031   22/62/674   K    14.99   0   9161   0.0   0.25   5.68    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/typebased/tools/timthumb.php?src=/g0../0
3-0   29605   1/16/712   W    2.77   2   0   0.0   0.02   3.73    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/irresistible/tools/timthumb.php?src=/g0.
4-0   29606   12/14/659   W    4.44   0   0   0.0   0.00   4.64    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/eNews/tools/timthumb.php?src=/g0../0d1.g
5-0   29513   1/9/580   W    1.60   54   0   0.0   0.03   3.82    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/deep-blue/scripts/timthumb.php?src=/g0..
6-0   29073   8/46/522   W    8.46   38   0   0.0   0.18   4.26    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/mymag/timthumb.php?src=/g0../0d1.gif HTT
7-0   29515   4/18/586   W    4.53   2   0   0.0   0.00   3.13    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/bueno/tools/timthumb.php?src=/g0../0d1.g
8-0   29539   1/13/555   W    3.14   23   0   0.0   0.01   3.22    77.222.40.147   thedomainname.co.uk   GET /wp-content/themes/modularity/thumb.php?src=/g0../0d1.gif H

What happens is that ASL detects the attack and displays a 403 error which is great but is there any way that it can also put a ban on an ip if it tries it more then X times?

Like I said in opening of thread, no legit user needs to be passing this type of query so should be blacklisted right away (IMHO).

Is there any way then that the users ip is blacklisted, so they dont even reach the site anymore?

Short of telling people that they are not allowed to use timthumb scripts, I dont know what else to do.

Kindest Regards
Craig Edmonds

Highland · **Joined:** Mon Apr 10, 2006 12:55 pm **Posts:** 657

Is OSSEC not banning them for 10 mins?

craigedmonds · **Posted:** Tue Feb 21, 2012 9:15 am

Highland wrote:

Is OSSEC not banning them for 10 mins?

Does not look like it.

Since my last post, my server has encountered high loads 8 times.

Putting ASL on the server in an attempt to thwart this, nothing has changed to be honest. ASL seems really nice to log things after the fact but I have to be able to have attempts blocked.

Kindest Regards
Craig Edmonds

Highland · **Joined:** Mon Apr 10, 2006 12:55 pm **Posts:** 657

Something you could do immediately would be to move your DNS to Cloudflare (it's free). They have a sort of "community rating" for IPs so if an IP does something bad to a site in their network they will issue a challenge (like a Captcha) to let them continue. Since it sits in front of your web server it doesn't hurt ASL, it's just an additional security layer.

timthumb attack issues

Who is online