Security Expert Gregory Evans’ Blog Site Pawned With Timthumb Exploit

Just today, Gregory Evans’ blog site was defaced by Tha L (a defacer from ‘the hackers army’). Gregory Evans is a security expert who has appeared on TV and radio more than any other security consultant in the world. In fact he was said to be the world’s no. 1 security expert or hacker (I really dunno about this). But here is a YouTube video about him:


Deface Link:  https://gregorydevans.com/wp-content/gallery/L.htm


As soon as the news spread I looked at his site and was able to determine right away that it is vulnerable to remote code execution in TimThumb. The exploitable code is found here: https://gregorydevans.com/wp-content/themes/business-success/scripts/timthumb.php. The site has not yet been updated with the latest TimThumb script.

If you pass it an image URL in the src parameter, the script fetches that image. For example:

https://gregorydevans.com/wp-content/themes/business-success/scripts/timthumb.php?src=https://gregorydevans.com/wp-content/uploads/Greg_Banner_9.png

Fixing this kind of vulnerability:

1. Update the script by downloading the latest PHP script here.

2. Edit the file and make sure ALLOW_EXTERNAL is set to FALSE. This is the setting that allows image fetching from external websites. In the vulnerable file it looks like this:

define ('ALLOW_EXTERNAL', TRUE);

3. Make sure that the $ALLOWED_SITES array is empty. Remove flickr.com, picasa.com, img.youtube.com, upload.wikimedia.org, photobucket.com, imgur.com, imageshack.us and tinypic.com from this code:

$ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
    'imgur.com',
    'imageshack.us',
    'tinypic.com',
);

Thus the code would just look like this:

$ALLOWED_SITES = array ();

4. Check the temp and cache folders for possible backdoors.
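To verify steps 2 and 3 across many WordPress installs without eyeballing each file, here is an added Python checker (not from the original post or the TimThumb project) that reads a timthumb.php source text and reports whether ALLOW_EXTERNAL is still TRUE or $ALLOWED_SITES still lists hosts. The function name audit_timthumb_config and the two embedded sample configurations are constructed for this example.

```python
import re

# Constructed sample: the weak settings quoted in the post above
# (external fetching on, allow-list populated).
WEAK_CONFIG = """<?php
define ('ALLOW_EXTERNAL', TRUE);
$ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);
"""

# Constructed sample: the hardened settings the post recommends.
FIXED_CONFIG = """<?php
define ('ALLOW_EXTERNAL', FALSE);
$ALLOWED_SITES = array ();
"""

_ALLOW_EXTERNAL_RE = re.compile(
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(TRUE|FALSE)\s*\)", re.I)
_ALLOWED_SITES_RE = re.compile(
    r"\$ALLOWED_SITES\s*=\s*array\s*\((.*?)\)\s*;", re.I | re.S)


def audit_timthumb_config(source):
    """Return a list of findings for a timthumb.php source text.

    An empty list means both settings match the hardened state from
    the post: ALLOW_EXTERNAL is FALSE and $ALLOWED_SITES is empty."""
    findings = []
    m = _ALLOW_EXTERNAL_RE.search(source)
    if m is None:
        findings.append("ALLOW_EXTERNAL not defined; inspect the file manually")
    elif m.group(1).upper() == "TRUE":
        findings.append("ALLOW_EXTERNAL is TRUE: remote image fetching enabled")
    m = _ALLOWED_SITES_RE.search(source)
    if m is None:
        findings.append("$ALLOWED_SITES not found; inspect the file manually")
    else:
        # Pull every quoted hostname out of the array body.
        sites = re.findall(r"['\"]([^'\"]+)['\"]", m.group(1))
        if sites:
            findings.append("$ALLOWED_SITES lists %d host(s): %s"
                            % (len(sites), ", ".join(sites)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_timthumb_config(cfg) or ["OK"])
```

Point it at the real file with `audit_timthumb_config(open(path).read())`; a non-empty result means the file still needs the edits from steps 2 and 3.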

PS: With all due respect sir Gregory, I didn’t hack your site; if you see my IP Address in the log, let’s just say I was just viewing the source. ~shipcode

To Sir Gregory: Now this warning wouldn’t help at all because I didn’t try to hack your site, but I was doing some forensic investigation on how your site was breached. Please update your site now as soon as possible.


View full post on ProjectX Blog – Information Security Redefined

View full post on National Cyber Security » Computer Hacking
