The Community Forums


How is best to block an IP attempting to access /theme/*/timthumb.php ?

Discussion in 'Security' started by lbeachmike, Feb 19, 2012.

  1. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    I am seeing lots of scans of my hosted blogs lately for timthumb.php and thumb.php, obviously scanning for the Wordpress exploit.

    Since there is no legitimate reason to ever surf directly to either of these, I'd like to block IPs that attempt access.

    Is it better to use the regex functionality in CSF or to add a mod_security rule or something else? I am surprised that the Got Root delayed rules I am using do not already contain a rule to block these attempts.

    Thanks.

    Mike
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello Mike,

    From discussions on WordPress, it almost appears mod_security can cause potential issues if you try to block access to the files (such as this discussion indicating whitelisting the ID for blocking that access):

    WordPress › Support » Mod_Security For WordPress

    Have you tried posting on WordPress directly to get their take on the issue? They would likely be the authority on recommendations for security exploits for their application.

    Thanks!
     
  3. lbeachmike

    Hi Tristan -

    No - their forums have hardly proven to be the authority on much of everything, and this is server DDOS type of issue - not something they would have expertise in.

    I'm following the suggestions from all of the bloggers who have written about different ways to deal with this, and piecing together the best suggestions.

    All I am seeking to do is to block direct user requests for the file timthumb.php. We've had several recent load spikes, and reviewing the apache accesses, it is easy to see that these are due to brute force bot scans doing a ton of gets for theoretical wordpress paths and trying to read timthumb files that do not exist.

    For example, here is one such request -

    0-12 7385 4/511/7440 W 105.60 21 0 0.0 1.89 31.44 66.147.244.184 *.clientdomain.com GET /wp-content/themes/mystream/timthumb.php?src=/g0../0d1.gif

    That path does not exist - it is an arbitrary scan, and at that time there were 48 more GETs for similar arbitrary paths.

    One blog had suggested doing this at the user level .htaccess -

    # prevent viewing of a specific file
    <files timthumb.php>
    order allow,deny
    deny from all
    </files>

    I tried adding that into /themes/, but it does not seem to do anything at all, since I put in a test timthumb.php file and still had no problem accessing it at the path -

    www.clientdomain.com/wp-content/themes/timthumb.php

    I also tried the below with no success as well - (in other words, it did not seem to block direct requests of the timthumb.php or thumb.php files) -

    # prevent viewing of a specific file (the original pattern began with "^*",
    # which is an invalid quantifier after the anchor; match the two basenames directly)
    <FilesMatch "^(timthumb|thumb)\.php$">
    Order allow,deny
    Deny from all
    </FilesMatch>

    Any ideas?

    Thanks.
     
  4. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Configserver's CSf firewall has several ways of catching these attempts.

    You can set it up to block IPs that get a lot of 404s, which is a rather nice feature.

    You *could* also set up mod_security and set it up to block timthumb.php. *However*, this will cause you a lot of headaches as legitimate websites on your server could also call it. You may be able to block on referrer, or on other strings they provide.

    I'm currently working on a script to identify and upgrade all copies of timthumb on a server. It fetches the latest from their repository and replaces any that are not a recent version.
     
  5. lbeachmike

    Hi there -

    Thanks for your suggestions. Funny, because I too am working on a script that will run via cron and ensure all copies of TimThumb.php and Thumb.php are up-to-date. Actually, I'm just adapting code that a couple of other people have put out there which has been quite helpful in completing the needed updates. I'm adapting it so that it can safely be cron'd for ongoing certainty that all is up-to-date, particularly when users install new WordPress installations and/or themes.

    Re: using CSF to block timthumb scanning - I do not see a clean way of doing this that would be better than doing this via .htaccess/httpd.conf directives, which would simply not serve direct requests and not at all interfere with scripts legitimately calling TimThumb.

    I already use ct_limit functionality to block for DDOS by IP - but that is a very after-the-fact way of blocking timthumb scans because I can't block on a shared server until the number of repeat IP requests hitting apache is larger than my expectation of the highest # of legit requests.

    I am using ASL delayed free rules, which are 90 days old and do not yet have the timthumb rulesets, but the real-time rules do have it - so as long as the rules are written properly, they should not interfere with script operation - however, to your point, they cannot do a perfect job.

    It would seem that the most certain solution is to use the .htaccess / httpdconf directives which I can't seem to get to do what they should be doing.

    If you'd like to separately trade notes on the script you are writing, please feel free to PM me :)

    Thanks.

    Mike
     
  6. craigedmonds

    craigedmonds Well-Known Member

    Joined:
    Oct 29, 2007
    Messages:
    107
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Europe
    cPanel Access Level:
    Root Administrator
    I am having exactly the same issue.

    I am also using ASL full version. I have asked the support team at ASL and they have made some rules which show a 403 error, but of course it does not block the user's IP so multiple requests still come in.

    One of my servers has been hit 15 times today with multiple GETS which are causing load spikes.
     
  7. lbeachmike

    Thanks Craig - that is not very promising, since I was about to go forward with the realtime rules based on the info that had sent me on this. But by your account, there would also need to be a method for blocking the IP. I do not run ASL full version - just CSF. All servers are being slammed hard this morning with timthumb scans - it is as if there is an all out assault going on this morning. One server was brought down, but I tightened up CSF policies.

    I still think the best way to block the issue from bothering the server is to implement directives in .htaccess or httpd.conf to deny access to a direct request for timthumb. However, I'm having trouble getting the directive to work as expected - are you able to help with this?
     
  8. brianoz

    If you're getting slammed, try turning this feature on for a while. Most of the scanners should trigger enough 404s to get blocked quickly.
     
  9. lbeachmike

    Thanks - I did not know about this one, though this could easily trigger false positives - it is a less than exact means of filtering the bad guys.

    I still believe that it is best to block direct accesses to timthumb.php - that way you are blocking the actual bad guys with no risk of false positives and you are protecting the server from getting bogged by the requests.

    Is anybody able to help with the apache directives needed for this?
     
  10. brianoz

    The problem is, I think, that the websites on your server may access this script as well, as it's used via URL rather than internally. That means, if I'm right, that blocking the script will break all sites using it.

    The other option may be to check the HTTP referrer - don't know if that is set for image access. No doubt the bad guys will set that anyway, so that's eliminated, and tracking prior access to the site is both hard to track and easy to fake.

    The only way I can think of that is actually likely to work is to match the attack signature in timthumb accesses; that is, use mod_security to stop the timthumb hit when it contains mischief. The ideal approach would be to then combine that with CSF to block the IP semi-permanently.

    I have a feeling that the attack signature may be matched anyway by delayed ASL rules, does anyone know?
     
  11. lbeachmike

    Well, then I'm confused, because there are tons of blog posts about this topic that are prescribing these actions as a solution to the problem. For example, there is this post -

    Block Timthumb Vulnerability Scan Bots From Hacking Your Site

    Is it that these posters lack some expertise, or is it that directives will only block direct browser requests?

    Can't the directives be structured to only block direct browser off-server requests and allow server-based requests?

    This is definitely not in the delayed rules, because I am running those and being attacked rather persistently.

    mrk
     
  12. brianoz

    Those posters are talking about putting Rewrite rules in .htaccess - per site directives. These directives only affect the site they're on, so don't break anything unless the site in question contains code which uses timthumb.

    What I was talking about was mod_security rules, which are server-wide, an entirely different beast.

    Those posts are also a waste of time, as they talk about blocking specific IPs. The scanning IPs generally change all the time, so they need to be blocked automatically.

    What might not be a waste of time is matching the specific patterns they are scanning for. Or getting a few 404/403 errors in a row on URLs containing timthumb.
     
  13. craigedmonds

    Yes, that is totally 100% correct. Short term it's fine to stop immediate attacks, but the attackers just use a different proxy.

    Yes, what is needed is a mod sec rule which detects certain attacks on tim thumb and, if it exceeds X requests, just immediately bans the IP in the csf firewall, so they don't have access again.

    I am a muppet when it comes to writing mod sec rules so no idea how to do this but it would be awesome to stop these attacks.

    I do have ASL installed but all it seems to do is log the requests and provide a 403 error which is okay, but of course the server load hits 100+ because of the amount of requests they are sending through. Dropping the user after 3 hits from the same ip would make it much easier.
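As an added illustration of the approach the last two posts converge on (count failed 403/404 hits on timthumb/thumb URLs per IP, then hand repeat offenders to CSF), here is a small Python log scanner. It is not from the thread or from ConfigServer; the access-log lines are constructed, and the 3-hit threshold and the `csf -d` comment text are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log layout assumed (cPanel's default domlog format):
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

# The two file names the scanners probe for. Legitimate themes also fetch these via
# URL, so the path alone is never grounds for blocking; only 403/404 hits are counted.
TIMTHUMB_RE = re.compile(r'/(timthumb|thumb)\.php(\?|$)', re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
198.51.100.23 - - [19/Feb/2012:09:00:01 -0500] "GET /wp-content/themes/mystream/timthumb.php?src=probe.gif HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Feb/2012:09:00:02 -0500] "GET /wp-content/themes/sliding/thumb.php?src=probe.gif HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Feb/2012:09:00:02 -0500] "GET /wp-content/themes/zenko/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Feb/2012:09:00:03 -0500] "GET /wp-content/themes/ftl/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Feb/2012:09:01:00 -0500] "GET /wp-content/themes/real/timthumb.php?src=header.jpg&w=640 HTTP/1.1" 200 14021 "http://www.clientdomain.com/" "Mozilla/5.0"
192.0.2.77 - - [19/Feb/2012:09:02:00 -0500] "GET /wp-content/themes/old/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, path, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def scan_candidates(lines, threshold=3):
    """Map IP -> count of failed timthumb/thumb hits, keeping only IPs at or above threshold."""
    failures = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if status in (403, 404) and TIMTHUMB_RE.search(path):
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def csf_deny_commands(candidates):
    """Render the CSF deny commands (csf -d IP comment) for an admin to review before running."""
    return [f'csf -d {ip} "timthumb scanner: {n} failed hits"' for ip, n in sorted(candidates.items())]

if __name__ == "__main__":
    hits = scan_candidates(SAMPLE_LOG.splitlines())
    print("\n".join(csf_deny_commands(hits)))
```

The 200 response from the real theme is ignored, so a site that legitimately serves images through timthumb is never listed, while the IP probing four non-existent theme paths is.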
     
  14. lbeachmike

    I am suggesting to use the directives in the httpd.conf file, so they are of global significance. The posts are geared toward protecting a user or server with Wordpress whether or not timthumb is legitimately being used.

    I'm happy to use whatever works. My thread was soliciting help in how to do exactly that. I am simply not savvy in writing mod security rules, and I believe you had mentioned that the ASL realtime rules did not do the trick.

    I am absolutely not referring to the part of the post or other posts that are black-listing IPs from a post - that's just plain silly. I was only referencing the .htaccess directives.

    It seems that the .htaccess directives would be the most productive solution - that is, placing them into httpd.conf - because you would then simply block access entirely so that you are not serving anything to those users and I expect that would eliminate the load concerns, because currently it seems that they are served the index page. Though I think there are directives that can eliminate it serving the index page to an invalid URL, which is possibly more effective at dealing with the load issues - but then doing so globally would impact other sites negatively and you would be sacrificing on functionality.

    Do you know why the .htaccess directives mentioned earlier in my post do not work for me?
     
  15. lbeachmike

    Craig - I don't yet have ASL, but I understand that is precisely what it should be doing. I believe you have to setup security policies and it sounds like you may not have done that.
     
  16. brianoz

    Apologies, no, I haven't looked at them, I admit partly because I think it's the wrong way to do it.

    If I get the modsec rules sorted out, I'll post here.
     
  17. lbeachmike

    It may very well be the wrong way - but if I could get the .htaccess directives to do what they are supposed to do, it would take about 60 seconds to test.
     