Major hack

Postby wmike1503 » 11 Feb 2012, 10:03

I had been using Suffusion happily on one of my sites.

Yesterday my host disabled my site entirely due to a serious hacking episode - leading to hundreds of spam emails being sent out and a general messing up of my site.

My provider pinned this down to a malicious script contained in part of the Suffusion theme, specifically:

'The actual compromise appears to have happened back in January - related to the Timthumb plugin in the Suffusion theme.

More information is available here,
http://wordpress.org/extend/plugins/tim ... y-scanner/

Essentially though, that theme, or the plugin specifically lets attackers do what they want on your site - it's as if they uploaded the files themselves - as the timthumb plugin lets them pull in code from anywhere they wish.

Once this initial file has been run, they can write their own PHP code to run exactly what they wish, including spamming, redirecting, phishing. It's a very nasty hack.'

This could have been more serious if my hosting company had not been vigilant.

I would, respectfully suggest that this is looked into and put right. Until then, I will be straying well clear.

Mike
wmike1503
 
Posts: 20
Joined: 17 May 2010, 07:09

Re: Major hack

Postby matjas » 11 Feb 2012, 10:16

Disable the plugin and be aware of the fact that every plugin that gives people rights is dangerous. Don't suggest it's a theme problem!
matjas
 
Posts: 27
Joined: 08 Jan 2012, 03:19

Re: Major hack

Postby drake » 11 Feb 2012, 10:19

The Timthumb exploit was addressed a long time ago. Suffusion was one of the first themes that avoided using Timthumb and used the native WordPress resizing feature instead. You should update your site regularly to avoid such things.
drake
 
Posts: 3793
Joined: 26 Jul 2011, 07:56
Location: Constanta, Romania

Re: Major hack

Postby wmike1503 » 11 Feb 2012, 10:41

Wow.

I can only report what my host points out.

I had not installed Timthumb as a plugin.

But, heh ho. Must be my fault then.

And, by the way, I do install updates when available.
wmike1503
 
Posts: 20
Joined: 17 May 2010, 07:09

Re: Major hack

Postby drake » 11 Feb 2012, 11:10

Sorry, I was wrong. Suffusion had stopped using Timthumb BEFORE the discovery of the exploit. See this.

So, either you are using an old version of the theme, or you are using another plugin that came bundled with Timthumb. Note that Timthumb is in fact an image resizing utility; it is not necessary to have the plugin itself, but it can be any of your plugins that manipulates your images in any way - a Recent Posts plugin that shows thumbnails for posts is just one example.
drake
 
Posts: 3793
Joined: 26 Jul 2011, 07:56
Location: Constanta, Romania

Re: Major hack

Postby sayontan » 11 Feb 2012, 11:23

wmike1503 wrote: This could have been more serious if my hosting company had not been vigilant.

I would, respectfully suggest that this is looked into and put right. Until then, I will be straying well clear.

As it happens, I have been way more vigilant than your hosting company. It always helps to research a bit before generating FUD:
1. The TimThumb vulnerability was discovered in August 2011: http://markmaunder.com/2011/08/01/zero- ... ss-themes/
2. I yanked TimThumb from Suffusion in Feb 2011, almost 6 months before the event: http://aquoid.com/news/2011/02/suffusion-version-3-7-5/, and almost a year back from now. This was way before this vulnerability was public knowledge, and I didn't even know that the script was vulnerable when I removed it.
3. I even posted a separate note after the vulnerability was discovered to urge people to upgrade: http://aquoid.com/news/2011/08/recent-t ... ct-on-you/

So what is it that you wish I look into? If you have upgraded your theme in the past one year, then your host is feeding you baloney. Sorry, I don't mean to sound offensive, but I can't help it if you come in and make a statement that suggests that I have in any way been callous about this.
Sayontan Sinha | http://mynethome.net/blog | http://www.aquoid.com/news
I don't do freelance work (for Suffusion or otherwise), so please don't contact me for quotes or offers.
sayontan
Site Admin
 
Posts: 10159
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas

Re: Major hack

Postby wmike1503 » 12 Feb 2012, 02:08

Well, I'm sorry you suggest that I have been offensive. Just pointing out what happened to my site. So it's no one's fault but mine.

Fine.

Thank you
wmike1503
 
Posts: 20
Joined: 17 May 2010, 07:09

Re: Major hack

Postby sayontan » 12 Feb 2012, 02:54

Sorry, I wasn't suggesting you have been offensive (you can reread my post), and I am not trying to shift blame.

It is just that Suffusion has been free of TimThumb for a year, and since way before the vulnerability was discovered. I have had my own sites hacked in late 2010 probably due to TimThumb, and without knowing the root cause of the hacks I figured I would get rid of the script. So I put in a lot of effort and built a native image resizer without TimThumb, and that works better than the resizer of any other theme. To be accused of leaving TimThumb in one year after I take it out, then being told "I would, respectfully suggest that this is looked into and put right. Until then, I will be straying well clear", frankly sucks.

Mind you, YOU are posting on MY forum a statement that is wrong. Since I am not guilty of any of the charges laid at my doorstep, I do feel justified in retaliating. If you had merely posed your message differently, like "I was wondering if what my host says is right", you would have gotten a very different answer. Instead you praised your host for "vigilance", and insinuated that I messed up, while the reality is that your host came to the party one year after the cake was finished. That type of an insinuation is just a low blow, particularly since whenever I have spotted an installation of Suffusion older than 3.7.5 I have immediately advised the user to upgrade the theme.

I took a look at your older posts and I noticed that your last post was on Feb 28, 2011. If you are indeed using the version of the theme you had then, it has no TimThumb (that was the release where I did away with the script). In such a case one of two things is possible:
1. Your TimThumb might be coming from another folder. Note that a theme doesn't have to be active for TimThumb to be run.
2. When you upgrade WP, hosts tend to back up the older installation to a different folder. If you have WP backups that are old, they will have old copies of the theme and that can cause issues too.
Sayontan Sinha | http://mynethome.net/blog | http://www.aquoid.com/news
I don't do freelance work (for Suffusion or otherwise), so please don't contact me for quotes or offers.
sayontan
Site Admin
 
Posts: 10159
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas
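The two possibilities sayontan lists above (a stray copy of the script in an inactive theme folder, or an old copy sitting in a backup of a previous WordPress installation), together with drake's earlier point that any plugin bundling TimThumb counts too, all come down to the same check: find every copy of the script under the web root, wherever it sits, because PHP files are reachable whether or not their theme is active. The scanner below is an added example written for this thread; it is not code from the Suffusion project or from any poster. It assumes TimThumb is deployed as timthumb.php (thumb.php is an assumed alias) and that the file declares its version with a `define('VERSION', ...)` line; the sample directory tree and version strings it builds are constructed for the demonstration.

```python
"""Find stray copies of TimThumb under a WordPress install (added example)."""
import os
import re
import tempfile
from pathlib import Path

# File names under which the script is deployed. "timthumb.php" is the
# canonical name; "thumb.php" is an assumed alias used by some themes.
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# Best-effort extractor for a line such as: define ('VERSION', '1.2');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]""")


def classify(path: Path, root: Path, active_theme: str) -> str:
    """Say where a hit lives relative to the WordPress root."""
    parts = path.relative_to(root).as_posix().split("/")
    if parts[:2] == ["wp-content", "themes"]:
        if len(parts) > 2 and parts[2] == active_theme:
            return "active-theme"
        return "inactive-theme"          # theme folder that is not in use
    if parts[:2] == ["wp-content", "plugins"]:
        return "plugin"                  # a plugin that bundles the script
    return "outside-install"             # e.g. a host-made backup of old WP


def find_timthumb_copies(root, active_theme):
    """Walk the tree and report every file that looks like TimThumb."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            # Require a content marker so an unrelated script that merely
            # happens to be called thumb.php is not reported.
            if "timthumb" not in text.lower():
                continue
            match = VERSION_RE.search(text)
            hits.append({
                "path": path.relative_to(root).as_posix(),
                "version": match.group(1) if match else "unknown",
                "location": classify(path, root, active_theme),
            })
    return sorted(hits, key=lambda h: h["path"])


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def build_sample_tree() -> str:
    """Construct a throwaway install tree that mirrors the thread's scenarios."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    timthumb = "<?php\n// TimThumb (constructed sample)\ndefine ('VERSION', '{v}');\n"
    # Active theme with the script already removed, as in Suffusion >= 3.7.5.
    _write(root, "wp-content/themes/suffusion/functions.php", "<?php\n// no resizer script here\n")
    # Old copy left behind in a host backup of a previous WordPress install.
    _write(root, "backup-2010/wp-content/themes/suffusion/timthumb.php", timthumb.format(v="1.2-sample"))
    # Inactive theme that still ships the script.
    _write(root, "wp-content/themes/oldtheme/timthumb.php", timthumb.format(v="1.3-sample"))
    # A thumbnail plugin bundling the script under the alias name.
    _write(root, "wp-content/plugins/recent-thumbs/thumb.php", timthumb.format(v="1.4-sample"))
    # Unrelated file with the alias name and no TimThumb marker: must be ignored.
    _write(root, "wp-content/uploads/thumb.php", "<?php\n// unrelated helper (constructed)\necho 'ok';\n")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_timthumb_copies(sample_root, active_theme="suffusion"):
        print(f"{hit['location']:16} {hit['version']:12} {hit['path']}")
```

Run it against a real web root with the name of the active theme and treat every `outside-install`, `inactive-theme` and `plugin` hit as something to remove or update, since the thread's point is that an old copy anywhere under the document root is enough for the script to be invoked.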

Re: Major hack

Postby wmike1503 » 12 Feb 2012, 05:39

Thank you for your reply.

I wasn't suggesting any of the above. I have obviously upset your sensibilities.

My apologies, I will not be bothering you again.

Good luck with your themes.

Mike
wmike1503
 
Posts: 20
Joined: 17 May 2010, 07:09

