thumbnail jpeg keeps causing file monitor alert. possible hack? (4 posts)

  1. amfm
    Posted 4 years ago #

    I have a site with 50ish uploaded jpegs. My theme uses an image resizing script that uses the native WordPress resizing function to create thumbnails from those uploads (not tim thumb).

    I have file monitoring setup to notify me of changes in files on my site. One thumbnail jpeg in particular keeps showing up as modified. It doesn't appear different to me visually, but I am curious what could be causing it to be modified over and over.

    I recently discovered my site had been hacked and I need to establish what has been involved in the hack so I can restore to a clean backup. I am trying to determine if this jpeg would be involved. (I checked the image resizing script against what is in the original theme and it appears unchanged.) I would love to hear if there are any suggestions or legitimate explanations for the thumbnail activity I have described or if this sounds like signs of a hack.

    From what I have read online it sounds like php script injection might be possible with image files, but I don't understand how that would be done or how to check if that is what has happened. Would something like that cause a thumbnail to be modified regularly? Thank you in advance.

  2. Tara
    Volunteer Moderator
    Posted 4 years ago #

  3. amfm
    Posted 4 years ago #

    Thanks. I'm familiar with those links. I was hacked once before and had to rebuild my site from scratch thanks to faulty backups. I implemented almost all of the wordpress hardening tips plus other security site tips, installed numerous security plugins, file monitoring systems, regular scans, etc.

    Rather than tips for recovering from your average hack, I am looking for feedback on whether thumbnail modifications occur regularly for people, and any clues as to what might cause the sort of activity I have described. Would a thumbnail be changed by browsing or caching? Would jquery or lightbox or something like that cause a hashtag to change? Are there ways to check if a jpeg has been injected with code? I need to try to determine if what I described is perfectly normal or sounds out of the ordinary.

    I'm trying to find my last clean backup and not sure if thumbnail modifications are a sign of a hack or just business as usual.

  4. amfm
    Posted 4 years ago #

    So, when I originally posted I suspected I had already been hacked (due to some other issues) and wasn't sure if this was involved. I have since concluded the other issues were not a hack, so my site appears clean.

    I also re-examined the file monitor change log of the thumbnail jpeg that keeps popping up and the file hash remains unchanged, as well as the name. So the only thing that appears to be changing is the date of modification. I tried deleting the thumbnail file, then revisited the site page that uses that thumbnail, and a new file was created by the image resizing script. I hoped that might take care of it, but it is still popping up almost daily in my file monitor. No idea why.

Topic Closed

This topic has been closed to new replies.

About this Topic