Cyber Incident Victim: Small SEO Tools
Date: Aug 2017
Location: France
Summary
A server hosting dozens of online file conversion websites was compromised multiple times through exploitation of a known vulnerability in the ImageMagick library (ImageTragick), granting attackers full root access. This breach potentially exposed all user-uploaded files to unauthorized access or exfiltration, with evidence of malicious shells indicating prolonged undetected activity. The server owner dismissed security concerns and failed to provide verifiable proof of remediation after being alerted. Over 50 associated domains—including document, image, and name-generation tools—remained at risk due to unpatched systems, enabling potential data tampering or interception during file processing operations without user awareness.
Description
In August 2017, a security researcher discovered that a Paris-based server hosting over 50 online file conversion websites had been compromised multiple times over the preceding year through vulnerabilities in the ImageMagick library. These flaws, collectively known as "ImageTragick," allowed attackers to execute malicious code by uploading specially crafted image files containing as few as four lines of exploit code. The researcher confirmed that attackers achieved "full root access" to the server, enabling complete control over all hosted domains including combinepdf.com, imagetopdf.com, jpg2pdf.com, pdftoimage.com, pdfcompressor.com, and wordtojpeg.com. This access theoretically permitted the exfiltration or manipulation of any files uploaded by users, though definitive evidence of data theft could not be established. Three active bind shells were identified on the server, indicating persistent unauthorized access points. The affected sites, while not among the internet's most popular platforms, attracted thousands of daily users through high search rankings for terms like "pdf convert" and "image convert."

The researcher privately notified the server owner, who initially dismissed the findings by referencing an outdated configuration file that no longer reflected the server's operational state. After further engagement, the owner claimed to have patched the vulnerabilities but refused independent verification of the fixes. This lack of transparency left the security status of the sites unconfirmed. The researcher emphasized that attackers could have tampered with all incoming and outgoing data for extended periods without detection, given the root-level access and prolonged compromise. No specific evidence was presented regarding attacker motivations or whether the shells were actively exploited. The incident underscored systemic risks associated with unpatched, widely known vulnerabilities in publicly accessible file-processing services, particularly those handling user-uploaded content without adequate security monitoring or prompt remediation.
