The security researcher, who asked not to be named for fear of legal repercussions, told ZDNet that the attacker obtained "full root access" to the server and its contents.
The researcher said the level of access would allow an attacker to quietly exfiltrate any file uploaded to the sites, but said it was "impossible to tell" what the shells were for, or if they were actively in use.
The Paris-based server hosted sites -- including combinepdf.com, imagetopdf.com, jpg2pdf.com, pdftoimage.com, pdfcompressor.com, and wordtojpeg.com, among others -- that let users convert files and documents to other formats.
These are hardly the most popular sites in the world, but thousands of people use them each day, according to various traffic metrics and statistics sites. Key search terms like "pdf convert" and "image convert" bring up several of the affected sites on the first page of Google search results, giving them an edge over other conversion sites.
The server was vulnerable to a year-old set of bugs found in the ImageMagick library, a popular tool used to convert images. The bugs, known collectively as "ImageTragick," are extremely easy to exploit -- in one case, as simple as uploading an image file containing four lines of code to the server. The bug is so serious that Facebook paid a record bug bounty to a researcher who found that the social network was vulnerable, and Yahoo stopped using the software altogether. Countless servers and websites remain unpatched to this day.
As soon as the image is uploaded, the code runs, opening up a bind shell on the server, which listens for commands or code from an attacker's server.
According to the researcher, there were three other bind shells open on this vulnerable server.
"The impact of this incident is concerning to me," said the security researcher. "All data going in or out of the server was being tampered with for months on end without the server owner noticing it."
We tracked down and contacted the owner of the server, who did not provide his name and responded aggressively when provided with details of his vulnerable server.
"That config file is half a year old. If you claim my server still has that problem with Image-f**king-Magick, please send me the new config file," said the server owner. "If you can't, well, you're too late."
The server owner later said he had updated his servers and rebuffed several claims about his server's security.
There's no easy way to determine if a server is vulnerable unless the server is actively exploited with a malicious image. The security researcher did not retest the server after ZDNet reached out to the server owner for fear of legal repercussions, so there is no way to verify that the sites have in fact been patched.
"The fact that he has control over sites that are so widely used for manipulating documents, even if they weren't compromised, is really worrying," the researcher said.
"This should be a lesson for all of us," the researcher said. "If you don't want something to be stolen, don't give it away, especially to sites that you don't trust."