
How to Clean Up the TimThumb Security Vulnerability

August 2, 2011 · 18 Comments · Posted in Security

Yesterday, Mark Maunder over at markmaunder.com managed to track down the source of a pretty clever hack on his site, where the attacker gained access through the massively popular TimThumb image thumbnail creation library. You can read his full post on the matter here:
Zero Day Vulnerability in Many WordPress Themes
He’s made an interesting post detailing the work he did to catch the hack – if you have the time, give it a read.

More importantly – this hack has the potential to affect hundreds of thousands of WordPress installs. Unfortunately, because the timthumb library is generally included in themes (both free and premium), it’s not going to be very easy to get patched. Premium theme sellers will no doubt release updates and notify their users, but free theme users are less likely to have such good luck. As such, it’s going to be a good idea to check your site out for this vulnerability, and fix it as soon as possible.

(Note – Subscribers to Locker have had their sites scanned for this vulnerability, and are being automatically notified if they’ve got a problem right now.)

How do I know if I’m vulnerable?

Nearly anyone using the timthumb library who downloaded it before yesterday (8/1/11) is likely to be vulnerable. How do you know if you’re using timthumb? The easiest way is probably to check your theme folders for a file called timthumb.php, using FTP or your host’s file browser. If you’re using a host with cPanel (like Hostgator), it’s very easy – just load up the file manager, then use the “Find” box in the upper right corner to search for timthumb.php. No results? Chances are good that you’re safe. One caveat: some themes ship the script under a different file name, so if your theme resizes images and you can’t find the file, search the theme’s PHP files for the string “timthumb” as well.

Make sure you check every folder in your theme – it’s likely that if your theme has a lot of included files, this file would be in a directory inside your main theme folder.

Ok, the file is there – now what?

Fortunately, thanks to the hard work of Mark in finding this and bringing it to light, Ben (the creator of TimThumb), and a few other folks, there is a more secure version of the script now available for download here:
http://timthumb.googlecode.com/svn/trunk/timthumb.php
To secure your site, save that file (File->Save Page As in most browsers) to your computer, and then upload it to your site via FTP, replacing every instance of timthumb.php with the new version you just downloaded. If that’s beyond you, or you want to be absolutely sure that you’ve closed the hole up, send me an email at peter@codegarage.com, or hit me on twitter @peterbutler, and I’ll help get you straightened out.
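The two steps above (find every copy of timthumb.php, then replace each one with the freshly downloaded script) can be done from a shell on the host instead of by hand over FTP. The script below is an added example, not code from this post or from the TimThumb project: it lists every copy under wp-content (active and inactive themes, and plugins too), swaps each for the patched file, parks the old copies outside the web root so a stale vulnerable copy can never be served, and confirms by checksum that nothing old is left. The directory layout, file names and the placeholder file contents are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from TimThumb itself.
# Paths and contents are constructed placeholders.

# List every timthumb.php below wp-content, at any depth, case-insensitively.
find_timthumb() {
    find "$1/wp-content" -type f -iname 'timthumb.php' | sort
}

# Replace each copy with $2 (the downloaded patched script). Old copies are
# moved into $3, which should sit outside the web root. Prints how many
# copies exist after the swap.
replace_timthumb() {
    wp_root="$1"; new_file="$2"; backup_dir="$3"
    mkdir -p "$backup_dir"
    find_timthumb "$wp_root" | while IFS= read -r f; do
        # Flatten the relative path into a unique backup name.
        rel=${f#"$wp_root"/}
        mv "$f" "$backup_dir/$(printf '%s' "$rel" | tr '/' '_')"
        cp "$new_file" "$f"
    done
    find_timthumb "$wp_root" | wc -l | tr -d ' '
}

# Succeed only if every remaining copy is byte-identical to the patched
# script; otherwise print the offending paths and fail.
verify_timthumb() {
    wp_root="$1"; new_file="$2"
    want=$(cksum < "$new_file" | cut -d' ' -f1)
    mismatches=$(find_timthumb "$wp_root" | while IFS= read -r f; do
        got=$(cksum < "$f" | cut -d' ' -f1)
        [ "$got" = "$want" ] || echo "$f"
    done)
    if [ -n "$mismatches" ]; then
        printf 'still old: %s\n' "$mismatches"
        return 1
    fi
    return 0
}

# Throwaway tree standing in for a real install: three old copies and one
# downloaded patched script. All contents are constructed placeholders.
make_demo_site() {
    root=$(mktemp -d)
    for d in themes/theme-a themes/theme-b/inc plugins/gallery/lib; do
        mkdir -p "$root/wp-content/$d"
        printf '<?php // OLD timthumb placeholder\n' > "$root/wp-content/$d/timthumb.php"
    done
    printf '<?php // PATCHED timthumb placeholder\n' > "$root/timthumb-new.php"
    echo "$root"
}

# Usage on a real site (these paths are assumptions for your own install):
#   replace_timthumb /var/www/site /home/me/timthumb.php /home/me/timthumb-backups
#   verify_timthumb  /var/www/site /home/me/timthumb.php
```

Run `verify_timthumb` once more after any theme or plugin update, since an update can silently put an old copy of the script back.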

Good luck!


18 Comments
  1. Thank you Peter…VERY helpful!! : )

    • Glad to help, Amanda!

  2. Thanks Peter…this works just perfectly for us without any further work required–just upload and replace. Unfortunately, we’ve got about 65 sites to do…grrrr

    • Glad to hear it’s working for you Michael – and I feel your pain. This sort of update is the worst, because it’s almost impossible to get an automated tool (like the WordPress updater, plugin updaters, etc) to do it for you easily. Good luck!

  3. Do we need to also patch inactive themes that we may have on our site? I have 2-5 old themes per site. Do I need to update timThumb on all those also?

    • Scott – it’s probably best that you do. While it would be harder for an intruder to find the vulnerability on an inactive theme, it IS still vulnerable – the theme files are still accessible from the web.

  4. Once infected by this vulnerability can you provide any insight on how to clean-up and stop further attacks?

    I have updated the timthumb version on one of my client sites, however the malware is still being reported on my site.

    After performing a scan on http://sitecheck.sucuri.net/scanner/ I was notified of two infected files which were:
    /wp-includes/js/jquery/jquery.js
    /wp-includes/js/l10n.js

    and I have also replaced these with what I believe to be clean versions.

    Some other reports that I have seen talk about a file uploaded to the /wp-content directory called upd.php however this file does not exist on my server?

    Any help you have on this problem would be most appreciated.

    • Unfortunately, it’s a pretty involved process, and probably not the kind of thing I can explain in a comment. The rough overview is this:

      First, you need to find any theme/site files that were actually modified by the hack. Oftentimes this starts with your .htaccess file, but problems are also found in theme files, plugin files, and sometimes even core WordPress files.

      I’d start by reinstalling WordPress (using the installer from the backend should be fine), deleting and regenerating your .htaccess file, and then going through your theme and plugin files looking for suspicious code – oftentimes this code shows up as very long lines of gibberish, surrounded by functions including eval(), base64_decode(), and anything starting with “gz”. It can be helpful to look at the modified and created timestamps on files to try to figure out which ones have been affected.

      Beyond that, your best bet is probably to get a professional to help. I do this sort of cleanup as part of my Locker maintenance and backup service for subscribers for free. If you’re not interested in a monthly fee, there are a number of services out there that will do it for a one time fee – and depending on my schedule (and how nicely you ask), I’ll often do it for free if you send me an email.

      Good luck!
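The hunt described in the reply above (long gibberish lines wrapped in eval(), base64_decode() or gz* calls, plus a look at modification timestamps) can be made repeatable. The script below is an added example, not code from the post or from the commenter: scan_suspicious() flags files whose long lines contain one of those calls, and recent_files() lists what changed in the last N days. Legitimate code does use these functions, so a hit is a file to read, not proof of compromise. The sample theme, its file names and the encoded blob are constructed.

```shell
#!/bin/sh
# Added example, not from the post or the comment. Sample data is constructed.

# Print each .php/.js/.htaccess file under $1 that has a line longer than
# $2 bytes (default 200) containing one of the suspicious calls.
scan_suspicious() {
    dir="$1"; min_len="${2:-200}"
    find "$dir" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) | sort |
    while IFS= read -r f; do
        awk -v n="$min_len" '
            length($0) > n && /(eval|base64_decode|gz[a-z]+)[ \t]*\(/ { hit = 1; exit }
            END { exit !hit }' "$f" && echo "$f"
    done
    return 0
}

# Print files under $1 modified within the last $2 days (default 7).
recent_files() {
    find "$1" -type f -mtime -"${2:-7}" | sort
}

# Constructed sample: one untouched theme file dated 2011-01-01 and one
# file carrying an injected eval(base64_decode("...")) line. The encoded
# blob is just "ABC" repeated; it is the shape of an injection, not a payload.
make_demo_theme() {
    root=$(mktemp -d)
    mkdir -p "$root/theme/inc"
    printf '<?php\nfunction theme_setup() { add_theme_support("post-thumbnails"); }\n' \
        > "$root/theme/functions.php"
    touch -t 201101010000 "$root/theme/functions.php"
    blob=""; i=0
    while [ "$i" -lt 80 ]; do blob="${blob}QUJD"; i=$((i + 1)); done
    printf '<?php\n/* header */ eval(base64_decode("%s")); ?>\n' "$blob" \
        > "$root/theme/inc/header-old.php"
    echo "$root"
}

# Usage on a real install (path is an assumption):
#   scan_suspicious /var/www/site/wp-content
#   recent_files    /var/www/site 7
```

Timestamps are only a hint: an intruder with write access can reset them, so a clean recent_files listing does not clear a file that scan_suspicious flags.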

  5. Hey Bro

    It’s only been 2-3 months since I got my site up, and I only have one website yet.

    But still, when I came to know about this vulnerability, I scanned my WordPress through the plugin and there are 19 files in my cache folder which are vulnerable. No other file, only 19 files are there, where small images or re-sized images automatically get stored.
    So should I just delete those files, or is there anything else I need to do?

    I got This error after scan (below)

    “Suspicious Files

    These files likely indicate that hackers have already compromised your system. They should be deleted. Please note: No files listed here does NOT guarantee you haven’t already been compromised, but files listed here almost certainly means you have.

    If your server has been compromised, your best bet is to hire a professional to clean your site up (Click here for more info – even if all you want is a little advice).”

    What should I do ?

    Waiting for your reply.

    Thanks

  6. it didn’t work for me :(
