I have read ShoutMeLoud post on WordPress sites using Timthumb.php is Prone to Hacking couple of days back, and after 2-3 days
back I encountered a very strange problem on Chrome browser. When ever I opened my WordPress blog on Chrome browser, it shows following message:
“www.abc.com contains content from counter-wordpress.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.”
I also check my site at different browsers (Mozilla, IE & Opera) but this weird message was appearing only on Chrome browser. I was certain that my site is hacked and like any other guy, I searched about this issue on Google and found tons of useful information which helped me to recover my Hacked WordPress blog.
Since timthumb.php hack is going to last for some time as many people haven’t updated their themes, plugin or unknowingly some plugin might be using this script. So here I’m going to note down steps which I have taken and other steps which you can take to recover your hacked site.
Most of the plugins and themes which were using bugged timthumb.php script have updated and you can easily find updates by going to your dashboard and click on updates. If it’s a premium theme which you are using, you should check with your theme provider and see if they rolled out an update. For example, templatic and Thesis theme are free from timthumb hack but many other premium WordPress theme club were using old timthumb and now they have rolled out an update to fix the timthumb hack issue.
Scan your site for hacked content:
Once these hackers get access to your WordPress, they will be adding malicious code at different places and deep down. So finding all the malicious code won’t be that easy. Though you can look at time stamp and see which file has been updated recently and check that file for any instance of malicious code.
I also used http://sitecheck.sucuri.net/scanner/ to check my site and it revealed that there are malicious code in my java file located at wp-includes/js/l10n.js . I accessed my hosting using FTP software and replaced this file with the original file from the latest version of wordpress 3.2.1 zip folder.
Though for better online security we always suggest to keep changing your password, but as soon as you fix your site, you should change all your passwords like FTP, wp-admin and cPanel. Make sure there is no hidden admin user or no extra FTP account is added.
This is one of the easy method, you can click on updates in your Wp dashboard and reinstall WordPress. So if Hacker has added malicious code in any of core file, it will be gone. And since you already followed above steps, your site will be clean.
Based on my research on Google for timthumb hack issue, you might find some of the infected file at these locations:
Replace these files with the original files like step 2
Step 5 : Delete the following files if you found :
- /wp-content/themes/*[your themes names]*/cache/.htaccess
- /wp-content/themes/*[your themes names]*/temp/[eab9c5e9815adc4c40a6557495eed6d3.php]
Step 6 : Open “wp-config.php” and check for empty code contains of huge empty lines. Clear it all.
Step 7 : Replace timthumb with the latest version
Step 8: Log into your Google webmasters tool and check in Diagnostics if it is showing any malware warning, if it so then after cleaning up send it for review otherwise no need as it will gone automatically (as in my case )
Here are some more WordPress security tips which you should read right away:
- 5 WordPress Security plugins to check hacked WordPress blog
- The story of a hacked WordPress blog and lessons learnt.
- 7 Essential WordPress security tips