TimThumb Exploit


TimThumb PHP WordPress Vulnerability

Timthumb WordPress ExploitAn image re-size script timthumb.php released by Google and used by many Word Press (self hosted) themes and plugins had a vulnerability allowing hackers to load malicious script files to a Word Press website.

Hackers use automated bots to trawl sites looking for timthumb.php files in certain folders e.g. wp-content/themes/ and /wp-content/plugins. Once the bot has found timthumb.php the hacker will try to attack the site.

The vulnerability was discovered in August 2011, and the file was immediately patched to prevent these attacks. Judging by the large number of bots still looking for these files, there must be many un-patched versions still used on Word Press blogs and sites.

Should WordPress Site Owners be Concerned

You've been hacked!Yes, with any vulnerability we should have concerns. The vulnerability should have been patched by theme and plugin developers using this file, however it is up to you to make sure your blog or site is safe.

Always have the latest up to date version of WordPress, themes and plugins. Check your website to see if any theme or plugin (even inactive ones) use timthumb.php, then make sure the file is up to date.

Download Timthumb Vulnerability Scanner from WordPress.org plugin repository and use it to scan your site for Tim Thumb vulnerability. The plugin will also look for updated versions of timthumb.php and advise you when these are available.

If you prefer to check manually and you if your host allows SSH access, run the following command:

find ~/public_html -name timthumb.php

(Note: Some versions of this file have been named thumb.php rather than timthumb.php so you may want to run the above command looking for thumb.php also. Just be sure to check what is in the file before removing or editing it. Source: timthumb.php is Vulnerable)

If you don’t have SSH access, download the entire site using FTP, and search the downloaded folders for this file (Time consuming).

Speak to your Hosting service. Discuss server and website security matters with your hosting company. They should always be ready to help with security matters. If they are not, change your hosting provider immediately!

How to Fix timthumb.php Vulnerabilty

There are several options.

  1. Update themes and Plugins!!!
  2. You can download the latest version of timthumb.php from Google.com/p/timthumb and replace the files found on your server with this file.
  3. Block known IP’s by adding them to your website root .htaccess file. A regularly updated list can be found at IP Blacklist (If you use shared hosting for WordPress you MUST have a .htaccess file in the root folder of your website – if you use a dedicated server there are other ways to ensure security).

What About WordPress.com Bloggers:

Relax, the WordPress.com team are on top of things. They take care of these technical concerns so all you need to do is blog!

me on google plus+Mike Otgaar

Further Reading:

Security Alert: WordPress Timthumb Hacker on the Prowl (journalxtra.com)

Advertisements

About Mike

Web Developer and Techno-geek Saltwater fishing nut Blogger

Posted on January 13, 2012, in Internet Security, Virus, Trojans, Security Threats, WordPress and tagged , , , , , , , , , . Bookmark the permalink. Leave a comment.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: