A month ago we told you about a serious security hole in a popular image manipulation script, TimThumb.
Used by hundreds of WordPress themes, this was a particularly far-reaching exploit that opened up many sites to hackers who could gain entry and do pretty much what they wanted.
Thanks (or should that be “praise be”?) to the quick actions of Mark Maunder and the subsequent collaboration between him and TimThumb’s original author Ben Gillbanks, the hole has been patched up and the latest version of TimThumb is much more secure.
However, themes must then be updated with the new version, or patched accordingly. Otherwise hackers looking for this exploit could get into your site – and guess what? It’s happening.
This week a WPMU DEV member posted on the forum:
Sigh. I forgot to check one of my sites, and wouldn’t you know it? It’s the one that got hacked. I’m running a site that has TimThumb and it’s been hacked.
Bad times :(
In fact, Mark has a very insightful post showing just what hackers are capable of when they exploit this hole. In short, they can do almost anything with your web site.
Protecting yourself
So how do you know you haven’t missed a copy of TimThumb somewhere and shown hackers a wide open door?
Well, since August 14 I’ve received over 1,400 e-mails informing me that hackers were attempting to hack into my site using the TimThumb exploit.
How?
Using the excellent WordPress Firewall plugin. This piece of kit automatically detects attacks and blocks them, sending you an e-mail each time. If the guy quoted above had been using the plugin he never would have been hacked!
In one case, I’ve received over 1,000 of these e-mails on the same day! It was only after I blocked the IP address of the attacker (included in the e-mail) that the attacks ceased.
What are you waiting for? Protect yourself now!
Got any other tips for securing WordPress? Let us know in the comments or contact us!
Update: Via WordPress Tavern I’ve learned that a new plugin allows you to scan your WordPress site for the TimThumb vulnerability.
Looks good, except that it is not tested for latest version of WP and hasn’t been updated in 300 days. That usually indicates to me that I shouldn’t use the plugin.
Yep, usually I’d agree but I’ve been using this on a 3.2.1 Multisite network for some time and it works great!
Hello,
I just saw that all my websites were hit, most probably by that thing. What can I do? Just came back from holidays and “voila”, what a surprise!!
Jesus Christ! Someone, if they know how to help!
Nek
Nek – Go through and update your timthumb script or delete it if it’s on a site that doesn’t need it. Your host will probably help you. Get in touch with them and tell them it’s the timthumb security exploit.
I just told them and they came back to me that it is my problem since it’s software. How can I update that bloody file? To update it with what? Thanks for your help, Sarah
If you’re after an easy way to upgrade all copies of timthumb on your site (and make sure you don’t get caught with your pants down), I’ve written a plugin that does it here:
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
I haven’t tested it with MU specifically, but I’m almost positive it will work without issue (if it doesn’t, leave me a response, and I’ll get to fixing it).
If you’ve already been hit though, you’re going to need to either clean up your site, or hire someone to do so – upgrading your timthumb scripts won’t save you. Not a fun process.
I get this error when trying to install the plugin: The plugin does not have a valid header.
Nate, you should check that all the plugin files have been uploaded to your site correctly. It sounds like something is missing.
I got it. It works fine. Site was hacked and funny things are going on. Any idea the easiest way to block an IP address where the hack came from? I’m pretty certain a location in the Russian Federation is responsible for our hack. Thx!
It depends on the level of access you have and the operating system in use. For most *nix varieties you can block an IP in a shell with:
/sbin/route add -host 1.2.3.4 reject
If you don’t have shell access you can add the following near the top of the .htaccess file:
order allow,deny
allow from all
deny from 1.2.3.4
My website was hacked last week. I have a programmer looking at the site on Tues to fix the timthumb file.
Anyone know how I can fix it myself?
My hosting company sent me this link:
http://timthumb.googlecode.com/svn/trunk/timthumb.php and said timthumb files should be upgraded to “2.0”
Programmer language is “chinese” to me.
Peter.
Search your site for “timthumb.php” and replace it with the current version from:
http://timthumb.googlecode.com/svn/trunk/timthumb.php
You can use this command in a shell to find the files:
find ./ -name "*timthumb*"
Note there is now a plugin out which will scan your wp-content directory for the vulnerability: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
As if that wasn’t enough one of our awesome members has written a batch file for securing TimThumb on large sites :)
http://premium.wpmudev.org/forums/topic/timthumb-script?
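As an added example (not code from this post, the plugin linked above, or the TimThumb project), here is a shell script that extends the find command above: it locates every timthumb copy under a directory and reports the version each one declares, so pre-2.0 copies stand out. It assumes timthumb.php carries a define ('VERSION', '...') line as the upstream script does; the miniature wp-content tree it builds is a constructed fixture for demonstration.

```shell
#!/bin/sh
# Added example: find every timthumb*.php under a tree and flag copies
# still declaring a pre-2.0 VERSION. Assumes the script declares its
# version as:  define ('VERSION', '1.34');  (upstream convention).

# Print the version string declared in one timthumb file, or "unknown".
timthumb_version() {
    v=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Succeed (exit 0) only for major version 2 or newer, the patched line.
# Anything unparseable is treated as unpatched so it gets looked at.
is_patched() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$major" -ge 2 ]
}

# One line per copy found: PATH VERSION ok|UPGRADE
scan_timthumb() {
    find "$1" -type f -iname '*timthumb*.php' | while IFS= read -r f; do
        v=$(timthumb_version "$f")
        if is_patched "$v"; then printf '%s %s ok\n' "$f" "$v"
        else printf '%s %s UPGRADE\n' "$f" "$v"; fi
    done
}

# Number of copies that still need upgrading (0 when all are 2.x+).
count_unpatched() { scan_timthumb "$1" | grep -c ' UPGRADE$'; }

# Constructed fixture: two theme copies (one old, one current) and an
# unrelated thumb.php that the name filter must not pick up.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/old/scripts" "$d/themes/new/lib" "$d/plugins/x"
    printf "<?php\ndefine ('VERSION', '1.34');\n" > "$d/themes/old/scripts/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.2');\n" > "$d/themes/new/lib/timthumb.php"
    printf "<?php\n// not timthumb\n" > "$d/plugins/x/thumb.php"
    printf '%s\n' "$d"
}
```

Run it against a real install with `scan_timthumb /path/to/wp-content`; a version check only tells you which copies to replace, it does not clean a site that has already been hit.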
Installed the plug-in. Found no vulnerabilities. Thank you very much!
Thanks for this!