Scouring the internet today I have learned about a new CRITICAL vulnerability opened by the timthumb.php – online image resize script. This post will help you identify if you use timthumb.php and propose immediate action
Timthumb is used, literally by thousands of developers and is one of the most favourite scripts used by template developers(no matter if they are WordPress, Joomla, Magento etc templates), as it allows for image size consistency by resizing or zoom-cropping while maintaining the aspect ratio of the original image.
The vulnerability in brief
For performance reasons, Timthumb allows for local file caching of resized images (by default in the ./cache directory). Moreover, timthumb allows to download and resize images from external servers (wordpress.com , flickr.com,blogspot.com img.youtube.com etc.) . The sources for external servers are specified in an array inside the script. Yet, the script doesn’t check on the remote url in a secure way (it uses strpos) so if it’s pointed to a url such as flickr.com.scriptkiddiehacker.com/evil.php , Timthumb will download the evil.php file and store it to the cache folder ready for execution. The hacker will just need to access www.yoursite.com/cache to get a list of the cache files and conveniently run the evil script, which can possibly feed him with full control of your system. (For complete information on the vulnerability have a look at mark maunder’s post about timthumb vulnerability ).
Fix
Hopefully, if you’re not already infected, fixing is quite easy, thanks to the immediate response of Mark Maunder and Ben Gillbanks, current developer in charge of Timthumb. Just download the latest version from the trunk following this url http://timthumb.googlecode.com/svn/trunk/timthumb.php . Replace your current version of timthumb with this new version and you are good to go
Am I infected?
Well, it’s quite hard to tell if you are already infected. Many crackers plant “code-bombs” (either in .js files, or in .php files , or in the database itself) which are extremely hard to detect. For starters navigate to the /cache directory and check for any .php files there. Most probably this is evil script code (otherwise why should a .php script reside in the /cache directory?).Do NOT execute them, just open them through FTP and make sure that this is not a useful file. If it is let it be and add a future note to understand why on earth would an executable be present in an cache directory. Otherwise, just delete the file.
Not finding such a file in the cache directory doesn’t mean that you’re clean. The crackers may have deleted it so that they leave no traces. You will have to pay close attention to your website and check for weird behaviour (popups etc.) If this is so you will need to find the injected malicious code and remote it. Be sure to search in the database too. Download the complete db schema through phyMyAdmin and just search for the malicious code. Be sure to check (both .php files and db) for “base64_decode” . Many crackers try to mask their malicious code by base64 encoding it so it’s not found by a simple text search
Actually, restoring a clean version of the website would be better approach to the whole matter.
How do I know if I’m using timThumb?
You may think that you’re not using timThumb at all but don’t be so sure. Many wordpress / joomla / magento / opencart etc. plugins use timthumb.php . Moreover, they don’t install the file in the theme or root folder, so you will have to dig around. Even in this blog I was completely sure I am not using timthumb.php, yet I found out that a plugin I have activated uses it …
Searching for the file in a linux based system is easy. Just load up your terminal to the server, navigate to your httproot and paste the following command:
find -name ‘timthumb.php’
If you are using a windows server open the command line and paste the following command:
dir timthumb.php /s
Finally if you have no console access to the system download the timthumb-finder.php I provide in the end of this post. Just run the php file from your browser and have it search for timthumb.php instances in all subdirectories (I have used the wonderful file search snippet which you can find here).
Could I have avoided all this?
Of course you could have avoided all this, by properly taking care of the security of your server. A great rule to follow is to disallow execution of scripts in asset, image and image-cache directories. How can this be done? Easily, especially if you’re using apache. Just add any of the following in an .htaccess file in those directories:
<Files ^(*.jpeg|*.jpg|*.png|*.gif|*.css)> order deny,allow deny from all </Files>
Whitelist solution : disallow the serving of all files other than .jpeg , .jpg, .png, .gif and .css files -
AddType text/plain .pl .cgi .php
Blacklist solution : have all .pl , .cgi, .php files be served as text and not executed
Options -ExecCGI AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Hardcore blacklist solution : Disallow the CGI-Script compiler for this directory and have all php, pl, py, jps, asp, html, shtml, sh and cgi served by the CGI-Script compiler. This will always lead to a server error (which you can always look up in your server error logs 
)
Download now
Download Timthumb downloader (122)
[...] Theme Library VulnerabilityTimThumb.php Vulnerability Not Only Affecting Themes – Plugins tooTimthumb.php vulnerability – thousands of templates affected : WebrevisedTimThumb WordPress: How to Fix the TimThumb.php Vulnerability in Your WordPress ThemePrevious [...]
Someone please help… I’m fairly new to this and all these site are screwed up.. Please help..
First of all don’t panic. I haven’t published your full vulnerability log for your own privacy.
You should follow the following steps:
If you have a fresh backup of your websites then restore the backup (files and database) just do step 1. Otherwise follow all steps
1 – Download timthumb.php from http://timthumb.googlecode.com/svn/trunk/timthumb.php
2 – Review your log and replace all the timthumb.php files with the new version you have downloaded
3 – Check the list with the /htaccess files provided with your host. Delete all files / websites and directories which refer to subdirectories not matching websites you host.
4 – Finally you will need to check for injected code. This is no easy task, I’m afraid. For starters, search all your website files for “base64_decode” . Try to comment / delete the lines that contain “base64_decode”. Apart from that try to find suspicious behavior in your websites, you will have to track the code manually. Finally, do this check for base64_decode for all the databases you host (the easiest procedure is to download the db schema from phpmyadmin and perform text search using a text editor).
You saved my life. Those idiots were redirecting all my search engine traffic using .htaccess
I was clueless. Then I found a timthumb.php in one of my unused theme. Hoping that is the only backdoor.
Well, that’s a tough one… If you are using Open source software make sure that you have the latest version. Moreover, using firefox and “UserAgent” plug-in try to browse your website imitating a “googlebot” UserAgent. Also use the “Tamper Data” plug-in to check the received headers from your website and make sure that you are not redirected