TimThumb.php found with zero-day vulnerability! Update Now.
TimThumb is a PHP script for cropping, zooming and resizing images. It is bundled with many WordPress themes and plugins. Unfortunately, if you neither remove nor update the timthumb.php script, your site is at risk of being hacked.
Sites have been hacked by having code of the form base64_decode …long string of malicious obfuscated code')) injected into .php files through the timthumb.php file. The script keeps a cache directory inside wp-content and writes to that directory when it fetches images and resizes them.
This vulnerability was first reported by Mark Maunder after his own site was hacked through the timthumb.php file. Luckily for all of us, Mark found a solution: he rewrote TimThumb as a new, more secure thumbnailer project called WordThumb, and he has now merged that work into TimThumb 2.0.
On the suggestion of Matt Mullenweg (WordPress founder) Ben Gillbanks (TimThumb author) and I have been working for the last day to merge my work on WordThumb into TimThumb 2.0.
That work is now complete and TimThumb 2.0 is now available for download from the TimThumb site.
I’m going to be working with Ben going forward to continue to have TimThumb be the easiest to use, fastest, most popular and most secure thumbnail script on the Web.
MarkMaunder.com
Thanks Mark! You rock!
If you're using an outdated version of TimThumb…
You need to upgrade your theme and any plugins that use timthumb.php to the latest version (2.0). Ask your theme or plugin developer for an upgrade, or hop on over to Mark's site to learn how to upgrade it yourself.
Our site uses a child theme of *Genesis by StudioPress. I checked with their support forum and found that the Genesis framework uses WordPress's own built-in image handling, which is great. However, their classic themes (from before WordPress post thumbnails, and before Genesis) did use timthumb. Classic theme users should upgrade to the Genesis framework with a child theme, or switch to the WordPress thumbnailing system.
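Before asking a developer for an upgrade, a site owner needs to know where timthumb.php lives and whether anything has already been written into other PHP files. The checks below are an added example, not code from this post or from the TimThumb project: they walk a WordPress tree for timthumb.php copies older than 2.0 (read from the script's own VERSION constant), for PHP files carrying a base64_decode() payload wrapped in eval(), and for PHP files that any user on the host can write to (the permissions point madprog raises in the comments). The function names and the sample tree, including its file contents, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the post or from TimThumb: check a WordPress tree
# for outdated timthumb.php copies, for PHP files carrying an eval(base64_decode(...))
# injection, and for world-writable PHP files. Function and path names are hypothetical.

# List each timthumb.php (or renamed thumb.php) under $1 whose VERSION is below 2.0.
find_outdated_timthumb() {
  find "$1" -type f \( -name timthumb.php -o -name thumb.php \) -print |
  while IFS= read -r f; do
    # TimThumb declares its version as: define ('VERSION', '1.33');
    ver=$(grep -oE "define *\( *'VERSION' *, *'[0-9][0-9.]*'" "$f" |
          grep -oE "[0-9][0-9.]*" | head -n 1)
    case "${ver:-unknown}" in
      2.*|3.*) ;;                                      # 2.0 or later: patched
      *) printf '%s\t%s\n' "$f" "${ver:-unknown}" ;;  # outdated or unrecognised
    esac
  done
}

# List PHP files under $1 containing the injected decoder, allowing for
# whitespace and the common gzinflate() wrapper around base64_decode().
find_injected_php() {
  find "$1" -type f -name '*.php' -exec \
    grep -lE "eval *\( *(gzinflate *\( *)?base64_decode *\(" {} +
}

# List PHP files under $1 that are world-writable; as madprog notes in the
# comments, timthumb.php should never be able to write into other PHP files.
find_world_writable_php() {
  find "$1" -type f -name '*.php' -perm -002 -print
}

# Build a small constructed WordPress-like tree under $1 to run the checks on.
make_sample_tree() {
  mkdir -p "$1/wp-content/themes/old/scripts" "$1/wp-content/themes/new" "$1/wp-admin"
  printf "<?php\ndefine ('VERSION', '1.33');\n" > "$1/wp-content/themes/old/scripts/timthumb.php"
  printf "<?php\ndefine ('VERSION', '2.0');\n" > "$1/wp-content/themes/new/timthumb.php"
  printf "<?php echo 'clean';\n" > "$1/wp-content/themes/new/functions.php"
  # Constructed stand-in for an injected file; the base64 here merely decodes to "ABCD".
  printf "<?php eval(base64_decode('QUJDRA=='));\n" > "$1/wp-admin/options-privacy.php"
  chmod 644 "$1/wp-content/themes/old/scripts/timthumb.php" "$1/wp-content/themes/new/"*.php
  chmod 666 "$1/wp-admin/options-privacy.php"
}

demo_root=$(mktemp -d) && make_sample_tree "$demo_root"
echo "== outdated timthumb:";   find_outdated_timthumb "$demo_root"
echo "== injected php:";        find_injected_php "$demo_root"
echo "== world-writable php:";  find_world_writable_php "$demo_root"
rm -rf "$demo_root"
```

Run it against the real document root instead of the sample tree by replacing `demo_root` with your WordPress directory; any file the second or third check reports needs to be cleaned or locked down regardless of which timthumb.php version is installed.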
Leave Your Feedback
Has your site been hacked recently and using an outdated version of timthumb? Do you have a theme or plugin that uses an outdated version of timthumb? Please let us know by leaving your comment below.
Securely yours,
Regina Smola
WordPress Security Expert
Follow me on Twitter
Follow WPSecurityLock on Twitter
Become a Facebook Fan
* Denotes our Affiliate Link. If you make a purchase through this link, we receive a commission.
Peter says
Dear Regina,
Yes, my sites are on a shared server and once they got in through the Thesis Tim Thumb PHP it’s been almost impossible to get rid of them. Also my host, Just Host, has not been helpful at all at ridding my sites of hacked files.
For anyone who has suffered the same fate, check this file: wp-admin/options-privacy.php. It had been replaced with a known phishing attack.
The damage has already been done, however, as visitors to my sites during this time probably won’t be return visitors.
There’s one thing I left to say, “I’ve been Hacked!”
Peter
Dia Ritoch says
I hear you about JustHost support people! They just simply don’t care! I tried chatting and calling them. All they will give you is an automated email on how to protect your files, full of BS.
cheryl says
My site uses a Genesis theme and was hit with this yesterday (well, not it exactly, because it doesn’t use tim thumb) but zero day injection, so switching to Genesis won’t prevent it.
Regina Smola says
Hi Cheryl,
Sorry to hear your site got attacked. StudioPress does have their security reviewed on their themes, so I doubt that’s how they got in. Let me know if you need any help.
Have a great day,
~ Regina Smola
Dia Ritoch says
I have been hacked too! God, they hacked our entire server! And I just confirmed it now after reading this post that it was, in fact, through TimThumb that they got in. Their code is this (below), in every PHP file:
Edited by WPSecurityLock: Code was copied to pastebin here:
http://pastebin.com/XPvSSfLL
And I also found their code that they use for sending e-mail whenever they do the attack:
Edited by WPSecurityLock Admin: Code was copied to pastebin here:
http://pastebin.com/RwDpuQgd
We have got to stop this! It has been such a pain!
madprog says
I found that upgrading to 2.8.18 did NOT solve the problem. I disinfected all PHP scripts on the entire site, and installed a new version of timThumb. About 1 month later, the files were once again infected. My recommendation would be to secure the ownership and write permissions on all PHP files to prevent the timthumb.php from writing to the files, or remove timthumb completely and use something else.