New Waves of Timthumb Attacks on my WordPress Blogs

Once again my firewalls are bouncing off attacks. In the last week all my sites have been targeted many times. All attacks are looking for weaknesses in the same places – Timthumb.php plugins within some WordPress themes.

Now, I am not a techy really, or a developer / coder, so what I am about to say is total guesswork! But I suspect that as a stand-alone plugin / bit of code Timthumb is rock solid – so long as it is kept up to date.

Many WordPress themes bundle Timthumb to allow more magazine-style layouts, with thumbnail images used in excerpts and features (for example). However, these bundled copies are not always kept up to date, and the result is an insecure section in an otherwise up-to-date WordPress site.

So, which themes may pose a risk if they are not up to date? Well, the following URLs have been hit hundreds of times in the last week on my sites:

  • /wp-content/themes/Glow/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/snapshot/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/OptimizePress/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/eNews/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/overeasy/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/freshnews/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/headlines/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/DeepFocus/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/canvas/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/comfy-3.0.9/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/crisp/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/skeptical/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/diarise/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/gazette/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/themorningafter/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/modularity/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/Nova/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/busybee/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/TheProfessional/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/SimplePress/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/TheStyle/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/delicate/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/delegate/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/inspire/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/bueno/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/sealight/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/Widescreen/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/optimize/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/dailyedition/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/TheSource/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/LightBright/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/TheCorporation/scripts/timthumb.php?src=/g0../0d1.gif
  • /wp-content/themes/premiumnews/scripts/timthumb.php?src=/g0../0d1.gif

There may of course be other themes, but these are the ones I am seeing.

Fortunately I run firewall plugins on all my sites, so any requests of this nature are blocked. I really do not understand why this is not a core feature in WordPress; I am sure there is a good reason!
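If you do not run a firewall plugin, the same probes still show up in the web server's access log. The following is an added example, not code from the original post: it parses a few constructed Apache combined-log lines (the probe value src=/g0../0d1.gif is the one quoted above; the IP addresses and the remote.example host are made up), flags timthumb.php requests under a theme directory whose src parameter contains dot-dot segments or points at an external URL, and totals them per theme and per client, listing any that were not blocked.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log format (not real traffic);
# the probe value src=/g0../0d1.gif is the one quoted in the post above.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2011:10:01:02 +0000] "GET /wp-content/themes/Glow/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Sep/2011:10:01:03 +0000] "GET /wp-content/themes/canvas/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 403 212 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2011:10:02:10 +0000] "GET /wp-content/themes/canvas/scripts/timthumb.php?src=http://remote.example/pic.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2011:10:03:00 +0000] "GET /wp-content/themes/mytheme/scripts/timthumb.php?src=wp-content/uploads/2011/09/photo.jpg&w=150 HTTP/1.1" 200 4410 "http://example.org/" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2011:10:03:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Any timthumb.php living under a theme directory; captures the theme name.
THEME_RE = re.compile(r"^/?wp-content/themes/(?P<theme>[^/]+)/.*timthumb\.php$", re.I)


def classify(line):
    """Return details of a suspicious timthumb request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    t = THEME_RE.match(url.path)
    if not t:
        return None
    src = parse_qs(url.query).get("src", [""])[0]
    reasons = []
    if ".." in src:                       # dot-dot segments have no place in a thumbnail source
        reasons.append("traversal-style src")
    if re.match(r"^[a-z][a-z0-9+.-]*://", src, re.I) or src.startswith("//"):
        reasons.append("remote src")      # an external source is worth reviewing
    if not reasons:
        return None
    return {"ip": m.group("ip"), "theme": t.group("theme"), "src": src,
            "status": int(m.group("status")), "reasons": reasons}


def summarize(log_text):
    """Aggregate suspicious hits per theme and per client, and list any that were not blocked."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    return {"hits": hits, "by_theme": Counter(h["theme"] for h in hits),
            "by_ip": Counter(h["ip"] for h in hits),
            "unblocked": [h for h in hits if h["status"] < 400]}  # served, not blocked: check these
```

A 403 from a firewall plugin is what you want to see on every one of these; a 200 means the request reached timthumb.php and that theme's copy needs checking.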

Timthumb WordPress Vulnerability / Hack

There is a load of info on the Internet about this problem. Mark Maunder explains what it is all about in this blog post: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/ and in another blog post called Zero Day Vulnerability in many WordPress Themes. In fact, the problem reached the mainstream news sites such as The Register and PC World.

Timthumb Vulnerability Scanner

Not sure if your site is at risk? Well, there is a plugin that scans your wp-content directory for vulnerable instances of timthumb.php and optionally upgrades them to a safe version. It was written by peterebutler.
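The same inventory can be taken from a shell without installing anything. This is an added example, not the plugin's code: it walks a wp-content tree, finds every timthumb.php (and thumb.php, a common renaming inside themes), reads the VERSION constant each copy defines, and flags copies below a threshold or with no version at all. The MIN_SAFE_VERSION threshold and the three stand-in files are assumptions made up for the demonstration, not taken from the post.

```python
import os
import re
import tempfile

# Assumption (not stated in the post): copies reporting a version below this, or no
# version constant at all, are flagged for review. Set it to the current TimThumb release.
MIN_SAFE_VERSION = (2, 0)
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]""")
# thumb.php is a common renaming of timthumb.php inside themes.
TARGET_NAMES = {"timthumb.php", "thumb.php"}


def parse_version(php_source):
    """Extract the VERSION constant as a comparable tuple, or None if it is absent."""
    m = VERSION_RE.search(php_source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan_wp_content(root):
    """Walk a wp-content tree and return (relative path, version, needs_review) per copy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                ver = parse_version(fh.read())
            needs_review = ver is None or ver < MIN_SAFE_VERSION
            findings.append((os.path.relpath(path, root), ver, needs_review))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway wp-content tree with stand-in copies (test data, not real themes)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    samples = {
        "themes/Glow/scripts/timthumb.php": "<?php\ndefine ('VERSION', '1.32');\n",
        "themes/canvas/scripts/timthumb.php": "<?php\ndefine ('VERSION', '2.8.10');\n",
        "themes/oldtheme/thumb.php": "<?php\n// renamed copy with no VERSION constant\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, ver, review in scan_wp_content(build_demo_tree()):
        print(("REVIEW " if review else "ok     ") + rel, ver)
```

Run it against the real wp-content directory instead of the demo tree; a copy with no VERSION constant is treated as unknown and flagged rather than assumed safe.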

How to Fix and Cleanup the TimThumb Hack in WordPress

If you get affected, then wpbeginner.com provides a tutorial on how to clean up your website after being hacked: http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/

Here they also confirm that there was once a vulnerability, but that it is now safe – if your version is up to date.

Backup, Backup, Backup

Possibly the most important consideration for any WordPress site is that it is kept backed up. So long as you make regular backups of your home directory and MySQL database you should be OK. Ideally, back up automatically once a week for a quiet site and more often for busier sites.

If you do get hacked, the problem will hopefully remain within the single account. The easiest way to quickly clean a hacked site is to remove everything, reinstall a fresh copy of WordPress, upload your backed-up files (wp-content etc.) and import the database. Then start with a fresh theme, or be sure that you have fixed the vulnerabilities in your current theme before putting it back.

Many Old WordPress Sites At Risk

Of course, the real problem is that many people set up sites, get bored with them and forget about them. They do not check the sites online or monitor their Google Webmaster Tools account, so they do not notice that there is a problem. It is really these sites that are being attacked, as the hackers know that if they can take over the site, or at least drop their links or create redirects, they can boost their PageRank and make more sales.

So long as the latest version of Timthumb is used you should be OK. Taking measures to harden WordPress is also always a good idea.

2 Comments on “New Waves of Timthumb Attacks on my WordPress Blogs”

  1. As a person who claims “Now, I am not a techy really, or a developer / coder…” you’ve done a wonderful job of explaining the issues. I was doing a quick Google search to provide a client with some details and while I would normally reference the Zero Day Vulnerability, they needed something a little more “beginner” friendly.

    Your words, explanation and detail on the issue were dead on. As a developer/coder, sometimes being too technical is not good. It puts a huge gap in your beginner/non-technical audience and makes it hard for them to understand. So I guess, in short, thanks for your great post 🙂
