12th August 2011, 05:37 PM #1
Senior Server Administrator
WordPress vulnerability using thumb.php/timthumb.php
Seeing quite a few instances where WordPress sites are being exploited through thumb.php or timthumb.php scripts included in many popular themes (Headline for example). If you have WordPress please check and resolve the following details outlined at: Zero Day Vulnerability in many Wordpress Themes
The Exec summary: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven’t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you’ve been compromised.
Tony
UnitedHosting Staff For official support please use our helpdesk at UnitedSupport.co.uk UnitedHosting proudly hosting more than 65,000 sites since 1998.
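The "partial match on hostnames" point in Tony's post, as an added Python example that is not code from this thread and not timthumb's own PHP: a substring-style allow-list check (the class of check described as the flaw) beside an exact-host check, with the empty allow list the post recommends as the policy fallback. The ALLOWED_SITES entries and the URLs are constructed placeholders, not timthumb's defaults.

```python
from urllib.parse import urlsplit

# Constructed placeholder allow list; timthumb ships its own defaults, these are not them.
ALLOWED_SITES = ["cdn.example.com", "images.example.org"]


def host_of(url):
    """Hostname of a URL, lower-cased; empty string when the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def partial_match(url, allowed=ALLOWED_SITES):
    """Substring check: the weak class of check the thread describes.

    Any host that merely *contains* an allowed name passes, so hosts that
    are not on the list at all can satisfy it.
    """
    host = host_of(url)
    return any(site in host for site in allowed)


def exact_match(url, allowed=ALLOWED_SITES):
    """Hardened check: http(s) only, and the host must equal an allowed
    entry or be a subdomain of one (label boundary enforced by the dot)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return any(host == site or host.endswith("." + site) for site in allowed)


def is_remote_fetch_allowed(url, allowed=ALLOWED_SITES):
    """Policy wrapper: an empty allow list, as the post recommends, refuses
    every remote fetch; otherwise fall through to the exact-host check."""
    if not allowed:
        return False
    return exact_match(url, allowed)


if __name__ == "__main__":
    for u in ("http://cdn.example.com/a.jpg",
              "http://cdn.example.com.elsewhere.test/a.jpg",
              "http://notcdn.example.com/a.jpg"):
        print(u, "partial:", partial_match(u), "exact:", exact_match(u))
```

The hardened check anchors on the right-hand end of the hostname with a dot boundary, so neither a host that contains the allowed name somewhere in the middle nor one that merely starts with it passes; emptying the list, as the post advises, short-circuits before any matching happens.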
6th September 2011, 02:41 PM #2
Administrator
Just to bump this topic, we have heard some very large hosts have today had a good percentage of their Wordpress sites hit by this and the problem only gets worse.
If you run Wordpress please read and follow the links in Tony's post above.
Thank you,
Matt
UnitedHosting Staff For official support please use our helpdesk at UnitedSupport.co.uk UnitedHosting proudly hosting more than 40,000 sites since 1998.
6th September 2011, 09:27 PM #3
Administrator
Due to the severity of this exploit we have gone ahead and run a script across all our shared/reseller hosting servers to find the insecure version of this Wordpress file and replace it with the secure version as well as leaving a backup renamed in the same folder. It found thousands of occurrences.
Matt
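A sweep of the kind Matt describes, as an added Python example that is not UnitedHosting's script and not code from this thread: it locates timthumb.php/thumb.php copies under a WordPress tree, leaves a renamed backup beside each file it changes, empties $allowedSites in place (Tony's mitigation, used here instead of swapping in a newer file because the thread names no version numbers), and flags PHP files carrying a long base64_decode argument, the grep check from the first post. The sample tree it builds, the backup suffix and the 200-character threshold are constructed assumptions for an offline run.

```python
import re
import shutil
import tempfile
from pathlib import Path

# File names the thread reports as the exploited scripts.
TARGET_NAMES = {"timthumb.php", "thumb.php"}
# Matches the $allowedSites array assignment and captures its contents.
ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)
# Assumed threshold: a base64_decode() of a 200+ character literal is worth a look.
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{200,})['\"]")
BACKUP_SUFFIX = ".bak-timthumb"  # constructed; any renamed copy in the same folder will do


def allowed_sites_nonempty(src):
    """True when the script still carries a populated $allowedSites array."""
    m = ALLOWED_SITES_RE.search(src)
    return bool(m and m.group(1).strip())


def find_timthumb(root):
    """All timthumb.php / thumb.php copies below root."""
    return [p for p in Path(root).rglob("*.php") if p.name.lower() in TARGET_NAMES]


def neutralise(path):
    """Back the file up beside itself, then set $allowedSites = array().
    Returns True only when a change was made."""
    src = path.read_text(errors="replace")
    if not allowed_sites_nonempty(src):
        return False
    shutil.copy2(path, path.with_name(path.name + BACKUP_SUFFIX))
    path.write_text(ALLOWED_SITES_RE.sub("$allowedSites = array();", src, count=1))
    return True


def suspicious_base64(root):
    """PHP files whose source contains a long base64_decode literal."""
    return [p for p in Path(root).rglob("*.php")
            if B64_CALL_RE.search(p.read_text(errors="replace"))]


def run_sweep(root, dry_run=False):
    """Report (and unless dry_run, fix) every copy under root."""
    root = Path(root)
    report = {"timthumb": [], "neutralised": [], "base64_hits": []}
    for p in find_timthumb(root):
        report["timthumb"].append(str(p.relative_to(root)))
        if not dry_run and neutralise(p):
            report["neutralised"].append(str(p.relative_to(root)))
    report["base64_hits"] = [str(p.relative_to(root)) for p in suspicious_base64(root)]
    return report


def build_demo_tree():
    """Constructed sample tree (not real theme code): one populated copy,
    one already-empty copy, and one cache file with a long encoded string."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    theme = root / "wp-content" / "themes" / "demo-theme"
    theme.mkdir(parents=True)
    (theme / "timthumb.php").write_text(
        "<?php\n$allowedSites = array('cdn.example.com', 'images.example.org');\n")
    (theme / "thumb.php").write_text("<?php\n$allowedSites = array();\n")
    cache = theme / "cache"
    cache.mkdir()
    (cache / "x.php").write_text("<?php $d = base64_decode('" + "QUJD" * 60 + "'); ?>\n")
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for key, paths in run_sweep(demo_root).items():
        print(key, paths)
```

Run it with `dry_run=True` first on a real tree to see what it would touch; the backup copy keeps the original contents so a theme that genuinely needs remote fetching can be restored and reviewed by hand.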
8th September 2011, 01:47 PM #4
Registered User
Wow that's swift fire fighting work by UH. I'm surprised no one's replied with a quick 'thank you' for your action.
I would if I was running an affected site.
Cheers
I
8th September 2011, 01:59 PM #5
Administrator
We prefer to spend half a day implementing a bulk solution rather than trying to explain to 1000 customers who run old versions of wordpress when their site is displaying hacked pages... Overall this was a more efficient solution even if strictly speaking anyone running wordpress should really be more on top of things - We were surprised with just how many old versions of wordpress we found across our servers.
It is worth giving a stern reminder here and now that if you run a website using any sort of php/mysql script that you downloaded/installed, if you decide NOT to maintain that script by keeping it updated to the latest version on a very regular basis, then there is an extremely good chance your site will at some point be defaced or hacked. There are so many people, bots, scum out there every day scanning tens of thousands of sites for old scripts to exploit that it is only a matter of time if you choose not to spend time keeping your site maintained. You have all been warned.
Matt
8th September 2011, 06:12 PM #6
Google are telling people off for running out of date versions of Wordpress in their webmaster tools control panel these days. So you have to wonder if not being up to date with scripts could start having an effect on search rankings.
8th September 2011, 06:19 PM #7
Senior Server Administrator
Originally Posted by Tim: Google are telling people off for running out of date versions of Wordpress in their webmaster tools control panel these days. So you have to wonder if not being up to date with scripts could start having an effect on search rankings.
That would actually be a very good idea in my opinion. Why trust your information to a site that doesn't do even basic updates to their software to ensure security, much less risk exposing their visitors to malicious content.
Tony
8th September 2011, 06:19 PM #8
Administrator
I would be in favour of this... In fact it makes you wonder if we will end up with an extreme of "safe Google searches" where they only list sites known to be secure, and if they know an old script is running they remove the listing entirely!
Matt
2nd November 2011, 02:51 PM #9
Administrator
As long as you have taken recommended steps and also ensured both your wordpress install and any themes/plugins are all updated to the latest current versions available then you should be OK.
If you have done nothing, or you are running any wordpress install or theme even 1 version behind latest then you will be vulnerable to security issues. It is VERY important you regularly maintain any scripts you use and ensure you are always current - it is the only way to remain secure.
Matt