WordPress Compromise: TimThumb
TimThumb is a tool used by WordPress themes and plugins to resize images. Old versions of TimThumb have a security vulnerability that lets attackers upload malicious ("bad") files from another website. The first bad file then lets the attacker upload more malicious files to the hosting account.
You can get more information about compromises and how to deal with them in My website was hacked. What should I do?.
Signs You've Been Compromised
Besides the signs mentioned in My website was hacked. What should I do?, you can tell your site has been affected by this specific compromise if your account contains files with the following naming patterns in a plugin directory:
- external_[md5 hash].php — for example: external_dc8e1cb5bf0392f054e59734fa15469b.php
- [md5 hash].php — for example: 7eebe45bde5168488ac4010f0d65cea8.php
You can find examples of possible md5 hashes in the MD5SUMS of Known Malicious Files section of this article.
You might also find the following files in your website's root directory (more info):
- x.txt
- logx.txt
Remedies
You must remove all of the compromised and bad files. Before deleting anything, we recommend making a backup of your website (more info).
Locating Bad Files
The bad files that are initially uploaded through the TimThumb vulnerability will typically be located in one of the following directories, which are located in the /theme or /plugin directory that contains the vulnerable TimThumb file.
- /tmp
- /cache
- /images
Examples of bad files' locations:
[webroot]/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/
Examples of bad files' names in these locations:
- ef881b33fba49bd6ad1818062d071a9c.php
- db648d44074f33a8857066b97290d247.php
- 3cf739debc9340540c923bbf3b73044b.php
- dc33a2e36d3179a06278191088c2ef35.php
- 8377cb73d30655dc2cbf906c9310da56.php
- eb117b212e2906f52c0a0c9132c6c07a.php
- a4924ec23939d2410354efbb8d4ddd06.php
- vvv3.php
- ea90e1e4d7ba30848f70b13d616c6ed4.php
- 236268f2a06e4153365b998d13934eb9.php
- 6a4fa516943e2fa09e3704486075de9f.php
- 896c4eb4ff2581f6e623db1904b80a44.php
- wp-images.php
The files x.txt and logx.txt will contain information about when a bad file was created using the TimThumb vulnerability and the location of the bad file within the hosting account. This information is helpful in determining what files need to be removed and where to find them. However, it is not likely that this will provide a complete list of files that need to be removed.
An example:
IP: X.X.X.X
Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Url: /wp-content/themes/[theme with vulnerable TimThumb]/cache/images/2817f389ac8b52527a0c5e4aabb464aa.php?clone
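The following script is an added example, not part of the original article: it walks a WordPress webroot for the file-name patterns described above (external_[md5 hash].php and [md5 hash].php under wp-content/themes and wp-content/plugins, plus x.txt and logx.txt in the webroot) and pulls the dropped-file paths out of the Url: lines of a logx.txt excerpt. The sample site it builds in a temp directory, the theme name "sometheme" and the log contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# File-name patterns the article gives for the dropped files:
# external_<md5>.php and <md5>.php, plus the x.txt / logx.txt logs in the webroot.
MD5_PHP = re.compile(r"^(external_)?[0-9a-f]{32}\.php$")
DROPPER_LOGS = ("x.txt", "logx.txt")


def find_suspect_files(webroot):
    """Relative paths of files under wp-content/themes and wp-content/plugins
    whose names match the md5 patterns, plus any dropper logs in the webroot."""
    hits = [n for n in DROPPER_LOGS if os.path.isfile(os.path.join(webroot, n))]
    for area in ("themes", "plugins"):
        base = os.path.join(webroot, "wp-content", area)
        for dirpath, _dirs, files in os.walk(base):  # yields nothing if base is absent
            for name in files:
                if MD5_PHP.match(name):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)


def parse_dropper_log(text):
    """Return the dropped-file paths recorded on 'Url:' lines of x.txt / logx.txt,
    with any query string (e.g. '?clone') removed so the path can be checked on disk."""
    paths = []
    for line in text.splitlines():
        m = re.match(r"\s*Url:\s*(\S+)", line)
        if m:
            paths.append(m.group(1).split("?", 1)[0])
    return paths


def build_sample_site():
    """Create a constructed (not real) WordPress tree in a temp dir and return its path."""
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "wp-content", "themes", "sometheme", "cache", "images")
    os.makedirs(cache)
    for name in ("2817f389ac8b52527a0c5e4aabb464aa.php",          # matches [md5].php
                 "external_dc8e1cb5bf0392f054e59734fa15469b.php",  # matches external_[md5].php
                 "timthumb.php", "logo.png"):                       # legitimate, must not match
        open(os.path.join(cache, name), "w").close()
    with open(os.path.join(root, "logx.txt"), "w") as f:  # constructed log excerpt
        f.write("IP: X.X.X.X\nBrowser: Mozilla/5.0\n"
                "Url: /wp-content/themes/sometheme/cache/images/2817f389ac8b52527a0c5e4aabb464aa.php?clone\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path in find_suspect_files(site):
        print("suspect:", path)
    with open(os.path.join(site, "logx.txt")) as f:
        for path in parse_dropper_log(f.read()):
            print("logged drop:", path)
```

Run it against a backup copy of the real webroot by replacing the sample path; as the article notes, the log only records some of the dropped files, so the name scan is still needed.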
Files to Remove
After you've created a backup of your site, remove the following files:
- x.txt
- logx.txt
- external_[md5 hash].php — for example: external_dc8e1cb5bf0392f054e59734fa15469b.php
- [md5 hash].php — for example: 7eebe45bde5168488ac4010f0d65cea8.php
- Other malicious PHP files found alongside the md5-hash-named files.
You can do this via FTP (more info) or through the file manager within the control panel for your hosting account (more info).
You should also:
- Update all of your themes and plugins to the latest version.
- Replace any instance of TimThumb.php with the newest version found here.