As most WordPress bloggers, site owners and administrators will already be aware, the TimThumb script that is popularly used for resizing images to create thumbnails for WordPress themes and plugins has a security vulnerability. An attacker can trick a vulnerable copy into fetching a file from a server they control and saving it inside the site's web space, which in practice means running their own PHP on your server.
The vulnerability was made public at the beginning of August 2011 and was patched almost as soon as it was announced. However, I've noticed an increasing number of crawls of sites I manage by scripts looking for themes and plugins that use timthumb.php. These crawls show up as 404 error reports in both the SEO Ultimate and Redirection plugins because the files the bots are hunting for do not exist on my servers. In every case, the crawler scanned the directories /wp-content/themes/ and /wp-content/plugins/.
10th Nov. 2011: Please see Bootnote for the best solution.
Scanned Themes and Directories
It looks like the bots are scanning blindly for any theme or plugin known to ship timthumb.php (or its common alias, thumb.php), rather than first working out which theme a site actually runs.
The first scans requested the following paths:
pbv_multi/scripts/timthumb.php
magazinum/scripts/timthumb.php
mypage/scripts/timthumb.php
PersonalPress2/timthumb.php
ElegantEstate/timthumb.php
zenkoreviewRD/scripts/timthumb.php
primely-theme/scripts/timthumb.php
Bold4/timthumb.php
echoes/timthumb.php
arthem-mod/scripts/timthumb.php
manifesto/scripts/timthumb.php
omni-shop/timthumb.php
versatile/timthumb.php
ArtSee/timthumb.php
Aggregate/timthumb.php
Modest/timthumb.php
Glow/timthumb.php
Quadro/timthumb.php
WhosWho/timthumb.php
Wooden/timthumb.php
StudioBlue/timthumb.php
TheSource/timthumb.php
MyResume/timthumb.php
Polished/timthumb.php
Minimal/timthumb.php
TheCorporation/timthumb.php
eVid/timthumb.php
eNews/timthumb.php
Nova/timthumb.php
AskIt/timthumb.php
OnTheGo/timthumb.php
TheProfessional/timthumb.php
eStore/timthumb.php
Bold/timthumb.php
DelicateNews/timthumb.php
DeepFocus/timthumb.php
SimplePress/timthumb.php
PersonalPress/timthumb.php
nool/timthumb.php
TheStyle/timthumb.php
IPs To Block
Place the following Apache directives in the .htaccess file in your site's document root (the directory that holds wp-config.php). They tell Apache to refuse requests from the listed addresses (list updated 20th Oct. 2011). Two caveats: the order/deny/allow syntax is Apache 2.2 (mod_authz_host); on Apache 2.4 it only works while mod_access_compat is loaded, the native form being Require all granted followed by Require not ip lines inside a RequireAll block. And most of these addresses are other people's compromised servers, so the list goes stale quickly; blocking them is a stop-gap, not a fix for a vulnerable TimThumb.
order allow,deny
deny from 107.20.5.217
deny from 108.60.0.1
deny from 109.74.205.87
deny from 113.192.25.251
deny from 119.235.18.7
deny from 122.201.81.10
deny from 132.216.12.109
deny from 157.100.150.150
deny from 173.231.43.98
deny from 173.236.12.155
deny from 173.236.194.65
deny from 173.236.210.19
deny from 173.236.26.2
deny from 173.236.31.34
deny from 173.236.58.146
deny from 173.247.251.145
deny from 173.247.253.234
deny from 173.247.255.106
deny from 173.255.215.156
deny from 174.120.224.230
deny from 174.121.22.98
deny from 174.37.148.250
deny from 178.18.89.103
deny from 180.92.161.2
deny from 184.107.163.186
deny from 184.154.106.34
deny from 184.154.109.10
deny from 184.154.12.138
deny from 184.154.88.234
deny from 184.170.146.10
deny from 184.170.146.12
deny from 187.45.205.144
deny from 188.138.101.216
deny from 188.138.113.14
deny from 188.165.197.177
deny from 189.1.162.125
deny from 189.59.8.23
deny from 192.217.104.152
deny from 195.19.173.244
deny from 195.190.28.97
deny from 195.198.236.62
deny from 195.34.173.153
deny from 200.85.152.29
deny from 203.170.85.123
deny from 203.71.2.73
deny from 204.152.255.10
deny from 204.152.255.23
deny from 204.152.255.5
deny from 204.232.242.215
deny from 204.93.165.124
deny from 206.174.209.32
deny from 206.188.208.194
deny from 208.116.44.250
deny from 208.43.95.131
deny from 208.65.200.160
deny from 208.82.116.113
deny from 208.92.165.10
deny from 209.217.76.244
deny from 209.90.115.252
deny from 210.143.110.58
deny from 212.100.249.178
deny from 212.124.121.206
deny from 212.227.52.169
deny from 212.90.148.43
deny from 212.97.132.142
deny from 213.203.199.227
deny from 216.157.21.223
deny from 216.172.163.58
deny from 216.227.215.130
deny from 216.228.195.2
deny from 216.67.248.51
deny from 217.146.86.201
deny from 219.94.163.214
deny from 27.50.118.53
deny from 46.105.99.176
deny from 46.163.118.14
deny from 46.182.105.98
deny from 46.4.26.81
deny from 50.18.112.172
deny from 50.23.215.156
deny from 62.193.235.191
deny from 62.210.185.4
deny from 64.118.88.213
deny from 64.151.202.1
deny from 64.50.161.65
deny from 64.50.172.176
deny from 64.57.252.67
deny from 65.98.89.106
deny from 66.103.128.12
deny from 66.90.104.180
deny from 67.192.48.157
deny from 67.205.67.105
deny from 67.205.96.182
deny from 67.210.96.112
deny from 67.212.80.5
deny from 67.214.213.94
deny from 68.179.32.90
deny from 69.163.186.200
deny from 69.167.135.119
deny from 69.174.53.88
deny from 69.20.9.79
deny from 69.25.109.177
deny from 69.50.193.168
deny from 69.64.69.113
deny from 69.73.154.97
deny from 70.33.254.92
deny from 70.86.16.74
deny from 71.8.242.4
deny from 72.232.240.70
deny from 72.32.11.21
deny from 72.51.46.77
deny from 74.208.144.19
deny from 74.209.214.7
deny from 74.63.243.194
deny from 75.146.178.52
deny from 76.100.161.249
deny from 77.221.130.44
deny from 77.232.91.201
deny from 78.111.81.242
deny from 78.129.226.96
deny from 78.136.29.89
deny from 79.170.192.52
deny from 79.200.4.226
deny from 80.86.184.50
deny from 80.90.198.194
deny from 81.169.142.131
deny from 81.169.167.190
deny from 81.196.196.141
deny from 81.30.152.53
deny from 81.30.65.78
deny from 82.165.154.71
deny from 82.206.126.166
deny from 82.25.208.111
deny from 82.79.171.134
deny from 83.103.119.239
deny from 83.246.67.55
deny from 83.255.89.137
deny from 85.17.182.195
deny from 85.214.115.197
deny from 85.214.137.104
deny from 86.111.247.16
deny from 87.237.213.212
deny from 87.98.254.234
deny from 88.151.241.51
deny from 88.151.65.162
deny from 88.198.144.210
deny from 88.208.234.133
deny from 88.212.146.235
deny from 89.145.121.100
deny from 89.145.121.101
deny from 89.149.202.94
deny from 89.161.143.111
deny from 89.174.234.147
deny from 89.234.3.28
deny from 91.121.14.107
deny from 91.121.151.69
deny from 91.121.175.169
deny from 91.121.184.160
deny from 91.212.12.60
deny from 91.217.56.93
deny from 92.243.8.135
deny from 93.114.41.80
deny from 94.136.92.101
deny from 94.198.160.91
deny from 94.229.76.221
deny from 94.229.79.69
deny from 94.23.209.161
deny from 94.23.215.208
deny from 94.23.6.59
deny from 94.236.125.213
deny from 95.131.66.39
allow from all
The following address has been removed from the list above after the host or webmaster replied to my alert that their server had been hacked:
deny from 69.175.60.114
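The deny list above was compiled by hand from 404 reports. The following script is an added example (not code from the original post) that does the same job from an Apache access log: it picks out requests for timthumb.php or thumb.php under /wp-content/themes/ or /wp-content/plugins/, treats a source that collects several 404s on such paths as a scanner, and emits the deny lines. It also reports any such path that returned 200, because that means a TimThumb copy really exists on the server and needs checking, whoever asked for it. The log lines are constructed for the demonstration and use documentation address ranges; the combined log format is assumed.

```python
"""Pick TimThumb probes out of an Apache access log and build a deny list.

Added example, not code from the original post. It assumes the Apache
combined log format and the probe shape described above: requests under
/wp-content/themes/ or /wp-content/plugins/ for timthumb.php or thumb.php.
A source is treated as a scanner when it collects several 404s on such
paths; a real visitor of a theme that really has TimThumb gets 200s.
"""
import re
from collections import defaultdict

# Constructed sample log lines (documentation address ranges, RFC 5737).
SAMPLE_LOG = """\
203.0.113.44 - - [10/Oct/2011:03:12:45 +0000] "GET /wp-content/themes/ElegantEstate/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Oct/2011:03:12:46 +0000] "GET /wp-content/themes/Nova/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:03:15:01 +0000] "GET /2011/10/hello-world/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:03:15:02 +0000] "GET /wp-content/themes/mytheme/scripts/timthumb.php?src=http://example.org/a.jpg&w=100 HTTP/1.1" 200 9033 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Oct/2011:04:02:10 +0000] "GET /wp-content/plugins/some-plugin/thumb.php HTTP/1.1" 404 512 "-" "libwww-perl/5.8"
garbage line that does not parse
"""

# Apache combined log: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# A probe: timthumb.php or thumb.php anywhere below themes/ or plugins/.
PROBE_RE = re.compile(
    r'^/wp-content/(?:themes|plugins)/(?:[^?]*/)?(?:tim)?thumb\.php(?:\?|$)')


def is_timthumb_probe(path):
    return PROBE_RE.match(path) is not None


def parse_line(line):
    """Return (ip, path, status), or None for lines that are not log records."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group('ip'), m.group('path'), int(m.group('status'))


def scan(log_text):
    """Return (misses_by_ip, present).

    misses_by_ip: ip -> probed paths that returned 404 (scanning activity).
    present: probed paths that returned 200, i.e. TimThumb copies that exist
    on this server and must be checked and updated, whoever requested them.
    """
    misses = defaultdict(list)
    present = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if not is_timthumb_probe(path):
            continue
        if status == 404:
            misses[ip].append(path)
        elif status == 200:
            present.add(path.split('?', 1)[0])
    return dict(misses), sorted(present)


def deny_directives(log_text, min_misses=2):
    """Apache 2.2 .htaccess lines for every source with min_misses or more 404 probes."""
    misses, _ = scan(log_text)
    ips = sorted(ip for ip, paths in misses.items() if len(paths) >= min_misses)
    return ['order allow,deny'] + ['deny from %s' % ip for ip in ips] + ['allow from all']


if __name__ == '__main__':
    print('\n'.join(deny_directives(SAMPLE_LOG)))
    for path in scan(SAMPLE_LOG)[1]:
        print('# live TimThumb copy, check its version:', path)
```

Run it against a real log with `scan(open('access_log').read())`; raise min_misses if ordinary visitors on a theme that has since been cleaned up are producing the odd 404.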
Security Recommendations
Delete any themes and plugins that you no longer use and keep WordPress, all installed themes and all installed plugins up-to-date.
There is a plugin available to scan your WordPress wp-content directory for unpatched versions of TimThumb. Grab it from wordpress.org.
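If you would rather see for yourself what the plugin would find, the script below is an added example (it is not the wordpress.org plugin and not code from the original post). It walks a wp-content tree and reports every PHP file that is called timthumb.php or thumb.php, plus any PHP file whose first 64 KB mentions "timthumb", on the assumption that a copy renamed by a theme author still carries the script's own header comment; a copy with that header stripped would be missed. The sample tree it builds is constructed for the demonstration.

```python
"""Find copies of TimThumb under a wp-content tree, including renamed ones.

Added example; it is not the wordpress.org plugin mentioned above. Besides
the file names the scanners probe for (timthumb.php, thumb.php) it looks
for the word "timthumb" in the first 64 KB of every .php file, assuming a
renamed copy still carries the script's header comment.
"""
import os
import re
import tempfile

NAME_RE = re.compile(r'^(?:tim)?thumb\.php$', re.IGNORECASE)
SIGNATURE_RE = re.compile(rb'timthumb', re.IGNORECASE)
HEAD_BYTES = 64 * 1024


def find_timthumb(wp_content):
    """Return sorted (relative path, matched_by_name, matched_by_content) tuples."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(wp_content):
        for name in filenames:
            if not name.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            by_name = NAME_RE.match(name) is not None
            with open(path, 'rb') as fh:
                by_content = SIGNATURE_RE.search(fh.read(HEAD_BYTES)) is not None
            if by_name or by_content:
                rel = os.path.relpath(path, wp_content).replace(os.sep, '/')
                found.append((rel, by_name, by_content))
    return sorted(found)


def build_sample_tree():
    """Constructed wp-content tree for the demonstration (not a real site)."""
    root = tempfile.mkdtemp(prefix='wp-content-')
    files = {
        'themes/ElegantEstate/timthumb.php': b"<?php\n/*\n * TimThumb script ...\n */\n",
        'themes/mytheme/scripts/thumb.php': b"<?php\n// resizing helper\n",
        'plugins/gallery/lib/resize.php': b"<?php\n// based on timthumb, renamed\n",
        'plugins/gallery/gallery.php': b"<?php\n// plain plugin file\n",
        'uploads/2011/10/photo.jpg': b"\xff\xd8\xff\xe0 not php",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    for rel, by_name, by_content in find_timthumb(build_sample_tree()):
        print('%-45s name=%s content=%s' % (rel, by_name, by_content))
```

Point find_timthumb() at your real wp-content directory; every hit is a file to update to the patched release or delete along with the theme that bundled it.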
Block public access to timthumb.php (and thumb.php) with an .htaccess FilesMatch directive. Copy and paste this block into the .htaccess file in your document root:
<FilesMatch "^(wp-config\.php|install\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|\.htaccess|readme\.txt|timthumb\.php|thumb\.php|error_log|error\.log)">
Deny from all
</FilesMatch>
FilesMatch tests the file name only, not the directory, so the rule applies wherever the file sits. The caret, ^, anchors the pattern to the start of the name ("starts with…"); the parentheses, (), group the alternatives; the backslash before every full-stop makes Apache treat it as a literal dot rather than "any character"; and the pipe, |, separates the alternatives as an "or". Because there is no closing $, a name that merely begins with one of the entries is caught too (timthumb.php.bak, wp-config.php.save), which is usually what you want. On Apache 2.4 without mod_access_compat, replace Deny from all with Require all denied.
The above instruction tells Apache to refuse any request for wp-config.php, install.php, php.ini, php5.ini, readme.html, bb-config.php, .htaccess, readme.txt, timthumb.php, thumb.php, error_log and error.log.
Deny from all refuses every HTTP request for the named files, whether from a bot or a browser; it does not touch the filesystem, so PHP can still include them (wp-config.php keeps working) and you can still read and edit them over SSH or FTP. One trade-off to be clear about: a theme that uses TimThumb has the browser request timthumb.php directly for every thumbnail, so blocking it breaks those thumbnails. Use the block where TimThumb is not needed; where it is, update it to the patched release instead.
Once the rule is in place, Apache answers the probes with a 403 Forbidden ("You don't have permission to access … on this server") instead of a 404, and I have noticed that most scanners give up after the first refusal.
Bootnote
I found a better solution than maintaining a list of IP addresses and bad hosts.
.htaccess rewrite rules that match attack patterns in the request URI and query string can stop many RFI, XSS and SQL injection probes regardless of where they come from. They are pattern matches, so a determined attacker can work around them; treat them as a filter in front of patched software, not as a substitute for updating TimThumb.
Read WordPress Security Hardening Tips here.
What Next?
When possible, I contact website owners and their hosts (if the site owner fails to respond) to alert them to malicious scripts on their servers. Maybe you could do similar to help free the Net of malicious bots.
Suggestions for removing and updating TimThumb are given at WP Service Masters.
If you do think you've been hacked, back up and download your wp-content directory, any files and directories you've created, and your database before deleting everything and re-installing WordPress. Before restoring anything from that backup, compare it against clean copies of the themes and plugins, so you do not put the attacker's files straight back. A good guide to this is found at WP Service Masters.