As most WordPress bloggers and site owners and administrators will already be aware, the TimThumb script that is popularly used for resizing images to create thumbnails for WordPress themes and plugins has a security vulnerability that allows hackers an easy ride into websites.
The vulnerability was made public at the beginning of August and was patched almost as soon as it was announced. However, I’ve noticed an increasing number of crawls of sites I manage by scripts looking for themes and plugins that use timthumb.php. These crawls produce 404 error reports in both the SEO Ultimate and Redirection plugins because the files the bots are hunting for do not exist on my servers. In every case, the crawler scanned the directories /wp-content/themes/ and /wp-content/plugins/.
10th Nov. 2011: Please see Bootnote for the best solution.
Scanned Themes and Directories
It looks like the bots are aimlessly scanning for any theme or plugin that might contain timthumb.php (or its alias, thumb.php).
The first scans hit the following directories:
pbv_multi/scripts/timthumb.php
magazinum/scripts/timthumb.php
mypage/scripts/timthumb.php
PersonalPress2/timthumb.php
ElegantEstate/timthumb.php
zenkoreviewRD/scripts/timthumb.php
primely-theme/scripts/timthumb.php
Bold4/timthumb.php
echoes/timthumb.php
arthem-mod/scripts/timthumb.php
manifesto/scripts/timthumb.php
omni-shop/timthumb.php
versatile/timthumb.php
ArtSee/timthumb.php
Aggregate/timthumb.php
Modest/timthumb.php
Glow/timthumb.php
Quadro/timthumb.php
WhosWho/timthumb.php
Wooden/timthumb.php
StudioBlue/timthumb.php
TheSource/timthumb.php
MyResume/timthumb.php
Polished/timthumb.php
Minimal/timthumb.php
TheCorporation/timthumb.php
eVid/timthumb.php
eNews/timthumb.php
Nova/timthumb.php
AskIt/timthumb.php
OnTheGo/timthumb.php
TheProfessional/timthumb.php
eStore/timthumb.php
Bold/timthumb.php
DelicateNews/timthumb.php
DeepFocus/timthumb.php
SimplePress/timthumb.php
PersonalPress/timthumb.php
nool/timthumb.php
TheStyle/timthumb.php
IPs To Block
Place the following Apache directive into the .htaccess file in your server’s root directory. It tells your server to deny requests emanating from the stated IP addresses (updated 20th Oct. 2011):
order allow,deny
deny from 188.8.131.52
deny from 184.108.40.206
deny from 220.127.116.11
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
allow from all
The following IP addresses have been removed from the above list in response to host and webmaster replies to my alerting them that their servers have been hacked.
deny from 188.8.131.52
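As an added example (not from the original post), here is a Python script that pulls the timthumb.php/thumb.php probes described above out of Apache access-log lines, groups them by client address and renders the scanning clients in the order/deny syntax the post uses (Apache 2.2 style; Apache 2.4 expresses the same thing with Require). The log lines are constructed, and the paths and addresses in them are hypothetical.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (not real traffic); the
# 404s mirror the probes for timthumb.php described in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2011:10:01:02 +0000] "GET /wp-content/themes/Nova/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2011:10:01:03 +0000] "GET /wp-content/themes/eStore/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2011:10:01:04 +0000] "GET /wp-content/plugins/gallery/thumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Oct/2011:10:05:00 +0000] "GET /2011/10/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Oct/2011:10:05:01 +0000] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Oct/2011:10:07:00 +0000] "GET /wp-content/themes/Bold/timthumb.php?src=x HTTP/1.1" 200 2048 "-" "-"
"""

# Client IP, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# timthumb.php or its thumb.php alias anywhere under themes/ or plugins/.
PROBE_RE = re.compile(r'^/wp-content/(themes|plugins)/.*/(tim)?thumb\.php(\?|$)', re.I)

def find_timthumb_probes(log_text, min_hits=2):
    """Map client IP -> list of (path, status) for clients making at least
    min_hits probe requests. A 404 is a scan for a file you do not have;
    a 200 means a copy of the script really exists and must be checked."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.match(m.group("path")):
            hits[m.group("ip")].append((m.group("path"), int(m.group("status"))))
    return {ip: reqs for ip, reqs in hits.items() if len(reqs) >= min_hits}

def served_copies(log_text):
    """Paths where a probe got a 200: real timthumb.php files to update or remove."""
    return sorted({p for reqs in find_timthumb_probes(log_text, 1).values()
                   for p, status in reqs if status == 200})

def deny_directives(probes):
    """Render the scanning clients as the .htaccess lines used in the post."""
    body = "\n".join(f"deny from {ip}" for ip in sorted(probes))
    return f"order allow,deny\n{body}\nallow from all"

if __name__ == "__main__":
    probes = find_timthumb_probes(SAMPLE_LOG)
    print(deny_directives(probes))
    print("existing copies to patch:", served_copies(SAMPLE_LOG))
```

Run it over your own access log instead of SAMPLE_LOG; a client seen once (192.0.2.44 here) is kept out of the deny list by the min_hits threshold, while any 200 response is the more urgent finding.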
Delete any themes and plugins that you no longer use and keep WordPress, all installed themes and all installed plugins up-to-date.
There is a plugin available to scan your WordPress wp-content directory for unpatched versions of TimThumb. Grab it from wordpress.org.
Block public access to timthumb.php (and thumb.php) with an .htaccess FilesMatch directive. Copy and paste this directive into your topmost .htaccess file:
<FilesMatch "^(wp-config\.php|install\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|\.htaccess|readme\.txt|timthumb\.php|thumb\.php|error_log|error\.log)">
Deny from all
</FilesMatch>
The caret, ^, tells Apache to match only file names that start with one of the listed names; the parentheses, (), group the list of names; the backslash before every full-stop tells Apache to treat the full-stop as a literal character (rather than as a wildcard for any single character); and the pipe, |, separates the alternatives, meaning “OR”.
The above instruction tells Apache to refuse any request to view wp-config.php, install.php, php.ini, php5.ini, readme.html, bb-config.php, .htaccess, readme.txt, timthumb.php, thumb.php, error_log and error.log.
Using the above snippet in .htaccess stops anyone but the server itself (code running as the Apache user or group) from fetching the stated files over HTTP. This means bots can’t view them, surfers can’t use them and you may only view them while logged into your server and using its own file browser or an FTP program. Bear in mind that a theme which still generates its thumbnails through timthumb.php loses them once the script is blocked, so update or remove the script first in that case.
Once added, you will notice that most attempts to find timthumb.php cease after the first occurrence, because of the 403 “Forbidden” (“You do not have permission to view this file”) response that Apache returns.
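To see exactly what the FilesMatch pattern above does and does not catch, here is an added Python check (not part of the original post) that applies the same regular expression to the basename of a set of constructed request paths, the way Apache does; the file names are made up for the demonstration.

```python
import re

# The exact pattern from the FilesMatch directive above. Apache tests it against
# the requested file's basename only (query string stripped), and the regex is
# case-sensitive unless it is prefixed with (?i).
FILESMATCH = re.compile(
    r"^(wp-config\.php|install\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php"
    r"|\.htaccess|readme\.txt|timthumb\.php|thumb\.php|error_log|error\.log)"
)

def is_denied(request_path):
    """True if the FilesMatch rule would answer 403 Forbidden for this request."""
    basename = request_path.split("?", 1)[0].rsplit("/", 1)[-1]
    return FILESMATCH.search(basename) is not None

# Constructed request paths with the outcome the directive produces for each.
CHECKS = {
    "/wp-content/themes/Nova/timthumb.php?src=x": True,   # blocked, as intended
    "/wp-content/themes/Nova/thumb.php": True,            # the alias is blocked too
    "/wp-config.php": True,
    "/.htaccess": True,
    "/wp-content/themes/Nova/timthumb.php.bak": True,     # no trailing $, so backups are denied as well
    "/wp-content/themes/Nova/TimThumb.php": False,        # different case: not matched
    "/wp-content/themes/Nova/my-timthumb.php": False,     # ^ anchors to the start of the name
    "/wp-content/themes/Nova/style.css": False,
}

def run_checks():
    """Evaluate every constructed path; the result should equal CHECKS."""
    return {path: is_denied(path) for path in CHECKS}
```

The two False cases that involve timthumb.php show the limits of the rule: only a request whose file name begins exactly with the lowercase name is refused.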
Bootnote
I have found a better solution than blocking individual IP addresses and bad hosts: .htaccess rewrite rules can be used to block many RFI, XSS and SQL injection attacks.
When possible, I contact website owners and their hosts (if the site owner fails to respond) to alert them to malicious scripts on their servers. Maybe you could do similar to help free the Net of malicious bots.
Suggestions for removing and updating TimThumb are given at WP Service Masters.
If you do think you’ve been hacked, then back up and download your wp-content directory, any files and directories you’ve created, and your database before deleting everything and re-installing WordPress. A good guide to this is found at WP Service Masters.