This morning, I woke up to dozens of e-mails from my websites notifying me about issues. Worst of all, however, was the notification from MediaTemple: we’ve disabled your hosting account because your website is serving as a relay for spam e-mails. Yuck.
Immediately, my mind went to the TimThumb.php issue that was discovered a couple of weeks ago and reported widely throughout the WordPress community, perhaps most notably by WordPress co-founder Matt Mullenweg.
Sure enough, a quick check of the files via FTP revealed that the script had been compromised and other files uploaded to the site. It took only a moment to fix, and big kudos to the MediaTemple support department for the quick response. We were back online within 20 minutes.
Obviously, I knew exactly how to fix the issue. If you are like many people operating self-hosted WordPress sites, then you may not have a clue what to do. I’ll provide some step-by-step instructions below, but this video gets the point across very quickly.
Is Your Site Affected?
As I pointed out in the video clip, not every WordPress site has this vulnerability. The TimThumb.php script is mostly used in more advanced WordPress themes that have features related to dynamically resizing images. The script itself is freely available and can be used by anyone on any website thanks to its GPL 2.0 licensing. How can you tell if your site uses it?
- Look for a file in your WordPress theme’s folder called timthumb.php. If it’s there, you need to fix it.
- All WooThemes utilize the script, although as I pointed out in the video clip they have renamed the file itself to “thumb.php.” WooThemes has created a fix for the issue by moving the thumb.php into their “framework” and allowing you to update the framework to the latest version. Be warned, however, that using this “easy fix” may also break other functions on your site, depending upon what has changed in the Woo framework since your website was built and launched.
How to Replace timthumb.php in Your WordPress Theme
The easiest, safest and fastest way to eliminate this vulnerability from your website without risking breaking other functions is to follow the instructions I outlined in the video clip:
- Download the latest version of TimThumb from its Google Project site.
- Connect to your web server via FTP. In the video clip, I used the free Filezilla client, but any FTP software will do the trick. You may need to obtain the FTP hostname, username and password from your web hosting provider if you don’t already have it handy. You can usually find it by logging into your web hosting control panel. Contact your hosting provider if you get stuck on this.
- Navigate to the affected file. Locate your WordPress installation on your website, then look inside the wp-content folder. From there, go to the themes folder, then locate the name of the folder for the theme you are currently using. It’s a good idea to go ahead and fix any unused themes you have uploaded as well. If you are using a theme from WooThemes, the file is called thumb.php.
- Delete the file. I actually tend to rename things rather than deleting them. This is a good idea if you’re not sure that you have the right file, since you can always rename it back to the correct file name if you need to put it back.
- Upload the new version. Keep in mind that the actual name of the file needs to match the name of the one you deleted. In most cases, the file will just be called timthumb.php and will be fine when you upload it. If you have a WooTheme, make sure to rename it to thumb.php.
- Test. Usually, just refreshing whatever page on your site uses the script will tell you if it’s working. For WooThemes that use sliders on the home page, just refresh the home page. Every theme is different, however, so click around the site, refreshing each page as you go, to be sure everything went according to plan.
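The same replacement procedure, scripted for anyone who has shell access to the server rather than just FTP, as an added example that is not part of the original post or of TimThumb itself. It assumes the fresh copy has already been downloaded to a path you pass as the second argument, walks every theme folder (active or not) for timthumb.php and thumb.php, renames any copy that differs from the reference to *.old instead of deleting it, and drops the new copy in under the original file name. Only POSIX tools (find, cmp, mv, cp, mktemp) are used; the demo tree it builds when run without arguments is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not the post's or TimThumb's own code): replace every stale
# timthumb.php / thumb.php under a wp-content/themes tree with a reference copy.
# Usage: sh replace_timthumb.sh /path/to/wp-content/themes /path/to/downloaded/timthumb.php

# Print the path of every candidate script under the themes directory,
# covering every theme, not just the active one.
find_timthumb_copies() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \)
}

# Compare each copy byte-for-byte with the reference file. Matching copies are
# reported as "ok"; differing ones are renamed to <name>.old (so they can be
# restored if the wrong file was touched) and replaced by the reference copy
# under the original name, so a WooThemes thumb.php stays thumb.php.
replace_timthumb() {
    themes_dir=$1
    ref=$2
    find_timthumb_copies "$themes_dir" | while IFS= read -r f; do
        if cmp -s "$f" "$ref"; then
            echo "ok $f"
        else
            mv "$f" "$f.old"   # rename rather than delete
            cp "$ref" "$f"     # new copy keeps the original file name
            echo "replaced $f"
        fi
    done
}

# Build a constructed themes tree for demonstration: two stale copies (one
# under a WooThemes-style thumb.php name) and one already up to date.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/reference" "$root/themes/woo-theme" \
             "$root/themes/other-theme/lib" "$root/themes/clean-theme"
    printf '<?php // constructed: reference copy\n' > "$root/reference/timthumb.php"
    printf '<?php // constructed: stale copy\n'     > "$root/themes/woo-theme/thumb.php"
    printf '<?php // constructed: stale copy\n'     > "$root/themes/other-theme/lib/timthumb.php"
    cp "$root/reference/timthumb.php" "$root/themes/clean-theme/timthumb.php"
    echo "$root"
}

# Run against a real tree when given two arguments; otherwise demonstrate on the constructed one.
if [ "$#" -eq 2 ]; then
    replace_timthumb "$1" "$2"
else
    demo=$(make_demo_tree)
    replace_timthumb "$demo/themes" "$demo/reference/timthumb.php"
fi
```

Run it a second time and every copy reports "ok", which is a quick way to confirm nothing was missed; the *.old files are the ones to download and inspect, then delete once the site is confirmed working.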
I use MediaTemple as well and got the same email this morning that two of my sites had been shut down due to being compromised by TimThumb. I have not found it as easy as just updating my thumb.php files.
I have updated all the thumb.php files (I use WooThemes) on my server (active and non-active) and deleted all the extra files that had been maliciously created d.php, ru1.php, sm3.php, and wp.php. I found some malicious code in one of my wp-config.php files and deleted it. I have changed username and passwords for all my server’s databases. I keep deleting the malicious code that was generated in all of my server’s .htaccess files via the MediaTemple Account Center and the code reappears immediately after I save the changes. So even after all of this, my site is still compromised and not yet in a position where MediaTemple will bring it back online.
I’m working with both WooTheme’s and MediaTemple support and we’ve yet to get it resolved. I’ve even been going through my server to inspect the legitimacy of different instances of base64 code.
If anyone has any additional suggestions, that would be great! Anyone who hasn’t yet been affected by this and is vulnerable, by all means take the time now to update your timthumb.php and thumb.php files. I have learned the hard way for sure that I should have been better about keeping my site’s custom code backed-up and should have taken all the warnings from WooThemes and WordPress more seriously!
-Mark
Hey Mark,
Thanks for the additional info about your specific situation. We had to delete files that were in the same folder(s) as the thumb.php files as well.
On another server, however, we discovered a significant number of php scripts residing inside the ‘cache’ folder used by the timthumb script. In the WooThemes installations, this is the
yoursite.com/wp-content/themes/yourthemename/cache
folder. It may be worth peeking in there to see what’s happening. That folder can be safely emptied without concern. One thought: if you find php scripts in there (there shouldn’t ordinarily be any in that folder), rename them and download them to take a look. That may lend some insight into what they’re doing.
Also: have you tried downloading the .htaccess files to your computer via FTP? Perhaps editing them with a good text editor (such as PSPad) and then reuploading them will yield different results. Also, you can be pretty aggressive about setting security restrictions on the .htaccess files themselves. (644 may be a good place to start.)
Hope this helps! Please keep us posted…
Thanks David for your thorough response!
I finally got things fixed. Via the MediaTemple Account Center I was able to rename the .htaccess files, upload blank .txt files and rename them .htaccess. I then went back in via FTP and deleted the inactive, renamed .htaccess files.
I also had to go back in and update some additional thumb.php and timthumb.php files on other sites on my server before MediaTemple would reactivate my two compromised sites.
MediaTemple support was great and I enjoyed their hold music.
Also, after I read your comment I went back to check and make sure the cache folders hadn’t been compromised. Luckily, they were clear. Thank you for the suggestion.
We’re struggling as well with the WooThemes/thumb.php issue.
I had a question regarding the cache files. I have a lot of txt files that come back once I visit the site. Are those supposed to be there? Inside the file is the line // // (without the // obviously).
Is that ok to be in there?
Hi Samuel,
I’m guessing that our site blocked the code that you were trying to show us, but it’s probably something like
<?php die('Execution denied!'); //jpg
…. etc. Those text files are normal and nothing to worry about. You should also see .jpg files in that cache folder if the script has been doing its job. There will typically be an index.html file (size: 0 bytes) as well. The contents of this folder should change frequently. If you start seeing files in there with a .php extension then it’s time to be concerned.
Hope this helps!
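The cache-folder check described in the two replies above (empty the folder freely, expect .txt entries, .jpg files and a zero-byte index.html, treat any .php file as a problem), as an added example that is not part of the original post or of TimThumb itself. It assumes the WooThemes layout mentioned earlier, wp-content/themes/yourthemename/cache, but takes any folder as its argument; the sample cache it builds when run without arguments is constructed here, including a stand-in for a dropped script named after one of the files mentioned in the comments.

```shell
#!/bin/sh
# Added example (not the post's or TimThumb's own code): audit a TimThumb cache
# folder and set aside any .php files for inspection.
# Usage: sh audit_cache.sh /path/to/wp-content/themes/yourthemename/cache

# Classify every regular file in the cache folder:
#   normal     - the .txt cache entries, .jpg output, or an empty index.html
#   suspect    - a .php file, which should never be in this folder
#   unexpected - anything else (including a non-empty index.html)
audit_timthumb_cache() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            *.php)        echo "suspect $f" ;;
            *.txt|*.jpg)  echo "normal $f" ;;
            */index.html)
                if [ -s "$f" ]; then echo "unexpected $f (index.html should be 0 bytes)"
                else echo "normal $f"; fi ;;
            *)            echo "unexpected $f" ;;
        esac
    done
}

# Rename each .php file to <name>.suspect, as the reply suggests, so it can be
# downloaded and examined instead of being deleted outright.
quarantine_suspects() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        mv "$f" "$f.suspect"
        echo "renamed $f -> $f.suspect"
    done
}

# Build a constructed cache folder for demonstration: three .txt entries with
# the header the reply quotes, one .jpg, an empty index.html, a stray data file,
# and one .php stand-in.
make_demo_cache() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 3 ]; do
        printf "<?php die('Execution denied!'); //\n" > "$d/entry$i.txt"
        i=$((i + 1))
    done
    printf 'constructed image bytes' > "$d/entry1.jpg"
    : > "$d/index.html"
    printf 'constructed leftover' > "$d/leftover.dat"
    printf '<?php // constructed stand-in for a dropped script\n' > "$d/ru1.php"
    echo "$d"
}

# Audit a real folder when given an argument; otherwise demonstrate on the constructed one.
if [ "$#" -ge 1 ]; then
    audit_timthumb_cache "$1"
else
    demo=$(make_demo_cache)
    audit_timthumb_cache "$demo"
    quarantine_suspects "$demo"
fi
```

Because the folder's contents are expected to change often, a single clean audit is not proof; running it again after visiting the site a few times shows whether scripts are being re-created, which is the symptom Mark describes with his .htaccess files.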
I have one question can I erase my cache folder completely ?
Hi Tabi,
You can safely erase the contents of the cache folder used by the TimThumb script, but the folder itself needs to remain intact. The script needs the folder to write files temporarily. Hope this helps!