
TimThumb Hack – TimThumb Finder, TimThumb Remover, TimThumb Cleaner, TimThumb Exploit, TimThumb Vulnerability

Author: AITpro Admin
Published: November 22, 2011
Updated: January 16, 2012

As of BPS Pro 5.1.3 and BPS Free .46.8, new security filters were added that allow all internal requests for image files and forbid all external RFI (remote file inclusion) hacking attempts to exploit all versions of the TimThumb scripts.

Search your entire website (all Themes and all Plugins) in less than 1 minute to see whether you have the old exploitable version of the timthumb.php script on your website. This is just one example of what you can do with the BPS Pro String Finder Tool. The String Finder Tool is designed to find any text, code, hackers' code, etc. (strings) in your files throughout your entire website.

If you are not using BPS Pro and you are just looking for a TimThumb Vulnerability Scanner, this WordPress plugin looks really good >>> Timthumb Vulnerability Scanner >>> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/.

The screenshot below shows a search for the hackable “bad” TimThumb.php script using one of the strings found in the exploitable timthumb.php script, “picasa.com”. For BPS Pro users, go to >>> “Steps to Finding the hackable timthumb.php file on your website.”

The BPS Pro String Finder search below shows Search Results for the string search “picasa.com”, one of the strings that indicate you have a hackable timthumb.php script on your website. Other string search terms you could use are flickr.com, blogger.com, wordpress.com, img.youtube.com and upload.wikimedia.org, but the single string search “picasa.com” is enough to show you the file path to where the bad, hackable Timthumb.php script is located. You can then replace it manually, or, if you wanted to use the String Replacer / Remover Pro-Tool, you could just remove the hackable code. We recommend replacing the entire hackable timthumb.php file with a new timthumb.php file. Note that this example shows results of hacking attempts against the AITpro website recorded in the HTTP Error log file, not file paths to hackable Timthumb.php files. If you had “bad” or hackable TimThumb.php files, you would see the paths to those files in the String Finder Search Results window. The search window has been cropped so that it does not show the full 10,000 hacking attempts against the AITpro website logged in the HTTP Error log; otherwise this image file would be very large.

BPS Pro - Pro-Tools - String Finder - timthumb.php Hack


Steps to Finding the hackable timthumb.php file on your website.

1.  Go to Pro-Tools

2.  Click on the String Finder Menu Tab

3.  Enter “picasa.com” in the Search String: text window

4.  Copy the Website Root Path displayed to you and add the /wp-content/ folder path to the end of the search path.

 Example:  /home/content/xx/xxxxxx/html/wp-content/

5.  Click the Find String button.

You should see Search Results returned for your BPS Pro HTTP Error Log. You can disregard these: they are just displaying all the hacking attempts that were made on your website and logged in your BPS Pro HTTP Error Log. If you see any paths to Theme files or Plugin files, make a note of the location and replace those bad timthumb.php, thumb.php, thumbs.php or phpthumb.php files with a new timthumb.php script. We have the latest TimThumb.php script already edited and ready to use. Please send an email to info@ait-pro.com and we will email it to you. Or you can download the new timthumb.php script here >>> http://code.google.com/p/timthumb/ and then click on the Grab the code from here: link to download the new timthumb.php file / script.

IMPORTANT NOTES:  

The new TimThumb.php script still contains the External Sites listed in the file. Be sure to change >>> if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', false); >>> from true to false so that it reads as shown. You will find the Image fetching and caching settings at Code Lines 31-33.

//Image fetching and caching
// Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false
if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', false);
if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false);	// true is less secure.

And at Code Lines 114-126 you will find the Allowed Sites array.

// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
	$ALLOWED_SITES = array (
			'flickr.com',
			'picasa.com',
			'img.youtube.com',
			'upload.wikimedia.org',
			'photobucket.com',
			'imgur.com',
			'imageshack.us',
			'tinypic.com'
	);
}

As you can see, the new Timthumb.php script also contains the “picasa.com” string, so after you have replaced all of your TimThumb.php files you could do string searches for “ALLOW_ALL_EXTERNAL_SITES” or “ALLOW_EXTERNAL” instead. If you want to find only the new TimThumb.php file, search for the string “If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false”, which will only return search results for the new TimThumb.php file. If you want to search for just the old TimThumb.php script, the search string “allow external website (override security precaution)” identifies just the old TimThumb.php script file.

Another very important point is that the TimThumb.php file can be renamed to phpThumb.php, Thumb.php or Thumbs.php. The TimThumb.php file is where all these other thumbnailer scripts are derived from, so renaming TimThumb.php to the actual name of your thumbnailer script and replacing it works perfectly fine without having to do anything else (if you are downloading TimThumb.php from the code.google site, be sure to edit it by changing true to false as stated above). Simply delete the old thumbnailer script from your website, upload the new TimThumb.php script to the exact same folder location the old deleted script was in, and, if you need to rename it, rename the TimThumb.php file to whatever your old thumbnailer script file name was.
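As an added example (not part of the original post and not BPS Pro code), a small Python scanner that applies the checks described above: it walks a wp-content tree looking for the thumbnailer file names listed, uses the two marker strings to tell the old exploitable script from the rewritten one, and flags a rewritten copy whose ALLOW_EXTERNAL define was left at true. The file paths and PHP snippets it writes into a temporary directory are constructed samples, not real TimThumb code.

```python
import os
import re
import tempfile

# Thumbnailer file names the post says are derived from TimThumb.
THUMBNAILER_NAMES = {"timthumb.php", "thumb.php", "thumbs.php", "phpthumb.php"}
# Marker strings quoted in the post: old exploitable script / rewritten script.
OLD_MARKER = "allow external website (override security precaution)"
NEW_MARKER = "If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false"
ALLOW_EXTERNAL_RE = re.compile(  # boolean passed to define('ALLOW_EXTERNAL', ...)
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(true|false)\s*\)", re.I)

def classify(source):
    # Sort one thumbnailer script into the cases the post describes.
    if OLD_MARKER in source:
        return "old-vulnerable"                 # replace the whole file
    if NEW_MARKER in source:
        m = ALLOW_EXTERNAL_RE.search(source)
        if m and m.group(1).lower() == "true":
            return "new-allow-external-true"    # current build, flag still on
        return "new-hardened"
    return "unknown"                            # neither marker present

def scan(root):
    # Walk a wp-content tree and classify every thumbnailer-named file.
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in THUMBNAILER_NAMES:
                with open(os.path.join(dirpath, name), encoding="utf-8",
                          errors="replace") as fh:
                    findings[os.path.relpath(fh.name, root)] = classify(fh.read())
    return findings

# Constructed sample files standing in for one theme and two plugins.
SAMPLES = {
    "themes/old-theme/timthumb.php": "<?php\ndefine ('ALLOW_EXTERNAL', TRUE); // " + OLD_MARKER,
    "plugins/gallery/thumb.php": "<?php\n// " + NEW_MARKER + ",\ndefine ('ALLOW_EXTERNAL', true);",
    "plugins/slider/phpthumb.php": "<?php\n// " + NEW_MARKER + ",\ndefine ('ALLOW_EXTERNAL', false);",
}

def demo():
    # Write the samples into a temporary wp-content tree and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan(root)
```

Point scan() at a real wp-content directory to get the same path-to-verdict mapping the String Finder search produces by hand; any "old-vulnerable" or "new-allow-external-true" entry is a file to replace or edit.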

Or you could always use the String Replacer / Remover tool as well to just remove the dangerous part of the code, but in the case of the TimThumb.php file issue it is best to just replace the entire file.  The String Replacer / Remover is designed more for removing hackers code from multiple files at the same time.  A File Finder and Replacer is coming in future versions of BPS Pro – search and find files by modified date, name and other identifying characteristics.
