{"id":3362,"date":"2011-11-22T16:15:22","date_gmt":"2011-11-22T23:15:22","guid":{"rendered":"http:\/\/www.ait-pro.com\/aitpro-blog\/?p=3362"},"modified":"2012-01-16T06:27:58","modified_gmt":"2012-01-16T13:27:58","slug":"timthumb-hack-timthumb-finder-timthumb-remover-timthumb-cleaner-timthumb-exploit","status":"publish","type":"post","link":"https:\/\/www.ait-pro.com\/aitpro-blog\/3362\/misc-projects\/wordpress-tips-tricks-fixes\/timthumb-hack-timthumb-finder-timthumb-remover-timthumb-cleaner-timthumb-exploit\/","title":{"rendered":"TimThumb Hack &#8211; TimThumb Finder, TimThumb Remover, TimThumb Cleaner, TimThumb Exploit, TimThumb Vulnerability"},"content":{"rendered":"<h2><span style=\"color: #000066;\">As of BPS Pro 5.1.3 and BPS Free .46.8 new security filters were added that allow all internal requests for image files and will Forbid all external RFI hacking attempts to exploit all versions of the TimThumb scripts.<\/span><\/h2>\n<h2><span style=\"color: #000066;\">Search your entire website &#8211; All Themes and all Plugins in less than 1 minute to see if you have the old exploitable version of the timthumb.php script on your website. \u00a0This is just one example use of what you can do with the BPS Pro String Finder Tool. \u00a0The String Finder Tool is designed to find any text, code, hackers' code, etc. (strings) in your files throughout your entire website.<\/span><\/h2>\n<p>If you are not using BPS Pro and you are just looking for a TimThumb Vulnerability Scanner this WordPress plugin looks really good &gt;&gt;&gt; <span style=\"color: #000066;\"><strong>Timthumb Vulnerability Scanner &gt;&gt;&gt; http:\/\/wordpress.org\/extend\/plugins\/timthumb-vulnerability-scanner\/.<\/strong><\/span><\/p>\n<h2><span style=\"color: #000066;\">The screenshot below shows a search for the hackable \u201cbad\u201d TimThumb.php script using one of the strings in the exploitable timthumb.php script &#8211; &#8220;picasa.com&#8221;.
\u00a0For BPS Pro users &#8211; Go to &gt;&gt;&gt; &#8220;Steps to Finding the hackable timthumb.php file on your website.&#8221;<\/span><\/h2>\n<p>BPS Pro String Finder search below shows Search Results for the string search \u201cpicasa.com\u201d \u2013 one of the strings that indicate you have a hackable timthumb.php script on your website. \u00a0The other string search terms you could use would be flickr.com,\u00a0blogger.com,\u00a0wordpress.com,\u00a0img.youtube.com and\u00a0upload.wikimedia.org, but really just the string search \u201cpicasa.com\u201d will show you the file path to where the bad hackable Timthumb.php script is located. \u00a0You can then manually replace it or if you wanted to use the String Replacer \/ Remover Pro-Tool you could just remove the hackable code. We recommend replacing the entire timthumb.php hackable file with a new timthumb.php file. \u00a0This example is showing results of hacking attempts against the AITpro website in the HTTP Error log file and not file paths to hackable Timthumb.php files. If you had \u201cbad\u201d or hackable TimThumb.php files then you would see the path to those files in the String Finder Search Results window. 
\u00a0The search window has been chopped to not show the full 10,000 hacking attempts against the AITpro website logged in the HTTP Error log otherwise this image file would be very large.<\/p>\n<p><a href=\"http:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2011\/11\/pro-tools-string-finder-timthumb-search.png\" rel=\"lightbox[3362]\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3363\" style=\"border-width: 2px; border-color: #000066; border-style: solid;\" title=\"BPS Pro - Pro-Tools - String Finder - timthumb.php Hack\" src=\"http:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2011\/11\/pro-tools-string-finder-timthumb-search-210x300.png\" alt=\"BPS Pro - Pro-Tools - String Finder - timthumb.php Hack\" width=\"210\" height=\"300\" srcset=\"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2011\/11\/pro-tools-string-finder-timthumb-search-210x300.png 210w, https:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2011\/11\/pro-tools-string-finder-timthumb-search-717x1024.png 717w, https:\/\/www.ait-pro.com\/aitpro-blog\/wp-content\/uploads\/2011\/11\/pro-tools-string-finder-timthumb-search.png 1261w\" sizes=\"auto, (max-width: 210px) 100vw, 210px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"color: #000066;\">Steps to Finding the hackable timthumb.php file on your website.<\/span><\/h2>\n<p><span style=\"color: #000066;\"><span style=\"font-size: large;\"><strong>1. \u00a0<\/strong><\/span>Go to Pro-Tools<\/span><\/p>\n<p><span style=\"color: #000066;\"><span style=\"font-size: large;\"><strong>2.<\/strong> \u00a0<\/span>Click on the String Finder Menu Tab<\/span><\/p>\n<p><span style=\"color: #000066;\"><span style=\"font-size: large;\"><strong>3. \u00a0<\/strong><\/span>Enter &#8220;picasa.com&#8221; in the\u00a0<strong>Search String: <\/strong>text window<\/span><\/p>\n<p><span style=\"color: #000066;\"><span style=\"font-size: large;\"><strong>4. 
\u00a0<\/strong><\/span>Copy your\u00a0<strong>Website Root Path: <\/strong>\u00a0displayed to you and add the <strong>\/wp-content\/<\/strong> folder path to the end of the search path.<\/span><\/p>\n<p><span style=\"color: #000066;\">\u00a0Example: \u00a0\/home\/content\/xx\/xxxxxx\/html\/wp-content\/<\/span><\/p>\n<p><span style=\"color: #000066;\"><span style=\"font-size: large;\"><strong>5.<\/strong> \u00a0<\/span>Click the Find String button.<\/span><\/p>\n<p>You should see Search Results returned for your BPS Pro HTTP Error Log. \u00a0You can disregard these. \u00a0These search results are just displaying all the hacking attempts that were made on your website and that were logged in your BPS Pro HTTP Error Log. \u00a0If you see any paths to Theme files or Plugin files then make a note of the location and replace those bad timthumb.php, thumb.php, thumbs.php or phpthumb.php files with a new timthumb.php script. \u00a0We have the latest TimThumb.php script already edited and ready to use. \u00a0Please send an email to info@ait-pro.com and we will email it to you. \u00a0Or you can download the new timthumb.php script here &gt;&gt;&gt;\u00a0http:\/\/code.google.com\/p\/timthumb\/ and then click on the<strong>\u00a0Grab the code from here:<\/strong> link to download the new timthumb.php file \/ script.<\/p>\n<p><strong>IMPORTANT NOTES: \u00a0<\/strong><\/p>\n<p>The new TimThumb.php script still contains the External Sites listed in the file. \u00a0Be sure to change &gt;&gt;&gt; if(! defined(&#8216;ALLOW_EXTERNAL&#8217;) ) define (&#8216;ALLOW_EXTERNAL&#8217;, false); &gt;&gt;&gt; from true to false. \u00a0You will find the Image fetching and caching settings at Code Lines 31-33.<\/p>\n<pre>\/\/ Image fetching and caching\r\n\/\/ Allow image fetching from external websites.\r\n\/\/ Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false\r\nif(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', false);\r\nif(! 
defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false);\t\/\/ true is less secure.\r\n<\/pre>\n<p>And at Code Lines 114-126 you will find the Allowed Sites array.<\/p>\n<pre>\/\/ If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false,\r\n\/\/ then external images will only be fetched from these domains and their subdomains.\r\nif(! isset($ALLOWED_SITES)){\r\n\t$ALLOWED_SITES = array (\r\n\t\t\t'flickr.com',\r\n\t\t\t'picasa.com',\r\n\t\t\t'img.youtube.com',\r\n\t\t\t'upload.wikimedia.org',\r\n\t\t\t'photobucket.com',\r\n\t\t\t'imgur.com',\r\n\t\t\t'imageshack.us',\r\n\t\t\t'tinypic.com'\r\n\t);\r\n}\r\n<\/pre>\n<p>As you can see, the new Timthumb.php script also contains the &#8220;picasa.com&#8221; string in it. \u00a0So after you have replaced all of your TimThumb.php files, you could do String searches for &#8220;ALLOW_ALL_EXTERNAL_SITES&#8221; or &#8220;ALLOW_EXTERNAL&#8221; instead. If you want to find only the new TimThumb.php file you could search for this string \u00a0<strong>&#8220;If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false&#8221;<\/strong> which will only return search results for the new TimThumb.php file. \u00a0Or if you want to search for just the old TimThumb.php script then this search string identifies just the old TimThumb.php script file\u00a0<strong>&#8220;allow external website (override security precaution)&#8221;.<\/strong><\/p>\n<p>Another very important point is that the TimThumb.php file can be renamed to phpThumb.php, Thumb.php or Thumbs.php.
\u00a0All of these other thumbnailer scripts are derived from the TimThumb.php file, so renaming TimThumb.php to the actual name of your thumbnailer script and replacing it works perfectly fine without having to do anything else (if you are downloading TimThumb.php from the code.google site then be sure to edit it by changing true to false as stated above). \u00a0Simply delete the old thumbnailer script from your website, upload the new TimThumb.php script to the exact same folder location the old deleted script was in, and if you need to rename the TimThumb.php file, just rename it to whatever your old thumbnailer script file name was.<\/p>\n<p>Or you could always use the String Replacer \/ Remover tool as well to just remove the dangerous part of the code, but in the case of the TimThumb.php file issue it is best to just replace the entire file. \u00a0The String Replacer \/ Remover is designed more for removing hackers' code from multiple files at the same time. \u00a0A File Finder and Replacer is coming in future versions of BPS Pro &#8211; search and find files by modified date, name and other identifying characteristics.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As of BPS Pro 5.1.3 and BPS Free .46.8 new security filters were added that allow all internal requests for image files and will Forbid all external RFI hacking attempts to exploit all versions of the TimThumb scripts. 
Search your entire website &#8211; All Themes and all Plugins in less than 1 minute to see [&hellip;]<\/p>\n","protected":false},"author":167,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[13],"tags":[448,444,442,445,443,446,441,447,449],"class_list":["post-3362","post","type-post","status-publish","format-standard","hentry","category-wordpress-tips-tricks-fixes","tag-timthumb-cleaner","tag-timthumb-code-finder","tag-timthumb-exploit","tag-timthumb-exploit-finder","tag-timthumb-file-finder","tag-timthumb-finder","tag-timthumb-hack-fix","tag-timthumb-remover","tag-timthumb-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/3362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/users\/167"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/comments?post=3362"}],"version-history":[{"count":0,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/3362\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/media?parent=3362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/categories?post=3362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/tags?post=3362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}