Cleaning Up the TimThumb Hack

Several of my websites were hacked this week using the TimThumb exploit. The issue has been known for a couple weeks now.

Although I had updated the majority of sites and had notified former clients, I still hadn’t gotten to some of the smaller sites yet, like my girlfriend’s food blog.

And word to the wise, your girlfriend’s food blog should always be top priority.

Hackers are using a variety of techniques to hijack WordPress sites right now, but this is how I cleaned up the ones on my server.

Make a Backup of Everything

Common sense, but worth mentioning again. You never know when you might accidentally delete a directory you need or wipe part of the database. Most cPanel installs will let you easily export a copy of the database. And it’s a lot easier to download a second copy of your files than to rebuild them all from scratch.

Get Shell Access to Your Host

If you only have one site, this may not be necessary. But I have over twenty WordPress installs running on my server and I wanted to find all the files that were compromised and fix them quickly. Most hosts offer shell access. With BlueHost, I just had to go into my control panel and enable it.

Here are BlueHost’s instructions for setting up shell access and for logging in via shell.

Fix TimThumb Vulnerability

You can download the latest version of TimThumb with the security fixes here: http://timthumb.googlecode.com/svn/trunk/timthumb.php (Just save the file out).

Replace any instances of timthumb.php on your server with the new version. WooThemes used the name “thumb.php” for this file, so you should also look for that.

If you have shell access you can do a quick search from your home directory to find all instances of TimThumb with:

find . -iname 'timthumb*' -ls

or, for WooThemes versions:

find . -iname 'thumb.php' -ls

In many cases I found themes that were not being used and just deleted them directly:

rm -rf path/to/theme

Most theme companies have also already released fixes, so you could also get the latest version directly from them and replace your current theme.

Clean Up After the Hack

DISCLAIMER: I don’t consider myself to be a security expert, but these are the steps I took to clean up my site. If anyone else has additional recommendations, please drop them in the comments or post a link.

  1. I wiped the entire directory of the hacked site since I didn’t know which files had been added or compromised.
  2. I changed my database passwords and uploaded a new clean version of WordPress with a fresh wp-config.php file.

If you’re using shell this is very quick (http://codex.wordpress.org/Installing_WordPress):

wget http://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz

  3. I manually checked my backed-up “wp-content” to make sure no odd new files had been added. I specifically checked for files that other folks have reported as being exploited, like:
    /wp-content/uploads/feed-file.php
    /wp-content/uploads/feed-files.php
    /wp-content/themes/******/cache/.htaccess

    The file in my case was:

    /wp-content/data.php

    There’s an excellent post that goes into the hacking methods in more detail and suggests other files to check at: http://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html

  4. I also grepped the backed-up “wp-content” directory for any files with base64_decode. There are legitimate reasons to have base64_decode in a file, but if you don’t know where the file came from, or what it does, find out. Here’s how you grep a directory (use . rather than * so that dotfiles like the cache .htaccess above are included):
    grep -r base64_decode .

    If you want to grep your entire server, try

    grep -r --exclude={wp-app.php,class-simplepie.php,class-IXR.php} base64_decode .
  5. When I was reasonably confident my backup wp-content directory was clean, I re-uploaded it.
  6. I reset my file permissions as specified by WordPress in the codex.
  7. I logged back into WordPress and reset the admin passwords.
  8. I reset my permalinks to be completely sure the .htaccess was overwritten.
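As an added example (this is not code from the original post), here is a small read-only audit script that wraps the checks above into reusable shell functions: the TimThumb search from the “Fix TimThumb Vulnerability” section, plus the wp-content checks from this list (PHP under uploads, .htaccess in theme cache directories, and base64_decode outside the three core files the post excludes). It also prints the VERSION each TimThumb copy declares, so you can compare it with the fresh timthumb.php you downloaded. To run offline it builds a constructed, harmless sample tree under a temp directory; every path and file in that tree is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit of a WordPress
# document root for the indicators discussed above.

# Constructed sample tree so the script runs offline. Nothing here is real
# malware; the "suspicious" files just contain harmless markers.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/oldtheme/cache" \
             "$d/wp-content/themes/newtheme" \
             "$d/wp-content/uploads/2011/08" \
             "$d/wp-includes"
    printf '<?php\ndefine ("VERSION", "1.32");\n'   > "$d/wp-content/themes/oldtheme/timthumb.php"
    printf '<?php\ndefine ("VERSION", "2.8.10");\n' > "$d/wp-content/themes/newtheme/thumb.php"
    printf '<?php echo base64_decode("ZWNobyAxOw==");\n' > "$d/wp-content/data.php"
    printf '<?php echo "dropper";\n'                > "$d/wp-content/uploads/feed-file.php"
    printf 'AddType application/x-httpd-php .jpg\n' > "$d/wp-content/themes/oldtheme/cache/.htaccess"
    printf 'not really a jpeg\n'                    > "$d/wp-content/uploads/2011/08/photo.jpg"
    printf '<?php $x = base64_decode($y); // legit core use\n' > "$d/wp-includes/class-IXR.php"
    printf '%s\n' "$d"
}

# 1. Every TimThumb copy (including WooThemes' thumb.php) and the VERSION
#    it declares, as "path<TAB>version"; "unknown" means no define() found.
find_timthumb() {
    find "$1" -type f \( -iname 'timthumb*.php' -o -iname 'thumb.php' \) | sort |
    while read -r f; do
        ver=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1)
        printf '%s\t%s\n' "$f" "${ver:-unknown}"
    done
}

# 2. PHP files in wp-content/uploads, where only media should ever land.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -iname '*.php*' | sort
}

# 3. .htaccess files dropped into theme cache directories.
find_cache_htaccess() {
    find "$1/wp-content/themes" -type f -path '*/cache/.htaccess' | sort
}

# 4. base64_decode in PHP files, excluding the core files the post lists.
grep_base64() {
    grep -rl --include='*.php' \
         --exclude=wp-app.php --exclude=class-simplepie.php --exclude=class-IXR.php \
         base64_decode "$1" | sort
}

audit_site() {
    printf '== TimThumb copies (path, declared VERSION) ==\n'; find_timthumb "$1"
    printf '== PHP under wp-content/uploads ==\n';              find_php_in_uploads "$1"
    printf '== .htaccess in theme cache dirs ==\n';             find_cache_htaccess "$1"
    printf '== base64_decode outside known core files ==\n';    grep_base64 "$1"
}

# Demo against the constructed tree; point audit_site at a real docroot instead.
root=$(make_sample_tree)
trap 'rm -rf "$root"' EXIT
audit_site "$root"
```

Run it as `sh audit.sh` and replace the sample root with your real document root (or your whole home directory on a shared host, as the post does). Every function only reads the tree, so it is safe to run against a live site before you decide what to wipe; anything it lists still needs a human look, since base64_decode and cache .htaccess files do have legitimate uses.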
