WARNING! DANGER! Got A Wordpress Fancy Theme or Timthumb? Vital Hackers Alert!

42 replies
I need to start with the disclaimer:

I am not a technical person.

So, here is the article or search you can check out:

Timthumb PHP script opens hole in WordPress blogs - The H Security: News and Features

This timthumb php thingie is apparently used on some of your fancy wordpress themes.

One big user of this function is Woo themes.

You will want to check your themes and see if there is a timthumb.php file in the mix.

You can be lazy like me, and just do a search in your cpanel (if you have a butt load of wordpress installs).

Look in the upper right corner:


I then did that search again without the php:



So, headway theme has it too.

It also may be in some plugins.

Anyway, it is a security issue.

Here is a helpful looking site:

How To Fix The Security Issue in Timthumb

Anyway, I'm off to the headway forum because that file for headway is done differently and I may need different instruction on how to handle it.

For now I just deleted the files and the site seems to be ok.

If some techie person wishes to elaborate on this, please feel free to steal the thunder here.

***Make sure you do searches for thumb.php and timthumb***

(I found a couple more little devils hiding in the brush)
#alert #fancy #hackers #theme #vital #wordpress
  • Profile picture of the author cherylwaller
    here is some additional information and also some instructions (scroll to bottom) to see if you have been hacked Zero Day Vulnerability in many Wordpress Themes | mm
    Signature

    >>>> Want to Steal All 4 of my WSOs for under $10??? <<<< (pssst... 2 have full PLR)

    Facebook: Fan Page (past 5k limit for personal profile)
    Google+: Circle Me SEO, SEM, SMM, SMO & Warrior Circles
    Twitter: Follow Me

    {{ DiscussionBoard.errors[4396839].message }}
    • Profile picture of the author Jill Carpenter
      Anyone else who may have headway - they have pushed an update which solves the issue.

      It looks like it is recommended that you delete old versions after you have updated.

      There are going to be a TON of people using wordpress who are not paying attention - so please comment to keep this thread active for a bit and help spread the word.
      Signature

      "May I have ten thousand marbles, please?"

      {{ DiscussionBoard.errors[4396914].message }}
  • Profile picture of the author Gary King
    Thanks for sharing Jill, it never hurts to spread good info for others to help protect themselves.

    All success,

    Gary
    Signature

    ===========================
    OFFLINERS! Warning: Unless You Know These Pricing Secrets, You are Leaving THOUSANDS on the Table. Get Your Free Report Now.
    {{ DiscussionBoard.errors[4396939].message }}
  • Profile picture of the author GregSilva
    Thank you for the heads up, Jill. I will look for this on my Wordpress blogs right now.
    {{ DiscussionBoard.errors[4396977].message }}
    • Profile picture of the author Jill Carpenter
      Originally Posted by GregSilva View Post

      Thank you for the heads up, Jill. I will look for this on my Wordpress blogs right now.
      I saw this initially and was like, "oh crap, I'm too lazy to go into my cpanel and look for this right now."

      And then I thought, "oh crap, it will be me who has this silly file on one of my sites and gets hacked while I sleep."

      And then I said to myself, "Jill, you need a cocktail, and you need to get your arse into the cpanel and take care of this."

      True story. :p
      Signature

      "May I have ten thousand marbles, please?"

      {{ DiscussionBoard.errors[4397002].message }}
  • Profile picture of the author BridgetSielicki
    Thanks for the heads up Jill, these files are something everyone should definitely check for, especially since an infected site may not appear to be infected right away
    {{ DiscussionBoard.errors[4397020].message }}
  • Profile picture of the author joseph7384
    [DELETED]
    {{ DiscussionBoard.errors[4397143].message }}
    • Profile picture of the author Jill Carpenter
      Originally Posted by joseph7384 View Post

      I followed theses instructions and the search result was no file found, are there any other files or themes that I should be concerned with.

      Joseph
      You may be ok.

      It is only specific plugins and themes - but it is a good number of them and so many people use wordpress in general it is good to check.

      Odds are if you are using a lot of free themes you will be ok. This tends to fall more toward premium themes or paid plugins.
      Signature

      "May I have ten thousand marbles, please?"

      {{ DiscussionBoard.errors[4397224].message }}
    • Profile picture of the author DaveDempsey
      Originally Posted by joseph7384 View Post

      I followed theses instructions and the search result was no file found, are there any other files or themes that I should be concerned with.

      Joseph
      Well this script can be ran from any file name ending in .php. So the creator of your theme might have labeled it something else.

      The best place to check is your theme's creators website. I found out from mine that the file I was looking for was thumb.php (check on their blog if they have one).
      Signature

      [FREE WSO – Facebook Page Takeover] How to ‘Kill It’ on Facebook (FOR FREE!)
      {{ DiscussionBoard.errors[4397233].message }}
      • Profile picture of the author ExRat
        Hi Jill,

        There's a little lesson here, that perhaps not everyone will see.

        I once wasted some good money on a fancy theme that was supposed to make life easier but it did the opposite.

        There is a tendency for people to jump on the bandwagon when others talk about how cool a paid theme is, because it has easy to use functions in the menus etc and it looks cool.

        I eventually went the other way after learning the lesson. I learnt how to use child themes and I utilise the most common basic themes that come with Wordpress. I'm pretty keen on the 2010 theme and with a child theme you can change almost anything easily (once you grasp a little CSS).

        Lesson 1 - all that glitters is not gold.

        Lesson 2 - real IMers aren't scared of a little code and prefer to be in total control

        HTH
        Signature


        Roger Davis

        {{ DiscussionBoard.errors[4397365].message }}
        • Profile picture of the author Jill Carpenter
          Originally Posted by ExRat View Post


          Lesson 1 - all that glitters is not gold.

          Lesson 2 - real IMers aren't scared of a little code and prefer to be in total control

          HTH
          Well, I'm going to agree to disagree with you.

          I like to play with fun and fancy stuff that honestly I just don't have the time to learn how to code from scratch.

          All that glitters may not be gold, but some of it sure is purdy.
          Signature

          "May I have ten thousand marbles, please?"

          {{ DiscussionBoard.errors[4397474].message }}
          • Profile picture of the author ExRat
            Hi Jill,

            Well, I'm going to agree to disagree with you.
            That's great, we can possibly learn something from each other here

            I like to play with fun and fancy stuff
            Of course, we all do. But put your business head on - how would you like to play with fancy stuff that gives you lots more control over your business and a feeling of empowerment, plus the knowledge that something is actually way less complicated than you thought and that you are capable of cracking it?

            Imagine what it feels like to be able to alter anything on your theme without anyone elses assistance (except perhaps Google)?

            I just don't have the time to learn how to code from scratch
            That's the point I'm getting at in a nutshell (in two parts).

            1) you can't not have the time to learn this stuff, if you're an IMer. It's more important than almost anything else, unless you can afford a full time assistant for these things (and most people will probably only get to that point by doing it themselves initially.) That assistant is just a luxury in reality. Plus there's nothing more important with an assistant, than being able to show them how to do something when they get stuck. That way, they know that you know what their job entails.

            2) this one's the kicker - I know that code is frightening, but it's one of those optical illusions. I'm talking about absolute basic CSS. It's not really 'code'. There is one difficult mountain to climb before seeing it from a different perspective. That mountain might take an hour or two of frustration and complete bewilderment.

            Many will give up on that mountain saying to themselves 'I'm just not cut out for this' and there are tons of 'mountain-climbed-coders' waiting to hold hostage those who haven't got the intestinal fortitude to make that climb.

            The most important mountains we can ever climb are the ones where we nearly give up because 'I'm just not cut out for this.' Climb enough of those and one can do anything.

            If you hear a voice within you say "you cannot paint," then by all means paint, and that voice will be silenced - Vincent Van Gogh.
            It matters not whether I convince you Jill, but I at least have to give it my best shot

            All that glitters may not be gold, but some of it sure is purdy.
            LOL.

            Why does that statement sound so delightfully (but scarily) feminine? Sends my wallet into shock mode!
            Signature


            Roger Davis

            {{ DiscussionBoard.errors[4397783].message }}
            • Profile picture of the author sanssecret
              OMG, I use Elegant themes and they use this in all their themes. Still, I've managed to go in and edit the files.

              My problem is, the lower half of the article, (how to find out if you've been hacked) has me totally bamboozled. (not hard to do I admit ).

              Can someone explain to me what the heck 'ssh' is? And how do I use it? And what the heck is 'grepping'? Techie? Kinky?

              Just a thought... ( I do get them occasionally), has this been posted in the SEO/programming forum? Might be worth having it in there where the geeks hang out and they can come up with a quick fix solution for us all.
              Signature
              San

              The man who views the world at fifty the same as he did at twenty has wasted thirty years of his life. ~Muhammad Ali
              Pay me to play. :) Order a Custom Cover today.
              {{ DiscussionBoard.errors[4398264].message }}
              • Profile picture of the author Brian Alaway
                Originally Posted by sanssecret View Post


                Can someone explain to me what the heck 'ssh' is? And how do I use it? And what the heck is 'grepping'? Techie? Kinky?
                Think of it as encryption for your file transfers. Highly recommended. They mention Putty and WinSCP for client support but Filezilla also supports SSH/SFTP.
                Hostgator Support - How do I get and use SSH access?

                If you're not using HG, you may need to call you hosting support to make sure they offer ssh access, what port to use and they may need to activate it for you (e.g. Bluehost uses port 22 and HG uses port 2222).

                grep - Wikipedia, the free encyclopedia
                {{ DiscussionBoard.errors[4401446].message }}
              • Profile picture of the author SteveJohnson
                Originally Posted by sanssecret View Post

                OMG, I use Elegant themes and they use this in all their themes. Still, I've managed to go in and edit the files.

                My problem is, the lower half of the article, (how to find out if you've been hacked) has me totally bamboozled. (not hard to do I admit ).

                Can someone explain to me what the heck 'ssh' is? And how do I use it? And what the heck is 'grepping'? Techie? Kinky?
                Get your hosting company to do it for you. They can pipe the results to a text file you can download.

                'SSH' is a protocol (like HTTP or FTP) for talking directly to a server, in server language, kind of like the old DOS language.

                PuTTY and others are programs that are called 'terminal emulators' - they act like the old computer terminals. They use the SSH protocol to let you interact with the actual web server machine.

                'Grep' is a search program that runs on the web server machine. It's kind of a standard program that's included with the Linux operating system that most web servers run.
                Signature

                The 2nd Amendment, 1789 - The Original Homeland Security.

                Gun control means never having to say, "I missed you."

                {{ DiscussionBoard.errors[4401711].message }}
        • Profile picture of the author CDarklock
          Originally Posted by ExRat View Post

          I once wasted some good money on a fancy theme that was supposed to make life easier but it did the opposite.
          I was using a theme called "Adventure Journal." I upgraded to WP 3.2.1 and it broke. I upgraded AJ to the latest version and it was still broken. I switched to the default WP Twenty Eleven theme, tweaked three settings, and it looks more or less like AJ did. I'm pretty sure Twenty Eleven will just continue to work forever.
          Signature
          "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
          {{ DiscussionBoard.errors[4398047].message }}
  • Profile picture of the author DaveDempsey
    Thanks for the heads up! This looks nasty I just hope no one here is affected badly.

    Time to check my servers.
    Signature

    [FREE WSO – Facebook Page Takeover] How to ‘Kill It’ on Facebook (FOR FREE!)
    {{ DiscussionBoard.errors[4397146].message }}
  • Profile picture of the author imdomination
    Thanks for posting this Jill. I know someone who has had their site hacked, the title of their site changed to some relatively pornographic keywords and their ranking has gone from #3 to #54 for the keyword so far because of it.

    Not a good thing at all, at least none of my sites have the file.
    {{ DiscussionBoard.errors[4398014].message }}
  • Profile picture of the author Apollo-Articles
    Thanks, did a search and found it within one theme - updated to the latest version as recommended.

    Sam
    {{ DiscussionBoard.errors[4398854].message }}
    • Profile picture of the author Jill Carpenter
      Originally Posted by sanssecret View Post

      OMG, I use Elegant themes and they use this in all their themes. Still, I've managed to go in and edit the files.

      My problem is, the lower half of the article, (how to find out if you've been hacked) has me totally bamboozled. (not hard to do I admit ).

      Can someone explain to me what the heck 'ssh' is? And how do I use it? And what the heck is 'grepping'? Techie? Kinky?

      Just a thought... ( I do get them occasionally), has this been posted in the SEO/programming forum? Might be worth having it in there where the geeks hang out and they can come up with a quick fix solution for us all.
      Ha ha. Grepping does sound a bit dirty. Especially when you tell me to shh before you do it.
      Signature

      "May I have ten thousand marbles, please?"

      {{ DiscussionBoard.errors[4399157].message }}
  • Profile picture of the author sbucciarel
    Banned
    I use Woo Gazette theme a lot. Just checked and it appears that they have renamed timthumb.php to thumb.php.

    I just edited thumb.php to the recommended changes and uploaded it at
    http://domainingdiva.com/thumb.php

    If you use it and your files are called timthumb.php instead of thumb.php, just rename the file to timthumb.php

    The file can be found in your theme folder, so if say ... you use Gazette, it would be found in
    domain.com/wp-content/themes/gazette/
    {{ DiscussionBoard.errors[4399380].message }}
  • Profile picture of the author BIG Mike
    Banned
    [DELETED]
    {{ DiscussionBoard.errors[4399728].message }}
    • Profile picture of the author Istvan Horvath
      Originally Posted by BIG Mike View Post

      My theme has 2 just two files - index.php,[...] and styles.css, [...].
      Most present users don't know that before WP version 1.5, when the theme system has been introduced... actually, we used exactly that: an index.php and a style.css file. Nothing else

      The very first themes were made by "cutting up" that index file into pieces and naming them based on what they contained:
      - header.php
      - index.php (the main 'body' part of the original index)
      - sidebar.php
      - footer.php

      It was supposed to make the customization easier.

      Then some general template files were added; all of them, practically, replace the main index file when they are called into the above "scheme". In other words, when you display a list of older posts in a certain month (aka archives of your posts) the archives.php will replace the index; when a Page is shown, page.php comes in, for one post - single.php etc.

      The last major change was adding the functions.php... and from there nobody can follow what's going on.

      Even between the last two 'official' WP themes (2010 & 2011) there are so many essential differences that you have to learn them from scratch.

      [here goes your theme history in a nutshell...]
      Signature

      {{ DiscussionBoard.errors[4402780].message }}
      • Profile picture of the author BIG Mike
        Banned
        [DELETED]
        {{ DiscussionBoard.errors[4402813].message }}
        • Profile picture of the author McT
          Thanks for the heads up. Checked for the file through cpanel and took care of the problem as per the instructions.

          Best Regards
          Barb
          {{ DiscussionBoard.errors[4402995].message }}
  • Profile picture of the author Lyanna
    Thank, I had Timthumb on two WP blogs. Fixed and no problems with hacking, thank goodness. Three of my images got broken (from the blog in my sig) but its not too bad, easily fixed once I have the time.
    {{ DiscussionBoard.errors[4400083].message }}
  • Profile picture of the author Matt Ward
    Thanks for this notice! I had 2 sites that have this plugin incorporated, and yes, it was vulnerable. I think there are a lot of older themes that use this plugin and may never be updated... scary.

    edit: It seems as though external loading is set to "false" by default, so it may not be as huge of an exploit as it seems. It's still an issue to be concerned about, though.
    Signature
    "Keep moving forward."
    {{ DiscussionBoard.errors[4400931].message }}
  • Profile picture of the author Dustin Goode
    Thank you for the heads up! I had to edit a few of my sites' timthumb.php!
    Signature

    -Dustin

    {{ DiscussionBoard.errors[4401134].message }}
  • Profile picture of the author GoldenGlovez
    I have quite a few sites running themes that use timthumb. Updated them all this morning quick and painless! Less than 5 minutes to update about 10 sites using timthumb. Don't slack on fixing this huge security issue!
    {{ DiscussionBoard.errors[4401722].message }}
  • Profile picture of the author Blacklisted
    interesting..
    {{ DiscussionBoard.errors[4401877].message }}
  • Profile picture of the author CyberSorcerer
    Just to let other know, who might be using 'ProfiteThemes', I found the same $allowedSites array in thumb.php on line 24.
    {{ DiscussionBoard.errors[4401994].message }}
  • Profile picture of the author Chris Mercer
    Just updated mine as well (using OptimizePress). Everything seems to be working so far... thanks for the keeping this topic alive!

    I was in the same "procrastination" phase as you were Jill... sadly... no cocktails nearby.

    BTW... Anyone try this one yet?

    http://markmaunder.com/2011/a-secure...-as-wordthumb/


    - Mercer
    Signature
    Discover Seriously Simple Marketing...
    http://www.SeriouslySimpleMarketing.com
    {{ DiscussionBoard.errors[4403401].message }}
    • Profile picture of the author Jill Carpenter
      Originally Posted by Chris Mercer View Post

      I was in the same "procrastination" phase as you were Jill... sadly... no cocktails nearby.
      It's always good to have a bottle on hand just for emergency occasions like this.
      Signature

      "May I have ten thousand marbles, please?"

      {{ DiscussionBoard.errors[4406974].message }}
  • Profile picture of the author Lyanna
    Turns out some images of mine are now bad/not loading but I am too lazy to fix it still. I'm glad I was at least able to fix the security of my blogs but going back and doing those images again will be a pain.
    {{ DiscussionBoard.errors[4408885].message }}
    • I just had a visit to my blog from a Russian hacker.

      I know this because I have Clicky. And he was looking for ET WordPress themes.

      Fortunately, yesterday I uploaded the new safe theme. And I did a full backup and stored it on my computer.

      It still runs a chill down your spine, though.

      fLufF
      --
      Signature
      Fiverr is looking for freelance writers for its blog. Details here.
      Love microjobs? Work when you want and get paid in cash the same day!
      {{ DiscussionBoard.errors[4408912].message }}
  • Profile picture of the author dsouravs
    Elegant themes also have timthumb.php
    Signature

    I can convert your Non-Responsive website to Responsive website ... How sweet is that? :)

    {{ DiscussionBoard.errors[4409072].message }}
    • Profile picture of the author Dennis Gaskill
      Originally Posted by CyberSorcerer View Post

      Just to let other know, who might be using 'ProfiteThemes', I found the same array in thumb.php on line 24.
      What that suppose to be "ProfiteThemes" ... just curious because there's also a "Profits Theme" so I wondered if it was a typo?
      Signature

      Just when you think you've got it all figured out, someone changes the rules.

      {{ DiscussionBoard.errors[4409315].message }}
      • Profile picture of the author MikeHumphreys
        Originally Posted by Dennis Gaskill View Post

        What that suppose to be "ProfiteThemes" ... just curious because there's also a "Profits Theme" so I wondered if it was a type?
        Just checked... there is a thumb.php file with the same TimThumb coding in the Profits Theme.
        {{ DiscussionBoard.errors[4409520].message }}
        • Profile picture of the author Dennis Gaskill
          Originally Posted by MikeHumphreys View Post

          Just checked... there is a thumb.php file with the same TimThumb coding in the Profits Theme.
          Yup, found the same thing and fixed. I only found one copy of it, though one article I read said there could be more than one copy in various locations. Did you find just the one copy too, or more?
          Signature

          Just when you think you've got it all figured out, someone changes the rules.

          {{ DiscussionBoard.errors[4409850].message }}
          • Profile picture of the author Alex Barboza
            Originally Posted by Dennis Gaskill View Post

            Yup, found the same thing and fixed. I only found one copy of it, though one article I read said there could be more than one copy in various locations. Did you find just the one copy too, or more?
            Can you please tell me wher you found that on Profits Theme? I searched but couldn't find anything :confused:
            {{ DiscussionBoard.errors[4446836].message }}
  • Profile picture of the author Lyanna
    Yes, some phps on mine were not named timthumb but just "thumb" but it contains the same security vulnerability. Fixed all so far no hacking problems, just broken image links.
    {{ DiscussionBoard.errors[4412021].message }}
    • Profile picture of the author sbucciarel
      Banned
      Originally Posted by Lyanna View Post

      Yes, some phps on mine were not named timthumb but just "thumb" but it contains the same security vulnerability. Fixed all so far no hacking problems, just broken image links.
      Strange ... I fixed all mine and my image links are not broken. All my images are still there.
      {{ DiscussionBoard.errors[4412680].message }}
      • Profile picture of the author Lyanna
        Originally Posted by sbucciarel View Post

        Strange ... I fixed all mine and my image links are not broken. All my images are still there.
        I don't know what's up with mine yet. I haven't investigated. The broken images are on a blog I don't use a lot and it's the weekend so I'm just chilling for now. Monday is soon enough for work.
        {{ DiscussionBoard.errors[4413231].message }}
        • Profile picture of the author samtam
          Just got an email regarding Timthumb danger from my hosting company, going to check it out, better be safe than sorry.
          {{ DiscussionBoard.errors[4446796].message }}
  • Profile picture of the author Bob Willoughby
    Sure enough I found one! Thanks for the heads up!
    Bob
    {{ DiscussionBoard.errors[4413220].message }}

Trending Topics