Timthumb Exploit

    • DrMath
    • Newbie
    • Posts: 5
    • Thanks: 0

    Timthumb Exploit

    Posted 13 years 6 months ago
    • Hey guys.

      I was wondering if you'll be pushing through an update for your themes and plugins for WordPress that either update the Timthumb image resizing script or replace it with something else, since the vulnerability in its code was discovered that allows exploiters to compromise any sites currently running these themes. (See this link for a description of the exploit: markmaunder.com/2011/08/01/zero-day-vuln...ny-wordpress-themes/ ). Currently all sites running your themes are vulnerable and probably don't know it.

      Just wondering if a fix would be published by your team or if customers will be left to fix the issue themselves?
  • Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • Yes, my site was just hacked because of the timthumb exploit. My web host just sent me an email informing me of the compromised site, and they said it came from timthumb. Where can I find this? All exploits seem to fall into the roxnewspager folder and the cache folder inside roxnewspager. I have this plugin disabled at the moment. How can I fix this?
    • cdavis411
    • Preeminent Rocketeer
    • Posts: 17787
    • Thanks: 882

    Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • Thank you for the information. I will pass this on to the proper personnel. :)
    • Tyndie
    • Preeminent Rocketeer
    • Posts: 8804
    • Thanks: 5

    Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • Joseph Zimmerman wrote:
      Yes, my site was just hacked because of the timthumb exploit. My web host just sent me an email informing me of the compromised site, and they said it came from timthumb. Where can I find this? All exploits seem to fall into the roxnewspager folder and the cache folder inside roxnewspager. I have this plugin disabled at the moment. How can I fix this?

      Hi,

      Did you keep all of your plugins and your theme up to date with the latest version? What PHP interface does your web host use in its Apache configuration? Were any of your folders set to chmod level 777 instead of 755?

      There are a whole load of reasons why your site could have been hacked (I have only touched on a few). Please can you provide an FTP login and an admin login, and ask your host for the server logs for your account.
    • Tyndie
    • Preeminent Rocketeer
    • Posts: 8804
    • Thanks: 5

    Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • DrMath wrote:
      Hey guys.

      I was wondering if you'll be pushing through an update for your themes and plugins for WordPress that either update the Timthumb image resizing script or replace it with something else, since the vulnerability in its code was discovered that allows exploiters to compromise any sites currently running these themes. (See this link for a description of the exploit: markmaunder.com/2011/08/01/zero-day-vuln...ny-wordpress-themes/ ). Currently all sites running your themes are vulnerable and probably don't know it.

      Just wondering if a fix would be published by your team or if customers will be left to fix the issue themselves?
      Hi,

      That post is a few months old now, and the timthumb script has been updated since then.
  • Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • I realize the other post is a few months old, but the exploit is what I said. The folder is 755. I tried to dig around for the timthumb.php, but all I can find is the thumb.php inside the roknewspager. I keep all my plugins up to date. Where would I update the timthumb itself? I have no plugin that is just timthumb, so I assume it is part of something else, and I figure that it was built into the RNP. This is on WordPress, and I see no updates for individual plugins here like you do with the Joomla extensions. I do all my plugin updates through the WordPress admin area. Here is the email my hosting company sent:

      1.1 The hackers processed the attack through a security leak in your following software:
      Timthumb plugin of your CMS

      1.2 Via this security leak, the hackers have uploaded the following malicious files to your webspace:

      1.3 In order to impede further attacks, we have disabled these files. Please note that part of your websites may be impaired.

      2. Required measures
      In order to reactivate your websites and re-establish the security of your 1&1 account, observe the following instructions.

      2.1 Replace your following software with an updated and secured version:
      Timthumb plugin of your CMS
      You will find further information on:
      code.google.com/p/timthumb/
  • Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • Hi,

      All of our plugins have an updated version of the TimThumb script inside them. The file named thumb.php is the TimThumb script, just renamed from timthumb.php to thumb.php. The best thing to do is to grab the newest version of the plugin from the plugins package of your theme. If you don't want to update the whole plugin, you can just grab the file from the link your host gave you (code.google.com/p/timthumb/), rename it to thumb.php and place it in the plugin directory.

      If you need any additional instructions, just let me know.

      Thanks,
      Jakub
    • Remember to always post a link to the site you're having a problem with.
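    The thread above boils down to three checks a site owner would want to run after such an email: locate the renamed TimThumb copy (thumb.php) and see which version it declares, look for PHP files that were dropped into a plugin's cache folder, and find directories left at 777 as Tyndie asked. The script below is an added example, not code from the thread or from RocketTheme; it assumes only that the TimThumb copy declares its version with define('VERSION', '...'), as TimThumb 2.x does.

```shell
#!/bin/sh
# Added example (not from the thread or RocketTheme): audit a WordPress tree.
# Assumption: TimThumb declares its version as define('VERSION', '...'),
# which 2.x does; copies without that line are reported as "unknown".

# Print "path<TAB>declared version" for every thumb.php / timthumb.php under $1.
find_timthumb() {
    find "$1" -type f \( -name thumb.php -o -name timthumb.php \) 2>/dev/null |
    while IFS= read -r f; do
        v=$(grep -o "define *( *'VERSION' *, *'[^']*'" "$f" | head -n 1 |
            grep -o "'[^']*'$" | tr -d "'")
        printf '%s\t%s\n' "$f" "${v:-unknown}"
    done
}

# TimThumb only writes resized images into its cache directory, so a PHP
# file in any wp-content/.../cache folder is the pattern the host reported.
php_in_cache() {
    find "$1" -type d -name cache -path '*/wp-content/*' 2>/dev/null |
    while IFS= read -r d; do
        find "$d" -type f -name '*.php' 2>/dev/null
    done
}

# Directories writable by everyone (the 777 case from the thread).
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Run all checks; returns 1 if anything needs attention, 0 if clean.
audit_wordpress() {
    echo "== TimThumb copies (path, declared version) =="
    find_timthumb "$1"
    findings=$(php_in_cache "$1"; world_writable_dirs "$1")
    if [ -n "$findings" ]; then
        echo "== PHP files in cache dirs / world-writable dirs =="
        printf '%s\n' "$findings"
        return 1
    fi
    echo "== No PHP files in cache dirs, no world-writable dirs =="
    return 0
}

# Usage: sh audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then audit_wordpress "$1"; fi
```

Files the script lists are candidates for quarantine and comparison against the plugin package, not proof on their own; the version column tells you whether the thumb.php replacement described above has actually been applied.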
  • Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • Ahh, I didn't realize the plugins had to be updated manually. I thought they would show as needing an update via the admin area of WordPress like the other plugins do. I actually did what you said, but I wasn't 100% sure if the rename of the file would work or if there was custom code added into it. It seemed to work without issue, but I wanted to be sure before I let the plugin be active again. Thanks for the info. Love the templates and have been using your stuff since I started with the original Joomla years ago.
  • Re: Timthumb Exploit

    Posted 13 years 6 months ago
    • Hi,

      For a plugin to appear in the WP update panel it needs to be placed in the WordPress.org plugins directory, and since our plugins are premium they cannot be placed there. Thanks for all the kind words!

      Jakub
    • Remember to always post a link to the site you're having a problem with.