The Google Malware warnings started popping up all over the internet early this month, and even now sites are still being infected by automated scripts. If you’re running a WordPress site with a custom premium theme, you might already be seeing the above message when you try to visit your website (hopefully not….). The problem lies with a vulnerability recently discovered in a popular image manipulation script called TimThumb. The script is widely used in premium WordPress themes, which makes this exploit particularly dangerous given that exploit code has been in the wild for several weeks already. The good news is that I’m going to review not only how to detect whether you’ve already been infected but also how to patch your blog to prevent getting infected in the first place.
How to check if you have a problem
Other than seeing a warning in Chrome similar to the one above while visiting your site, there are two easy ways to check whether your WordPress installation has been infected.
The first is an external WordPress scanner built by Sucuri: http://sitecheck.sucuri.net/scanner/
The second is a server-side script that you upload to your site and then load in a web browser. It is available at http://sucuri.net/tools/sucuri_wp_check.txt and must be renamed after download, as per Sucuri’s instructions below:
- Save the script to your local machine by right-clicking the link above and choosing Save Link As
- Log in to your site via SFTP or FTP (we recommend SFTP/SSH)
- Upload the script to your root WordPress directory
- Rename sucuri_wp_check.txt to sucuri_wp_check.php
- Run the script via the browser of your choice – yourdomain.com/sucuri_wp_check.php – make sure you change the URL path to your domain and wherever you uploaded the file
- Check the results
If the scanners find anything infected, remove the infected files immediately. But even if the scanners report “all clear”, you likely still have a problem with your actual TimThumb installation.
How do I fix it?
First, if you haven’t already done so, back up and download a copy of your WordPress directory and your MySQL database. For instructions on backing up the MySQL database, see the WordPress Codex. Your backup may contain junk, but it’s better than starting over from nothing.
Next, grab the latest version of TimThumb at http://timthumb.googlecode.com/svn/trunk/timthumb.php
Now we need to lock down the new timthumb.php so that it will no longer fetch images from external sites. To do this, follow these steps:
- Open timthumb.php in a text editor such as Notepad++ and go to line 27 – it should read $allowedSites = array (
- Remove all of the sites listed, such as “imgur.com” and “tinypic.com”
- After removing everything, the parentheses should be empty and closed, like this: $allowedSites = array();
- Save changes.
Okay, now that your new TimThumb script is locked down, you’ll need to connect to your website’s server via FTP or SSH. In most custom WordPress themes that use TimThumb, it is located in the wp-content/themes/[themename] folder. Delete the old timthumb.php and replace it with the new one. If you have more than one copy of TimThumb on your server, be sure to replace ALL of them – note that sometimes the file is just called thumb.php.
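To confirm that every copy on the server (including ones named thumb.php) has actually been locked down, here is an added shell audit script, not from the original post, that assumes the WordPress root is passed as its first argument and flags any copy whose $allowedSites array still has entries:

```shell
#!/bin/sh
# Audit a WordPress tree for every copy of TimThumb and report whether each
# still lists external sites in $allowedSites.
# Added example, not code from the original post. Assumes the WordPress root
# is passed as the first argument and that copies are named timthumb.php or
# thumb.php, as the post describes.

# Classify one file: "locked" if $allowedSites = array(); has nothing inside,
# "open" if the array still has entries, "unknown" if the setting is absent.
# Whitespace and line breaks are stripped first, because the stock script
# spreads the array over several lines.
classify_timthumb() {
    file="$1"
    flat=$(tr -d ' \t\r\n' < "$file")
    case "$flat" in
        *'$allowedSites=array();'*) echo locked ;;
        *'$allowedSites=array('*)   echo open ;;
        *)                          echo unknown ;;
    esac
}

# Walk the tree and print "path<TAB>status" for each copy, sorted by path.
audit_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | sort |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(classify_timthumb "$f")"
    done
}

# Return 0 when no copy is still open, 1 otherwise, so the audit can gate
# a deploy or a cron job.
no_open_copies() {
    if audit_timthumb "$1" | grep -q 'open$'; then
        return 1
    fi
    return 0
}

# Usage: sh audit_timthumb.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    audit_timthumb "$1"
fi
```

A copy reported as "unknown" is worth a manual look, since a renamed or heavily modified file will not carry the setting at all.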
Once you have updated TimThumb on your web server and cleared out any files that were detected by the above scanners, you’re more or less good to go. If you think you might be upgrading a bit too late and may already be infected, contact your web host immediately and ask them to do a full AV scan of your web server. Hopefully they can help fix you up; otherwise you might need to revert to a backup.