[resolved] [closed] TimThumb Hack (was WordPress 3.2.1 vanilla is FAR from secure...) (29 posts)

  1. rezwalker666
    Posted 4 years ago #

    Hi guys,

    Been using WP for about a year now, loving it.

    Today though, has been a nightmare. Got a new domain on a hot topic, installed newest version of WP (3.2.1) and it got hacked within minutes. I had NO plugins, NO special themes.

    Got attacked by some malware URLs:

    ErrorDocument 400 generation-internet.ru/pcollection/index.php
    ErrorDocument 401 generation-internet.ru/pcollection/index.php
    ErrorDocument 403 generation-internet.ru/pcollection/index.php
    ErrorDocument 404 generation-internet.ru/pcollection/index.php

    [Mod. - Delinked to not make them clickable. Let us not help the spammers.]

    Pretty ridiculous, and very frustrating.

    I'd like to know how this got in my htaccess file exactly... Working with my VPS hosting company but it's not going anywhere.

    I've re-installed it several times, I've even installed the Secure WordPress plugin, and still infected.

  2. alamest
    Posted 4 years ago #

    I do have also faced the same problem.. I don't know what to do.. I am too totally frustratin... If I downgrade it, it will not go out..

    Please do update it is important..


  3. cometulm
    Posted 4 years ago #

    Same here.. This has cost me a lot of time today........ I have moved all the sites and disabled them as every time I fix the .htaccess file it happenes again soon there after. I hope I got it until there is a fix...

  4. rezwalker666
    Posted 4 years ago #

    Of course, it all comes down to clamping down the security of your WP installation. I was under the impression that WP comes pretty secure, but nope. I have to re-write htaccess, change permissions, etc... Not everybody knows how to do this, so how about those other millions of blog out there? :o

  5. alamest
    Posted 4 years ago #

    Hi Rezwalker66 can you tell me how did you do that.. can you please take a time and write it down by step by step..I will appreciate that..

    Waiting for your reply..


  6. Daniel Cid
    Sucuri.net Support
    Posted 4 years ago #

    Where are you hosting your site? What themes do you have installed? That can make a big difference.

    *If WP 3.2.1 itself was vulnerable, you would see a lot more hacked sites.


  7. cometulm
    Posted 4 years ago #

    I have this happening on many different servers that are all secure. It was fine before the latest update but some of my sites have not been found yet it seems. Since I took them down no issues. I would love to see what the changes were to make it secure as I am going to have to change to another platform if not patched soon....

  8. Of course, it all comes down to clamping down the security of your WP installation.

    +1 for that and good job locking down your install. It takes effort but is definitely worth it.

    *If WP 3.2.1 itself was vulnerable, you would see a lot more hacked sites.

    Amen to that!

    Guys? WordPress is not your web server or hosting provider. It's just another software package that you are running.

    It's not easy to keep it all up to date, but reflexively blaming WordPress will a) not solve your problem and b) waste your time when you keep getting hacked.

    If you run or are using an insecure web server, if you don't keep up your versions of your web server software, your PHP, your support libraries, your Linux distro, etc. then you will get hacked. It's too easy for bots to find vulnerable installations; they're not targeting YOU, they are looking for low hanging fruit.

    There is hope and if you've the patience and are willing to learn new things then give these a read.

    Safety net: I tell you three times, backup, backup, backup. And learn how to restore. Practice restoring, with a good file and database backup you'll have the best way to fix things. Automated backups are your friend and I keep mine off the web server every night.


    Harden your installation. Your web server runs as a userid and there is not really a good reason to let all userids on your server be able to write to the WordPress directories. You can really lock down the file system but some nice features such as auto update will not work. You'll have to update your themes, plugins, and WordPress files by hand if you tighten the permissions too much. If you keep getting hacked, then that maybe the way to go.


    These are good starts. With a little system administration experience under your belt, you'll enjoy having a good WordPress install.

  9. vickie
    Posted 4 years ago #

    It seems to be similar to this topic raised yesterday - same malware but the security hole wasn't thumb.php here if it was a clean install with no plugins/themes


    Very interested to know if anyone's found any (encrypted) links in the database?

    Thank you

  10. cometulm
    Posted 4 years ago #

    Yeah, I see posts popping up all over the internet today about this.... Pretty much as soon as I hid the installs for the time being and corrected all htacess files it stopped. I am today going through and implementing many of the ideas offered here and will put one WP back up at a time to see where it is coming from..

    Thanks everyone for the info!

  11. rezwalker666
    Posted 4 years ago #

    Yeah, love the thread guys, keep the ideas coming. Let's stay strong and vigilant.

    I think the lesson here is that no one is immune, but you can minimize damage.

    Great points brought up by Jan, I was actually reading on those things last night. Unfortunately I was messing around with my htaccess file and permissions and broken stuff, but hey that's how you learn!

    Just like I learned how crucial backups can be.

    Btw, I'm having my VPS host look into the logs as we speak to see how the rewrites were injected, ill report my findings here.

  12. cometulm
    Posted 4 years ago #

  13. Got a new domain on a hot topic, installed newest version of WP (3.2.1) and it got hacked within minutes.

    Then the issue is your webhost. Or your pc.

    http://www.webhostingtalk.com/showthread.php?t=1073417 someone else had the same problem on the SAME host.

  14. cometulm
    Posted 4 years ago #

    They have no clue in that post as to what is even going on. It was a injection to the htacess file. If it was what that post said then it would still be happening to me. Also, that is not my host and I bet the others that had the issue are not on it either... Also, they did not even come close to figuring it out... Good try though.

  15. htaccess only protects you so far.

    Jan Dembowski nailed it in one.


    You need to lock down your site, not JUST your .htaccess but the files, your passwords, etc etc.

  16. cometulm
    Posted 4 years ago #

    All the other stuff was already completed. Thanks for your help.

  17. If it keeps happening after you've done that, scan your computer for viruses and consider moving to a new host.

  18. cometulm
    Posted 4 years ago #

    It has not. Thanks for your time. This was an injection issue this time from a Russian hacker into the htaccess file. It is a known injection that WP can be vulnerable to. Nothing new just a new person injecting. The new version is open to it and fixed with the tips offered here. With the upgrade or install it opened me up and is now fixed. I am sure if anyone reads this thread they could easily fix it for them selves. Thanks again.

  19. This was an injection issue this time from a Russian hacker into the htaccess file. It is a known injection that WP can be vulnerable to.

    Sorry for popping back in late, but that doesn't make sense.

    If someone has compromised your WordPress blog account or hosting account, then sure, being able to write to a .htaccess file is possible. But that means they got your password somehow and that's where the idea of checking your computer and host comes in.

    If you ran a plugin or theme that had insecure code (it happens, see http://wpcandy.com/reports/timthumb-security-vulnerability-discovered as a recent example) then it's an add-on and not WordPress. As I've said it happens and keeping up with this is work.

    If a stock 3.2.1 installation was vulnerable to what you say it is, then we'd see user installs falling down like dominoes and that's just not happening.

  20. It is a known injection that WP can be vulnerable to.

    Then stop posting and email the info to securityATwordpress.org ASAFP.

    But ... I've never heard of an injection like that, and as none of the suggestions here have to do with patching WordPress's core files, it's not WordPress.

    The fix looks like it's done by locking down your .htaccess. Which is server level security.

  21. cometulm
    Posted 4 years ago #

    LOL ok. Should be standard process as so many people out there do not know anything about that. Lucky you seem to. Most software like that comes with that integrated in already.

    We bow to you bro.

  22. Most software like that comes with that integrated in already.

    Actually no :) Most agnostic websoftware does not. It can't. It's not possible because every server is different. What works on Windows won't work on Linux etc and so on. Lighttpd and nginx and Apache all have different requirements.

    By Agnostic I mean software that can work on multiple server types, and NOT stuff like .net, which actually needs to be secured anyway outside of the app itself. Websoftware is not the same as your desktop software, and works by completely different rules.

  23. alamest
    Posted 4 years ago #

    I said my hosting provider and they have solved the problem for me.. guys you need to have good hosting provider all the time..

  24. SilverRayn5
    Posted 4 years ago #

    The problem I'm ran into is that the .htaccess files were modified. NOTE: they do not LOOK modified at first, but you should notice scroll bars which normally are not be there. That indicates that there is a lot more text in your file than you are currently seeing.

    In case your hosting provider doesn't help. Try this solution:

    First CHMOD your .htaccess file from 444 to 644. (It appears that the files were turned 444 after the edit that caused the problem.)

    Access (edit) your .htaccess file. MAKE A COPY! Then, clear it out. Add in something like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    AddType x-mapp-php5 .php

    # protect wpconfig.php
    <Files wp-config.php>
    order allow,deny
    deny from all

    # disable directory browsing
    Options All -Indexes

    #Protect .htaccess itself
    <Files ~ “^.*\.([Hh][Tt][Aa])”>
    order allow,deny
    deny from all
    satisfy all

    # END WordPress

    You can try checking this site http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676 or others if you want to see additional tips on how to secure your .htaccess file.

    Once you have saved your .htaccess file, save it.

    This should now have fixed the problem above.


  25. NissNass
    Posted 4 years ago #

    There's a hack that hit a couple weeks ago. Here's info about removing it. Search the directories it suggests for the files added by the malware:

  26. To be clear for folks, and to keep FUD down, this is not a CORE WordPress hack.

    TimThumb has a vulnerability. We have known this for a week now. If you are, or have ever, used it, you MUST delete it or upgrade it ASAP. AND you should still scan your files AND change your passwords.

    TimThumb 0-day vulnerability
    Affected themes
    SuperDomain information
    SuperDomain followup

    You can scan your site, free, at http://sitecheck.sucuri.net/scanner/

    It's safe to check. :)

  27. Devin Price
    Posted 4 years ago #

    One of my sites got hacked this weekend, so I wrote a post about how to look for the TimThumb scripts and clean up your WordPress install afterward: http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/

  28. Liv_H
    Posted 3 years ago #

    We have been using WordPress 3.2.1 for about a year now and all was well, until we recently changed our theme to Twenty ELeven. This combination makes it easy for hackers to install a trojan on our .htaccess file. They did it via FTP server. Does anyone have any other ideas on how to secure our site in addition to the below? Our hoster advised to upgrade the WP version but if we do that I am worried we will lose All in One SEO Pack and its configuration. Has anyone had any experience upgrading to latest version and keeping All in One SEO Pack stable?
    Our web hosting company suggested the following: change htaccess file to .txt, change all passwords (especially FTP server password), change default 'admin' in wordpress, disallow Directory Browsing, Secure wp-config.php, prevent script injection....and upgrading the version of WP to latest version.
    Hope with experience of 3.2.1 hack can assist here.

  29. esmi
    Forum Moderator
    Posted 3 years ago #

Topic Closed

This topic has been closed to new replies.

About this Topic