Have you seen a loss in website traffic lately? Have a WordPress site? There is a hack that tells search engines your site has moved but causes your website to act normal when humans visit, making it very difficult to notice until it’s too late.
The hack is centered around the TimThumb.php vulnerability and allows a hacker to insert code on your server that would grant control of your site. Many WordPress themes (free and commercial) come bundled with this vulnerable file which was discovered by Mark Maunder on August 1st, 2011.
Woo Themes is one such company that came packaged with the timthumb exploit. Although they made an announcement on their website shortly after the discovery, they didn’t send out the following email notice until August 18th! (17 days later):
We’ve got a couple of very important announcements for you, so we’re hoping to steal 2 minutes of your time to keep you up-to-date on a few new things…
Recent TimThumb Security Issue
TimThumb (or thumb.php as you know it) – the open-source script we use in all of our themes to do dynamic image resizing – recently uncovered a critical security flaw in the script. This flaw is vulnerable to a potential hacker that could gain access to your server. This affects all of our existing themes and thus everyone that are currently using our themes.
Luckily we’ve moved very quickly and the script authors (along with the greater WordPress community) released an update which fixes this vulnerability. We have released updates to all of our themes and we highly recommend that you follow this guide and the steps set out in that to secure your theme / website.
Whilst this is a major security flaw, it should be treated in the same way as previous security issues with WordPress core. Most of the time when WordPress releases a major new version (i.e. 3.2), they will follow it up with an incremental release (i.e. 3.2.1) to fix security vulnerabilities. No need to panic thus, but you should act swiftly as we’ve described here.
If you have any questions, please e-mail us ASAP and we’d be happy to assist you in this regard.
NOTE: We recently worked with WordPress lead developer, Mark Jaquith, who did a full security audit of the WooFramework and we’ve implemented a couple of fixes in recent weeks. So beyond the above vulnerability, you can rest assured that your themes are very secure. More info here.
So, how do you know you’ve been hacked? If you have, then in one of the files you’ll see a base64 string that is massive in size (many, many lines). You can search for this through ssh using this command “grep -r base64_decode *” from your public_html (or other web directory).
Chances are you’ll also notice your htaccess file has redirect code in it that is hidden on the far right of the file with spaces used to push it out of site!
Fix the TimThumb Vulnerability by downloading the latest version at code.google.com/p/timthumb/
So, if you’re not sure your site’s theme came bundled with thumb.php or timthumb.php, you better stop what you’re doing now and search for the vulnerability before it’s too late. Malicious 301’s (permanent redirects) can kill a sites ranking and internet sales in a single day while recovery could take forever!