how to fix issue timthumb.php and thumb.php

Posted by gold2, 02-18-2012, 08:12 AM
Hello. My server is mostly stable, but suddenly it got overloaded; see the attached screenshot. When I suspend this site, another site suddenly gets the same issue after some hours. Please check the attached image. I have CentOS 6.2 i686, CPngnix.

Posted by pmabraham, 02-18-2012, 12:25 PM
Good day: The latest timthumb.php can be found at http://timthumb.googlecode.com/svn/trunk/timthumb.php. Make sure any site using timthumb.php has an up-to-date version. Thank you.

Posted by tvcnet, 02-18-2012, 08:56 PM
Hi, this timthumb exploit started back in August 2011. WordPress is the most common place where timthumb scripts are installed, so hackers are once again taking advantage of the situation (now an over five months old issue). When clients call me to fix their WordPress sites, I usually run this command first:

    find `pwd` -type f \( -iname thumb.php -or -iname timthumb.php \) -exec grep -HP 'define ?\(.VERSION' {} \;

Consider any timthumb.php script older than 2.0 hackable. Each one older than 2.0 will need to be replaced. Best Wishes, Jim Walker

Posted by gold2, 02-19-2012, 02:54 AM
Thank you for the clarification. I just ran this command, but after a few seconds it had not found anything:

    root@server2 [~]# find `pwd` -type f \( -iname thumb.php -or -iname timthumb.php \) -exec grep -HP 'define ?\(.VERSION' {} \;
    root@server2 [~]#

Posted by brianoz, 02-19-2012, 08:43 AM
I was about to ask whether anyone knew which versions would cause trouble - thanks for that answer. Is it sufficient just to overwrite any version of timthumb.php on the server with a new version?

Posted by brianoz, 02-19-2012, 08:45 AM
Run it from /home, i.e. run this first: or simply change the find `pwd` part to be find /home

Posted by pmabraham, 02-19-2012, 11:38 AM
Good day: http://timthumb.googlecode.com/svn/trunk/timthumb.php is the most current version. If you are using WordPress, log into WordPress as the admin user and perform any updates to WordPress, themes, plugins, etc. Then run the find command (well written, except I would have simplified it with just a . in place of the call to pwd):

    find . -type f \( -iname thumb.php -or -iname timthumb.php \) -exec grep -HP 'define ?\(.VERSION' {} \;

to see what it finds. Of note, Thesis might show up; if so, at least for one of our clients who uses Thesis (a WordPress framework), the version, while lower than 2.x, is secured against these types of attacks / vulnerability. Thank you.
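An added example, not posted by anyone in this thread: it wraps the find/grep check from the posts above into a script that also pulls the VERSION literal out of each hit and flags copies older than 2.0 (the threshold given above) or with no VERSION at all. It assumes only POSIX find, grep, sed and cut, uses POSIX -o rather than GNU -or, and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Scan a document root for copies of timthumb.php / thumb.php and report the
# VERSION each one defines. Anything below 2.0, or with no VERSION define,
# is flagged as needing replacement.

# Print "path<TAB>version<TAB>OUTDATED|ok|unknown" for every copy found.
scan_timthumb() {
    find "$1" -type f \( -iname thumb.php -o -iname timthumb.php \) |
    while IFS= read -r f; do
        # Pull the version literal out of a line like: define ('VERSION', '2.8.10');
        ver=$(grep -oE "define ?\( ?['\"]VERSION['\"] ?, ?['\"][0-9.]+" "$f" |
              head -n 1 | sed -E "s/.*['\"]//")
        major=$(printf '%s' "$ver" | cut -d. -f1)
        if [ -z "$ver" ]; then
            status=unknown            # no VERSION define: treat as suspect
        elif [ "${major:-0}" -lt 2 ]; then
            status=OUTDATED           # older than 2.0 per the thread
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$f" "${ver:-?}" "$status"
    done
}

# Count the copies that need replacing (outdated or version unknown).
count_suspect() {
    scan_timthumb "$1" | grep -c -E '(OUTDATED|unknown)$'
}

# Constructed sample tree (not a real account) so the scan can run offline:
# one old copy, one current copy, one copy with no VERSION at all.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content/themes/t" "$d/site2/plugins/p" "$d/site3"
    printf '<?php\ndefine ("VERSION", "1.34");\n' > "$d/site1/wp-content/themes/t/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$d/site2/plugins/p/thumb.php"
    printf '<?php\necho "no version here";\n' > "$d/site3/TimThumb.php"
    echo "$d"
}

# Usage: sh scan.sh --demo      (runs against the constructed tree)
#        scan_timthumb /home    (after sourcing, on a real document root)
if [ "${1:-}" = "--demo" ]; then
    scan_timthumb "$(make_sample_tree)"
fi
```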

Posted by fshagan, 02-19-2012, 02:05 PM
Are you getting slammed with requests for "TimThumb" by hackers looking for vulnerabilities, even though you do not have the script on your site? That looks like what's happening to me. It doesn't matter how updated it is if you are getting what amounts to DDoS-level requests for the old, un-updated file. To protect against that, a good set of mod_security rules will help block the IPs that try to hammer your server.

Posted by gold2, 02-21-2012, 12:42 PM
Thank you all guys for the replies. Please check the attachment: there are still attacks on timthumb.php or thumb.php, but when I check the same location I can't find any of these paths, and I can't find any thumb.php or timthumb.php on the whole account?????????