how to fix issue timthumb.php and thumb.php
Posted by gold2, 02-18-2012, 08:12 AM |
Hello
My server is mostly stable, but suddenly the server got overloaded because of the image screen. When I suspend this site, another site suddenly gets this issue after some hours.
Please check the attached image.
I have CentOS 6.2 i686
CPngnix
Last edited by gold2; 02-18-2012 at 08:18 AM.
Posted by pmabraham, 02-18-2012, 12:25 PM |
Good day:
The latest timthumb.php can be found at http://timthumb.googlecode.com/svn/trunk/timthumb.php
Make sure any site using timthumb.php has an up to date version.
Thank you.
Posted by tvcnet, 02-18-2012, 08:56 PM |
Hi,
This timthumb exploit started back in August 2011.
WordPress is the most common place where timthumb scripts are installed, so hackers are once again taking advantage of the situation (now an over five months old issue).
When clients call me to fix their WordPress sites, I usually run this command first.
find `pwd` -type f \( -iname thumb.php -or -iname timthumb.php \) -exec grep -HP 'define ?\(.VERSION' {} \;
Consider any timthumb.php script older than 2.0 hackable. Each one older than 2.0 will need to be replaced.
Best Wishes,
Jim Walker
Posted by gold2, 02-19-2012, 02:54 AM |
Thank you for the clarification.
I just ran this command, but after some seconds it found nothing:
root@server2 [~]# find `pwd` -type f \( -iname thumb.php -or -iname timthumb.php \) -exec grep -HP 'define ?\(.VERSION' {} \;
root@server2 [~]#
Posted by brianoz, 02-19-2012, 08:43 AM |
I was about to ask whether anyone knew which versions would cause trouble - thanks for that answer.
Is it sufficient just to overwrite any version of timthumb.php on the server with a new version?
Posted by brianoz, 02-19-2012, 08:45 AM |
Run it from /home, i.e. run this first: or simply change the find `pwd` part to be find /home
Posted by pmabraham, 02-19-2012, 11:38 AM |
Good day:
http://timthumb.googlecode.com/svn/trunk/timthumb.php is the most current version.
If you are using WordPress, then log into WordPress as the admin user, and perform any updates to WordPress, themes, plugins, etc.
Then run the find command (well written, except I would have simplified it with just a . in place of the call to pwd --> find . -type f \( -iname thumb.php -or -iname timthumb.php \) -exec grep -HP 'define ?\(.VERSION' {} \; ) to see what it finds.
Of note, Thesis might show up, and if so, at least for one of our clients who uses Thesis (WordPress Framework), the version, while lower than 2.x, is secured against these types of attacks / vulnerability.
Thank you.
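As an added example, not code from this thread: a shell function that does what Jim's find/grep one-liner and pmabraham's variant do, but also pulls out the VERSION value, flags copies below 2.0 together with copies that declare no VERSION at all (which the grep alone silently skips), and takes the root to scan as an argument so it can be pointed at /home as brianoz suggests. The sample tree it scans is constructed here; the file names and versions in it are illustrative only.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for thumb.php /
# timthumb.php and report every copy whose declared VERSION is below 2.0
# (the threshold the posts call hackable) or that declares no VERSION.
# Output: one "<path><TAB><version|unknown>" line per flagged file.
scan_timthumb() {
    find "$1" -type f \( -iname thumb.php -o -iname timthumb.php \) 2>/dev/null |
    while IFS= read -r f; do
        # Pull the quoted value out of e.g.  define ('VERSION', '2.8.10');
        ver=$(grep -o -E "define *\( *['\"]VERSION['\"] *, *['\"][0-9][0-9.]*['\"]" "$f" |
              head -n 1 | sed -E "s/.*['\"]([0-9][0-9.]*)['\"]$/\1/")
        if [ -z "$ver" ]; then
            printf '%s\tunknown\n' "$f"          # no VERSION define: treat as suspect
        elif [ "${ver%%.*}" -lt 2 ]; then
            printf '%s\t%s\n' "$f" "$ver"        # major version below 2: replace it
        fi
    done
}

# Constructed sample tree (not real site data) so the scanner runs offline:
# one pre-2.0 copy, one current copy, one stripped copy with no VERSION.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content/themes/a" "$d/site2/wp-content/themes/b" "$d/site3/plugins/c"
    printf "<?php\ndefine ('VERSION', '1.32');\n"  > "$d/site1/wp-content/themes/a/timthumb.php"
    printf "<?php\ndefine('VERSION', '2.8.10');\n" > "$d/site2/wp-content/themes/b/thumb.php"
    printf "<?php\n// stripped copy, no VERSION define\n" > "$d/site3/plugins/c/timthumb.php"
    echo "$d"
}

# Demo run over the constructed tree; on a real server use e.g. scan_timthumb /home
sample=$(make_sample_tree)
scan_timthumb "$sample"
rm -rf "$sample"
```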
Posted by fshagan, 02-19-2012, 02:05 PM |
Are you getting slammed with requests for "TimThumb" by hackers looking for vulnerabilities, even though you do not have the script on your site? That looks like what's happening to me.
It doesn't matter how updated it is if you are getting what amounts to DDoS-level requests for the old, un-updated file. To protect against that, a good set of mod_security rules will help block the IPs that try to hammer your server.
Posted by gold2, 02-21-2012, 12:42 PM |
Thank you all, guys, for the replies.
Please check the attachment: there are still attacks on timthumb.php or thumb.php, but when I check the same location I can't find any of these locations,
and I can't find any thumb.php or timthumb.php on the whole account.
?????????