I’ve been doing a bit of work lately killing off the “TimThumb” attack in some WordPress blogs, which was due to the TimThumb image manipulation program that is installed in some WordPress themes and plugins. I’ve found it in the “IGIT Related Posts” plugin on the sites I have worked with, but it can be used in themes and other plugins. It’s not a fault in WordPress itself, but in the plugins and themes that have the vulnerability.
I use the Atahualpa theme in all of the WordPress blogs that I set up, and I know that the TimThumb code is not used in that theme. I did see one site where the owner had been using the IGIT plugin, which puts a ‘related posts’ list at the bottom of a post.
The first indication the owner found was a ‘header already sent’ error when he tried to log into the WP admin page. Here’s a list of things that I found helpful in finding and getting rid of the problem. Some of these are a bit technical, so tread carefully. And this list is not complete, as the attack is changing daily.
What to look for
1) Look for error messages when you try to get to your WordPress admin login page.
2) Do a View Source of your main/home page, and look at the end of the file for anything that is after what your normal footer looks like.
3) Look at the index.php file in the root of your WordPress site, and page through the entire file. I found one with lots (2000+) of blank lines, then the malicious code, then more blank lines.
4) Look at the wp-config.php and wp-settings.php files for anything out of the ordinary.
5) Look for any file called ‘timthumb.php’ throughout your web site folders.
6) Scan your web site with the tool located here: http://sitecheck.sucuri.net/scanner/
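Items 3, 4 and 5 above can be turned into a quick read-only audit that you run from a shell on the host. The script below is an added example, not code from the original post or from WordPress; it assumes the WordPress root is passed as the first argument, it only reports and never modifies a file, and the threshold of 100 consecutive blank lines and the eval/base64_decode/gzinflate/str_rot13 search terms are my own assumptions about what injected PHP tends to look like, not something the post states. With no argument it builds a small constructed sample site (a clean file, a padded index.php, a leftover timthumb.php) and audits that instead.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only audit that walks a
# WordPress install and reports the indicators described in the checklist.
# Assumes the site root is $1. Nothing here changes any file.

# Longest run of consecutive blank lines in a file. Injected code is often hidden
# below thousands of blank lines so it is not seen when the file is first opened.
max_blank_run() {
  awk 'BEGIN { run = 0; max = 0 }
       /^[ \t]*$/ { run++; if (run > max) max = run; next }
       { run = 0 }
       END { print max }' "$1"
}

# Indicator: any file named timthumb.php under the site root. Only this name is
# checked because it is the one the post names; a renamed copy would be missed.
find_timthumb() {
  find "$1" -type f -iname 'timthumb.php' 2>/dev/null
}

# Indicator: PHP files padded with more than $2 blank lines in a row (default 100,
# an assumed threshold). Prints "run-length path" for each hit.
scan_blank_padding() {
  root=$1; threshold=${2:-100}
  find "$root" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
    n=$(max_blank_run "$f")
    if [ "$n" -gt "$threshold" ]; then printf '%s %s\n' "$n" "$f"; fi
  done
  return 0
}

# Indicator: eval() fed by decoded or obfuscated strings. A hit is something to
# read by hand, not proof of compromise: legitimate plugins use base64_decode too.
scan_suspicious_php() {
  grep -rnE --include='*.php' \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' \
    "$1" 2>/dev/null
  return 0
}

# Constructed sample site for a dry run: one clean file, an index.php padded with
# 2000 blank lines followed by an eval() line (the base64 string is just a harmless
# echo statement), and a placeholder timthumb.php inside a plugin folder.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/igit-related-posts"
  printf '<?php\n// normal settings file\n$x = 1;\n' > "$d/wp-settings.php"
  {
    printf '<?php\n// normal index\nrequire "wp-blog-header.php";\n'
    awk 'BEGIN { for (i = 0; i < 2000; i++) print "" }'
    printf '<?php eval(base64_decode("ZWNobyAnc2FtcGxlJzs=")); ?>\n'
  } > "$d/index.php"
  printf '<?php // placeholder standing in for the real TimThumb script\n' \
    > "$d/wp-content/plugins/igit-related-posts/timthumb.php"
  printf '%s\n' "$d"
}

audit() {
  echo "== timthumb.php copies =="; find_timthumb "$1"
  echo "== PHP files padded with blank lines (run length, path) =="; scan_blank_padding "$1"
  echo "== eval/decode calls to review =="; scan_suspicious_php "$1"
}

if [ -n "$1" ]; then
  audit "$1"
else
  site=$(make_sample_site); audit "$site"; rm -rf "$site"
fi
```

Run it as `sh wp-audit.sh /path/to/wordpress` on the host. Treat every line it prints as a lead to open and read, not as a verdict: a padded index.php is almost always bad, but an eval() hit inside a well-known plugin may be legitimate, and the sucuri scanner in item 6 is a good second opinion.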
Some remediation that I have done
1) Disable, then delete, the “IGIT” or “TimThumb” plugins. Make sure you delete the files.
2) Change your administrative-level passwords.
3) If you have a user called ‘admin’, change that password. Then create a new administrative-level user, log in as that new user, and then delete the ‘admin’-named user.
4) Update all plugins.
5) Update your WordPress files to the latest version (this may fix the added code in index.php and other files).
6) Consider changing the WP database user/password (this is a bit complex, and if you do it wrong, you can break your blog).
7) Change the password for your host login.
8) Change the user/password for any FTP accounts (and get rid of any extra FTP accounts).
This attack is a bit widespread; at the moment it is not damaging, but that can change. There are some other security things you can do to lock down your WordPress site, some of them more technical than others, but all important.