WordPress TimThumb.php Exploit is a complete Bitch to Remove!

So I hate to admit it, but most of the sites that we host were affected by what is to-date the gnarliest WordPress exploit I have ever seen.  We have been harassed a few times by script douches who dick around with the most common WordPress exploits (namely, outdated versions of the software), but we just recently went through and made sure that ALL instances of WP were running current versions.  Well out of nowhere we realize that most of our sites are redirecting to Russian spam porn URLs from search engine results.  If you go directly to the site URLs, however, they resolve fine.

Upon some investigation into the .htaccess files, it turns out there was tons of malicious code being added to control the redirects.  The first thing I thought was: easy, just remove this junk code and we’re good.  So I spend 30 minutes editing .htaccess files on all my instances, and think that the problem is solved.  I come back a few hours later to find that ALL of my changes have been overwritten, and the malicious code is back in place.  Fucking frustrating!

Now Evan and I spent hours and hours digging through blog posts and WordPress forums to find some help here.  Even our web host (hostmonster) was absolutely no help, and most of the forum posts were just people referring others back to the same typical bullshit “how to clean your hacked wordpress site” posts that share the same general logic but don’t address the specific issue here.

So, back to more and more digging.  Couldn’t find anything on the specific URL we were redirecting to.  Grepped all of our sites to find it and it’s only mentioned in the .htaccess files.  Then, I stumble across a sliver of information that mentions the redirect is being handled by a script that may reference “Web Shell by oRb” OR a script called “FilesMan”.  I set to grepping for these references, and what do you know – we found FilesMan.  It was hidden in a php file hidden deep in a Joomla install (/modules dir if I remember correctly) and was called something like wp-12487372.php.

This little bastard had all of the code in it to handle the redirects and rewrites of EVERY .htaccess file on my server.

After finding that, we resolved the issue by deleting the file, cleaning out every .htaccess file back to their original states (backups!) and installing a WordPress plugin on every site that addresses the TimThumb.php vulnerability.  It’s called Tim Thumb Vulnerability Scanner, and I suggest you use it.  It will find any instance of the file and upgrade them to the latest versions that don’t have the exploit.  Then I started installing the Bulletproof Security WordPress Plugin that pretty much locks down your .htaccess files.  I’m determined to make sure this never happens again!

Here are some additional notes that I found from researching across the web on ways to resolve this .htaccess redirect issue:

  • These dirtbags will leave backdoors so that they can re-infect you hours after cleaning this out, in the form of files such as _wp_cache.php, sm3.php or wp.php.  If you look at these files you'll see they start with something like this:

        <?php # Web Shell by oRb
        $auth_pass = "";
        $color = "#df5";
        $default_action = 'FilesMan';
        $default_use_ajax = true;
        $default_charset = 'Windows-1251';

  • In my particular case, I had to search for “FilesMan” in order to find it.  YMMV
  • So the prudent thing to do would be to scan all .php files (or all files in general if you were really wanting to be careful) and search for something unique about this file, i.e. Windows-1251 or Web Shell by oRb, like so (the second -exec only fires for files where grep actually matched, so run it once without the rm part to review the hits before deleting anything):

        find . -name "*.php" -exec grep -H 'Web Shell by oRb' {} \; -exec rm {} \;

  • Use that TimThumb plugin to fix all your vulnerabilities!  OR:
  • Grab the updated timthumb: wget http://timthumb.googlecode.com/svn/trunk/timthumb.php
  • find . -name "*thumb*.php" -exec grep -H timthumb {} \; -exec cp timthumb.php {} \;
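As an added example (my own, not code from the original post), here is the grep-based search from the notes above turned into a small POSIX shell script that reports every file carrying the FilesMan / “Web Shell by oRb” markers instead of deleting on the first hit. The WEBROOT directory and the two sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: scan a web root for the
# FilesMan / "Web Shell by oRb" markers the notes above describe, and report
# hits instead of deleting on the first match. WEBROOT and the two sample
# files below are constructed for the demonstration.

# Strings the post names as distinctive of the backdoor's header.
MARKERS='Web Shell by oRb|FilesMan|Windows-1251'

# scan_webshells DIR: print path:line:text for every marker hit under DIR.
# All regular files are scanned, not just *.php, because the backdoor in the
# post was tucked into a Joomla modules directory under a random name.
scan_webshells() {
    find "$1" -type f -exec grep -Hn -E "$MARKERS" {} \; 2>/dev/null
}

# count_webshells DIR: number of distinct files that contain any marker.
count_webshells() {
    find "$1" -type f -exec grep -l -E "$MARKERS" {} \; 2>/dev/null | wc -l | tr -d ' '
}

# cleanup_sample: remove the constructed tree once done.
cleanup_sample() {
    rm -rf "$WEBROOT"
}

# --- constructed sample tree (assumption: a throwaway mktemp directory) ---
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/joomla/modules" "$WEBROOT/wp-content"

# constructed: mimics the header quoted in the post, under an innocuous name
cat > "$WEBROOT/joomla/modules/wp-12487372.php" <<'EOF'
<?php # Web Shell by oRb
$auth_pass = "";
$default_action = 'FilesMan';
$default_charset = 'Windows-1251';
EOF

# constructed: a benign file that must not be flagged
printf '<?php echo "hello";\n' > "$WEBROOT/wp-content/index.php"

echo "flagged files: $(count_webshells "$WEBROOT")"
scan_webshells "$WEBROOT"
```

Point WEBROOT at a real document root to scan a live host, review the reported paths by hand, and call cleanup_sample when you are done with the sample tree.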

A few other resources to help in your un-hacking 🙂
