The TimThumb Google warnings and hack attacks solution

If Google is showing your site as malicious or infected and spreading malware, the TimThumb vulnerability must have been exploited on your blog.

Malware warnings by Google counter wordpress on your blog

Here is what you can do to get this fixed.

To prevent your site from being blocked and to restore it to normal, do the following:

  1. Remove all old plugins and themes you aren’t using.
  2. Upgrade all your plugins and themes to the latest versions and make sure none of them use an old version of Timthumb.
  3. Clean any Timthumb cache directories.
  4. Upgrade your entire WordPress installation, even if it’s at the latest version. This overwrites all WordPress files.
  5. Search your directory tree for any remaining suspicious files that contain base64_decode wrapped in an eval() statement or URL encoded data. More info on how to do this search here. Delete any files you find. NOTE: If you don’t find any additional infected files in this step, it’s highly likely that your site is not clean. Every attack that I’ve seen so far using Timthumb gets in by uploading a file into the cache directory and then uploads an additional file into a writeable directory on the blog to ensure continued access once the cache is cleaned. Make sure you find that additional file.
  6. Make sure the only directory that is writeable in your WordPress installation is wp-content/. Directories like wp-admin and wp-includes should be read only by the web server.

Links for fixing your website:

http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/

You can grab the latest TimThumb.php code here:

http://timthumb.googlecode.com/svn/trunk/timthumb.php

http://25yearsofprogramming.com/blog/20071223.htm

http://wordpress.org/support/topic/malware-counter-wordpresscom-warning-on-chrome

http://www.nixta.co.uk/2011/08/news-major-wordpress-hack-via-timthumb-upgrade-immediately/

To repair a blocked site

    1. Complete the steps above.
    2. Request a relisting through Google Webmaster Tools. Info on being relisted here.
    3. The process takes 24 hours to be cleaned.
    4. You can find out more about Google’s Malware list and safe browsing report on this page.

If your site has been hacked due to the TimThumb vulnerability, it’s quite likely that Google is blocking your site when you view it through the Chrome browser, and you see the following 2 images below.

If you try to visit your site, you are confronted with the following image:

“This site may harm your computer”

These sites are listed with the warning that “This site may harm your computer” in Google’s search results and Google blocks access to the site with a warning forcing you to manually type the URL into your location bar if you really do want to visit the site:

Plugin affected by TimThumb attack: IGIT Related Posts

IGIT Related Posts With Thumb Image After Posts version 3.9.7 with WordPress 3.2.1 is vulnerable to phpRemoteView Attack. 2 of client’s sites were compromised recently. We checked it thoroughly and found the IGIT plugin is the source of injection. More details here

Some sites have been repeatedly hacked with backdoors placed on the server. Malware entry: MW:ANOMALY:SP7 can be seen on some . It places an EVAL script in many places throughout sites.

There have been instances of the files from the theme getting infected with malware code, especially files like index.php and footer.php. Sometimes the real culprit is hiding in the .htaccess file in the root folder. Basically, the hacker rewrites the file with mod_rewrite rules that redirect to Russian sites.

Check the .htaccess file (for those not in the know: select the option to view hidden files in your FTP software, get rid of the dot at the beginning, download and open in a text editor; when you make changes and upload, don’t forget to rename it back to .htaccess).

At first, it looks normal, but if you scroll down or to the right, you see a whole bunch of rewrite conditions, pointing to some hacker site, or whatever.

Here’s a WP forum post on the issue. Goes into more detail.
http://wordpress.org/support/topic/plugin-add-link-to-facebook-links-are-hijacked-to-softwarepromoru
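
The file search from step 5 and the .htaccess check described above, as an added example (not code from this post or from the linked articles): a Python scanner that flags PHP files containing eval() wrapped around base64_decode or long URL-encoded runs, and .htaccess lines that are pushed out of view or rewrite to an absolute URL. All function names and the thresholds (20 encoded bytes, 40 columns of indent, 10 blank lines) are assumptions chosen for illustration; every hit is a candidate for manual review, not proof of infection.

```python
import os
import re
import sys

# eval( ... base64_decode( with optional wrappers such as gzinflate( in between
EVAL_B64 = re.compile(rb"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I)
# Long run of URL-encoded bytes; the threshold of 20 is an assumption
URLENC = re.compile(rb"(?:%[0-9a-f]{2}){20,}", re.I)
# RewriteRule whose line contains an absolute URL (may be legitimate, review it)
EXTERNAL = re.compile(r"^\s*RewriteRule\b.*https?://", re.I)
PHP_CHECKS = (("eval-base64", EVAL_B64), ("url-encoded-blob", URLENC))

def check_php(data):
    """Return the labels of the step 5 indicators found in a PHP file's bytes."""
    return [label for label, rx in PHP_CHECKS if rx.search(data)]

def check_htaccess(text, max_indent=40, max_blank=10):
    """Return (line_no, reason) for lines pushed out of view or rewriting out."""
    hits, blank = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank += 1
            continue
        indent = len(line) - len(line.lstrip())
        # Content far to the right, or after a long run of empty lines
        if indent > max_indent or blank > max_blank:
            hits.append((no, "hidden-line"))
        if EXTERNAL.match(line):
            hits.append((no, "external-rewrite"))
        blank = 0
    return hits

def scan(root):
    """Walk a WordPress tree and return {path: findings} for flagged files."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.lower().endswith(".php"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name == ".htaccess":
                found = check_htaccess(data.decode("utf-8", "replace"))
            else:
                found = check_php(data)
            if found:
                report[path] = found
    return report

if __name__ == "__main__":
    print(*sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()), sep="\n")
```

Run it with the WordPress root as the only argument, and compare anything it lists against a freshly downloaded copy of the same plugin, theme or core file before deleting.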

Also found an extra file in the theme script folder that didn’t belong there. Deleted it. Deleted them. Then checked every plugin that was active against freshly downloaded copies of the plugin. Found 3 extra files in the Akismet folder that didn’t belong there.

Basically, then replace your WP and theme files, delete anything not in use (themes, plugins). Basically, harden your site. See WordPress advice on it:
http://codex.wordpress.org/FAQ_My_site_was_hacked

 

 
