Warning: Found suspicious file timthumb

Hey guys

I added this theme to BlogLines.co.za and after running sucuri_wp_check.php I get this err below

Please update the theme so it uses the new code for timthumb

Checking your WordPress install…

By Sucuri.net – Questions? Contact support@sucuri.net

Warning: Found suspicious file (timthumb or uploadify): ./wp-content/themes/network/library/functions/timthumb.php

  • Hakan
    • The Incredible Smush

    Hi Mark,

    timthumb.php had a security exploit which was discovered around August 2011, but in a short time it was fixed. If you have an old version (version 1 something, which has only one author name: Ben Gillbanks), you should update it using this link:

    http://code.google.com/p/timthumb/

    If you see two author names inside the file (Ben Gillbanks and Mark Maunder), then that is a false positive alarm.

    Edit: Sorry, I didn’t notice that you are talking about the Network theme. I’ve just checked the version; that is a safe timthumb.php. In other words, the warning is false. You can just ignore it.

    Cheers,

    Hakan

  • Mark de Scande
    • Syntax Hero

    @hakan Thank you for getting back to me so super fast :slight_smile:

    The problem is that after adding the theme to BlogLines.co.za and then running the script that gave me the report, the BlogLines.co.za system went down as modsec and csf locked the account :slight_frown: I have removed the cool theme and BlogLines.co.za was back up again :slight_smile:

    I am looking at the err logs to see if I can give you more info; all I can see is modsec blocks timthumb.php

    Anyway, if any other user picks up the same bug, let me know.

    PS @hakan is there no way to just use the theme without timthumb.php?

  • Mason
    • DEV MAN’s Sidekick

    Hiya Mark,

    Sucuri is always looking for the most recent version of timthumb, which is why the error comes up. The version provided with Network is totally safe (as Hakan mentioned). Since timthumb is updated more frequently than our own theme cycle, we won’t always have the latest version – you can get around this by downloading the latest version from the link Hakan provided and overwriting the version in our theme.

    Head over to network/library/functions/timthumb.php

    After that, you should be good to go with Sucuri :slight_smile:

    Thanks!

  • SooBahkDo
    • Syntax Hero

    Hello,

    You might also consider running the plugin TimThumb Vulnerability Scanner by Peter Butler which monitors your entire site for any instances of vulnerable versions and provides a one click update procedure to automatically replace the older versions with the newest version.

    Runs flawlessly for us, and when adding new plugins and themes for testing it quickly advises of vulnerable versions.

    We have also identified certain hackers that scan our sites for dozens of specific themes and plugins that I guess they know have the vulnerable versions of TimThumb included in them and they just hope we installed one of them.

    Best wishes,

    Phil D

  • Hakan
    • The Incredible Smush

    Hi Mark,

    I’ve just noticed that there are two lines at the top of the Network theme’s timthumb.php which don’t exist in the original file.

    So if you decide to update it, do not forget to add these two lines on the top of the new file:

    $multisite = get_request ('multisite', 'false');
    $blogdirid = get_request ('blogdirid', 0);

    Cheers

    Hakan


  • Hakan
    • The Incredible Smush

    Hi Mark,

    I think there is a misunderstanding about the current situation. There is no bug in the Network theme. This exploit only affects certain versions of timthumb (V1.33+ to V2.0-). In the Network theme an earlier version is used (V1.19).

    I worked on the results of this exploit and cleaned many sites. So I do know what I am talking about.

    The real bug is coming from your scanner program that cannot distinguish between safe and non-safe versions.

    Details are here:

    http://www.hebtech.co.uk/blog/timthumb-exploit-and-fix-package-tim-scan/

    But of course, the timthumb version will be updated in the first update of the Network theme.

    You asked for an immediate response and we just advised what you can do yourself at once, in case you don’t feel comfortable about it.

    Cheers,

    Hakan

  • Mark de Scande
    • Syntax Hero

    Ok guys, I am going to say this nicely; please take my comments to heart :slight_smile:

    1) The script http://timthumb.googlecode.com/svn/trunk/timthumb.php, look at lines 124 – 137, bad code

    2) Your script picks up errs

    3) Replace your script with this one http://pastiebin.com/?page=p&id=4fb751095ef28

    I still need to add these lines (have no idea of where to add them)

    $multisite = get_request ('multisite', 'false');

    $blogdirid = get_request ('blogdirid', 0);

    http://bloglines.co.za/tim-scan.php

    http://bloglines.co.za/sucuri_wp_check.php

    Please take note I did not write the code; it was used on one of my sites, games4.co.za / LeetPress: timthumb.php, and it works on their site

    http://games4.co.za/sucuri_wp_check.php

    So I guess what I am asking is to rework the timthumb.php please so it works with my server :slight_smile:

  • Mason
    • DEV MAN’s Sidekick

    Hiya folks,

    Just noting that we are looking into this. Obviously if we can add the defines via an external file/function the default script can be updated without any issues.

    We’ll have an update out that allows for this as soon as possible.

    Thanks!

  • Mark de Scande
    • Syntax Hero

    1) http://bloglines.co.za/sucuri_wp_check.php (No issues found. Completed.)

    2) http://bloglines.co.za/wp-admin/network/theme-install.php (used to upload to the site)

    3) I then network enabled the theme

    4) http://bloglines.co.za/sucuri_wp_check.php Then I ran it: Warning: Found suspicious file (timthumb or uploadify): ./wp-content/themes/network/library/functions/timthumb.php

    5) Activated it on http://cashin.bloglines.co.za/ and got a server err

    Server error

    The website encountered an error while retrieving http://cashin.bloglines.co.za/wp-admin/themes.php?activated=true. It may be down for maintenance or configured incorrectly.

    Here are some suggestions:

    Reload this webpage later.

    HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.

    Looking at the err logs I don’t see any errs

    6) Deleted the file and the site http://cashin.bloglines.co.za/ is back up

    7) http://bloglines.co.za/sucuri_wp_check.php (No issues found. Completed.)

    Thanking you kindly

    Mark de Scande

    optimize / scrutinize / re-energize

    Mark de Scande

    http://www.bloglines.co.za

    +27 (0) 723040097

    “procrastination is the thief of time”

  • Mark de Scande
    • Syntax Hero

    1) Checking your WordPress install…

    By Sucuri.net – Questions? Contact support@sucuri.net

    Warning: Found suspicious file (timthumb or uploadify): ./wp-content/themes/network/library/functions/timthumb.php

    2) 500 err still :slight_frown:

    Had a look at all logs and no luck

    Had a look at ModSec no luck

    [05-Jun-2012 03:26:06 UTC] WordPress database error Duplicate entry 'nortel' for key 'slug' for query INSERT INTO wp_site_terms (name,slug,type) VALUES ('Nortel','nortel','post_tag') made by wp_xmlrpc_server->serve_request, IXR_Server->IXR_Server, IXR_Server->serve, IXR_Server->call, wp_xmlrpc_server->mw_newPost, wp_insert_post, do_action, call_user_func_array, post_indexer_post_insert_update, SharDB->query

    [05-Jun-2012 06:46:06 UTC] WordPress database error Duplicate entry 'hifonics' for key 'slug' for query INSERT INTO wp_site_terms (name,slug,type) VALUES ('Hifonics','hifonics','post_tag') made by wp_xmlrpc_server->serve_request, IXR_Server->IXR_Server, IXR_Server->serve, IXR_Server->call, wp_xmlrpc_server->mw_newPost, wp_insert_post, do_action, call_user_func_array, post_indexer_post_insert_update, SharDB->query

    [05-Jun-2012 06:48:06 UTC] WordPress database error Duplicate entry 'vivitek' for key 'slug' for query INSERT INTO wp_site_terms (name,slug,type) VALUES ('Vivitek','vivitek','post_tag') made by wp_xmlrpc_server->serve_request, IXR_Server->IXR_Server, IXR_Server->serve, IXR_Server->call, wp_xmlrpc_server->mw_newPost, wp_insert_post, do_action, call_user_func_array, post_indexer_post_insert_update, SharDB->query

    [05-Jun-2012 06:50:53 UTC] PHP Warning: require(/home/blogline/public_html/wp-content/themes/network/library/functions/conditional-functions.php) [function.require]: failed to open stream: No such file or directory in /home/blogline/public_html/wp-content/themes/network/functions.php on line 22

    [05-Jun-2012 06:50:53 UTC] PHP Fatal error: require() [function.require]: Failed opening required '/home/blogline/public_html/wp-content/themes/network/library/functions/conditional-functions.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/blogline/public_html/wp-content/themes/network/functions.php on line 22

    [05-Jun-2012 06:50:54 UTC] PHP Warning: require(/home/blogline/public_html/wp-content/themes/network/library/functions/conditional-functions.php) [function.require]: failed to open stream: No such file or directory in /home/blogline/public_html/wp-content/themes/network/functions.php on line 22

    [05-Jun-2012 06:50:54 UTC] PHP Fatal error: require() [function.require]: Failed opening required '/home/blogline/public_html/wp-content/themes/network/library/functions/conditional-functions.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/blogline/public_html/wp-content/themes/network/functions.php on line 22

  • aecnu
    • WP Unicorn

    Greetings Mark,

    If it is only me complaining then let’s not stress about the cool Network theme; if it works on your WordPress setup then I would say my server setup is not compatible.

    Hey buddy, it would not be my opinion that your server setup is not compatible, but more likely or accurately that one of the security protocols is not compatible or giving a false positive.

    And FYI, there are indeed many folks running the Network theme and I have on occasion without issue.

    You know Mark I am always on the members side in resolving any issue they may have regardless of the reason.

    Cheers my friend, Joe

  • Mark de Scande
    • Syntax Hero

    @aecnu you are right :slight_smile: but I am not changing the server security to make my server compatible with one theme.

    It is easy: any theme should work out of the box with any server setup.

    Again, I love the theme, but I am not going to compromise my setup just for one theme. All the other themes from WPMUDEV work perfectly; in fact all themes work perfectly, so why change the server security for one theme?

    I hope that you see my point in all of this :slight_smile:

    PS one more customer

    https://premium.wpmudev.org/forums/topic/timthumb-exploit-in-network-theme

  • aecnu
    • WP Unicorn

    Greetings Mark,

    Thank you for your input as always and as you are probably aware I am serious when it comes to server security like you :slight_smile: for obvious reasons on both of our interests.

    I have checked into the link and it certainly is telling – the host report says:

    To prevent being compromised, we advise you update all instances of timthumb.php to version 2.0, or patch the existing vulnerable files. Note that patching the files requires more in-depth knowledge of the PHP scripting language.

    The key in their statement for Network is “update all instances of timthumb.php to version 2.0”, and the version that comes with the Network theme is indeed version 2.0 – I checked it myself.

    Please advise if you are indeed seeing a different version than 2.0?

    Network –> Library –> Function –> timthumb.php

    Cheers, Joe
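    Both Hakan's point (a scanner that warns on the file name alone cannot tell a safe copy from a vulnerable one) and the host report Joe quotes (update every copy to at least version 2.0) come down to reading the version each copy of timthumb.php declares. The following is an added example, not code from the thread or from Sucuri's checker: a small Python scanner that walks a WordPress tree, finds TimThumb copies by content rather than by name, parses the `define ('VERSION', ...)` line (assumption: the copies being scanned still carry that define) and flags anything below 2.0.

```python
import re
from pathlib import Path

# Minimum version the host report in the thread asks for; lower copies get flagged.
MIN_SAFE = (2, 0)

# TimThumb declares its version as  define ('VERSION', '2.8.10');  (assumption:
# the define is present; whitespace and quote style vary between releases).
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")


def parse_version(text):
    """Return the declared TimThumb version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).strip(".").split("."))
    return parts + (0,) * (2 - len(parts))  # pad '2' to (2, 0) for comparison


def classify(text):
    """'vulnerable', 'ok' or 'unknown' for the contents of one PHP file."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # name matched but no version: needs a manual look
    return "ok" if v >= MIN_SAFE else "vulnerable"


def is_timthumb(name, text):
    """Match on content, not just the file name, so renamed copies are found too."""
    return name.lower() == "timthumb.php" or ("timthumb" in text.lower() and VERSION_RE.search(text) is not None)


def scan_files(files):
    """files: iterable of (name, text). Returns [(name, version, status), ...]."""
    return [(name, parse_version(text), classify(text)) for name, text in files if is_timthumb(name, text)]


def scan(root):
    """Walk a WordPress install (e.g. wp-content) and report every TimThumb copy."""
    def read_all():
        for path in Path(root).rglob("*.php"):
            try:
                yield str(path), path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return scan_files(read_all())


if __name__ == "__main__":
    import sys
    for name, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version} {name}")
```

Run it as `python scan_timthumb.py wp-content`; a `vulnerable` line is a copy to overwrite with the current release (remembering the two `get_request` lines Hakan mentioned for the Network theme), while `unknown` means a copy whose version could not be read and should be checked by hand.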

  • Mark de Scande
    • Syntax Hero

    Yes, it is version 2.0

    The bottom line is the theme doesn’t work on my server.

    I have tried everything and I can’t get it to work.

    It is only my server and Bluehost complaining, so I would say our server security is set up super tight; I mean we have the following mods on the server

    1) CSF

    2) suhosin

    3) ModSec

    Lots of tricks.

    To any of the other guys that are running this theme: if you also have problems, let us know.

    I have set this ticket to close

    Thank you guys again for helping out.
