TimThumb Hack Check Script

I was recently a victim of the timthumb vulnerability. At first I noticed some rogue PHP in all my index.php files, which I cleaned up. But it turned out they had already got in enough to re-hack in no time at all. This time it was my javascript files which all had some obfuscated code in them, causing every page load to make a request to some random site.

I had made some modifications to wordpress themes and such, so fixing it was not a simple case of nuking and re-installing everything. In the end I created local copies of all my sites with a fresh wordpress and fresh themes. Then I committed those to a local git repo and pulled down the live stuff over the top. Then a simple “git diff” (and a few hours of manually checking the differences) and I was pretty confident everything was clean.

I made a note of all the tricks that the hackers had tried, so I wrote a little bash script to check for any of those. Here it is, free for all to use:

#!/bin/bash
# Run this from the web root of the site you want to check.
# Each section prints a header, then any matching files.

echo -e "===BASE 64 DECODE==="
grep -R "base64_decode" *

echo -e "\n\n===JS var _0x HACK==="
grep -R "var _0x" *

echo -e "\n\n===UPD.PHP HACK FILE==="
find . -name "upd.php"

echo -e "\n\n===PINGNOW (USER SNIFFING SCRIPT)==="
grep -R "pingnow" *

echo -e "\n\n===TIMTHUMB==="
find . -name "*timthumb*"

echo -e "\n\n===hexdump_lines (IN HACK SCRIPT)==="
grep -R "hexdump_lines" *

I’ll go through these in order:

grep -R "base64_decode" *

I found this in all my index.php files with some crazy obfuscated code. This will almost certainly pull up other files on your server, but check each one to make sure it looks legit.

grep -R "var _0x" *

This was in a load of my javascript files the second time. You should have no results here (apart from the checking script) on a clean server.

find . -name "upd.php"

I found some weird files called upd.php. These were full-on massive PHP scripts. As far as I'm aware they pretty much gave a remote user in Russia shell access (via a web browser) to the entire server. If you find any of these files, check to make sure they are yours and not this hacking script.

grep -R "pingnow" *

This was found in settings.php - it was a user sniffing script. Make sure that all your wordpress users change their username and password, then get rid of the sniffing code wherever it is found.

find . -name "*timthumb*"

First of all, delete all the timthumb tmp files that already exist. These could easily be compromised. Then running this script periodically should not turn up anything unexpected.

grep -R "hexdump_lines" *

This is a line from the hacking script I mentioned above. In case they have renamed the files to something other than upd.php, run this to find the code potentially hidden in other files.

I now have this script running as a cron job to email me every day so I can check everything is still fine and dandy. Looks like I'm still clean so far.

One final point - make sure you check EVERY LINE of files. I found a few where you would reach what looks like the end of the file, but they have added a couple of hundred blank lines, then their hacking code right at the bottom.
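As an added example (not the post's own script), here is a POSIX sh version of the same indicator checks that also flags the trick just described: a long run of blank lines followed by more code. The MIN_BLANK threshold and the sample tree it builds are assumptions/constructed data, not real site files.

```shell
#!/bin/sh
# Added example, not the post's script: scan a WordPress tree for the indicator
# strings the post lists, and for the "hundreds of blank lines, then payload" trick.

# Indicator strings taken from the post; one fixed-string pattern per line for grep -F.
INDICATORS='base64_decode
var _0x
pingnow
hexdump_lines'

# List files under $1 containing any indicator string. Exit 0 if any hit, 1 if none.
scan_indicators() {
  grep -RlF -- "$INDICATORS" "$1" 2>/dev/null | grep .
}

# Exit 0 if $1 has a run of at least MIN_BLANK blank lines followed by more content,
# i.e. code hidden below what looks like the end of the file (threshold is an assumption).
MIN_BLANK=${MIN_BLANK:-100}
padded_payload() {
  awk -v min="$MIN_BLANK" '
    /^[ \t\r]*$/ { run++; next }
    { if (run >= min) found = 1; run = 0 }
    END { exit !found }' "$1"
}

# List .php and .js files under $1 that trip padded_payload. Exit 0 if any, 1 if none.
scan_padding() {
  find "$1" -type f \( -name '*.php' -o -name '*.js' \) | while read -r f; do
    padded_payload "$f" && echo "$f"
  done | grep .
}

# Build a small constructed sample tree (not real site files) for a demonstration run.
build_sample_tree() {
  mkdir -p "$1/wp-content/themes/x"
  printf '<?php get_header();\n' > "$1/wp-content/themes/x/index.php"
  printf 'function f(){}\nvar _0x12ab = ["a"];\n' > "$1/wp-content/themes/x/script.js"
  { printf '<?php get_footer();\n'; awk 'BEGIN { for (i = 0; i < 150; i++) print "" }'
    printf '<?php /* constructed hidden block */\n'; } > "$1/wp-content/themes/x/footer.php"
}

tmp=$(mktemp -d)
build_sample_tree "$tmp"
echo "=== indicator hits ===";  scan_indicators "$tmp" || echo "(none)"
echo "=== padded payloads ==="; scan_padding "$tmp"    || echo "(none)"
rm -rf "$tmp"
```

Point it at a real web root by replacing the demo block at the bottom with `scan_indicators /path/to/site; scan_padding /path/to/site`, and drop it into cron as the post does.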