• Resolved rezwalker666

    (@rezwalker666)


    Hi guys,

    Been using WP for about a year now, loving it.

    Today though, has been a nightmare. Got a new domain on a hot topic, installed newest version of WP (3.2.1) and it got hacked within minutes. I had NO plugins, NO special themes.

    Got attacked by some malware URLs:

    ErrorDocument 400 generation-internet.ru/pcollection/index.php
    ErrorDocument 401 generation-internet.ru/pcollection/index.php
    ErrorDocument 403 generation-internet.ru/pcollection/index.php
    ErrorDocument 404 generation-internet.ru/pcollection/index.php

    [Mod. – Delinked to not make them clickable. Let us not help the spammers.]

    Pretty ridiculous, and very frustrating.

    I’d like to know how this got in my htaccess file exactly… Working with my VPS hosting company but it’s not going anywhere.

    I’ve re-installed it several times, I’ve even installed the Secure WordPress plugin, and still infected.

Viewing 13 replies - 16 through 28 (of 28 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    If it keeps happening after you’ve done that, scan your computer for viruses and consider moving to a new host.

    It has not. Thanks for your time. This was an injection issue this time from a Russian hacker into the htaccess file. It is a known injection that WP can be vulnerable to. Nothing new just a new person injecting. The new version is open to it and fixed with the tips offered here. With the upgrade or install it opened me up and is now fixed. I am sure if anyone reads this thread they could easily fix it for themselves. Thanks again.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    This was an injection issue this time from a Russian hacker into the htaccess file. It is a known injection that WP can be vulnerable to.

    Sorry for popping back in late, but that doesn’t make sense.

    If someone has compromised your WordPress blog account or hosting account, then sure, being able to write to a .htaccess file is possible. But that means they got your password somehow and that’s where the idea of checking your computer and host comes in.

    If you ran a plugin or theme that had insecure code (it happens, see https://wpcandy.com/reports/timthumb-security-vulnerability-discovered as a recent example) then it’s an add-on and not WordPress. As I’ve said it happens and keeping up with this is work.

    If a stock 3.2.1 installation was vulnerable to what you say it is, then we’d see user installs falling down like dominoes and that’s just not happening.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    It is a known injection that WP can be vulnerable to.

    Then stop posting and email the info to securityATwww.ads-software.com ASAFP.

    But … I’ve never heard of an injection like that, and as none of the suggestions here have to do with patching WordPress’s core files, it’s not WordPress.

    The fix looks like it’s done by locking down your .htaccess. Which is server level security.

    LOL ok. Should be standard process as so many people out there do not know anything about that. Lucky you seem to. Most software like that comes with that integrated in already.

    We bow to you bro.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Most software like that comes with that integrated in already.

    Actually no. Most agnostic websoftware does not. It can’t. It’s not possible because every server is different. What works on Windows won’t work on Linux etc and so on. Lighttpd and nginx and Apache all have different requirements.

    By Agnostic I mean software that can work on multiple server types, and NOT stuff like .net, which actually needs to be secured anyway outside of the app itself. Websoftware is not the same as your desktop software, and works by completely different rules.

    I said my hosting provider and they have solved the problem for me. Guys, you need to have a good hosting provider all the time.

    The problem I ran into is that the .htaccess files were modified. NOTE: they do not LOOK modified at first, but you should notice scroll bars which normally are not there. That indicates that there is a lot more text in your file than you are currently seeing.

    In case your hosting provider doesn’t help. Try this solution:

    First CHMOD your .htaccess file from 444 to 644. (It appears that the files were turned 444 after the edit that caused the problem.)

    Access (edit) your .htaccess file. MAKE A COPY! Then, clear it out. Add in something like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    AddType x-mapp-php5 .php

    # protect wpconfig.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # disable directory browsing
    Options All -Indexes

    #Protect .htaccess itself
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

    # END WordPress

    You can try checking this site https://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676 or others if you want to see additional tips on how to secure your .htaccess file.

    Once you have saved your .htaccess file, save it.

    This should now have fixed the problem above.

    -Kimberly
    https://www.silverwebdesigns.net
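
A defender-side check for the symptoms reported in this thread (ErrorDocument lines pointing at another host, content hidden behind whitespace padding, files left at mode 444), as an added example that is not part of any poster's reply. The function names, thresholds and the sample host `injected.example` are assumptions; a 444 mode alone is only a hint, since some admins set it deliberately.

```python
import os
import re

# ErrorDocument whose target starts with a hostname (with or without a scheme)
# rather than a local "/path" or a quoted message.
REMOTE_ERRDOC = re.compile(
    r"^\s*ErrorDocument\s+(\d{3})\s+(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
PAD_LINES = 20  # assumed threshold: consecutive blank lines before more content
PAD_COLS = 80   # assumed threshold: leading whitespace on a single line

def audit_htaccess(text, mode=None):
    """Return (line_no, reason) findings for one .htaccess body."""
    findings, blank_run = [], 0
    if mode is not None and (mode & 0o777) == 0o444:
        findings.append((0, "file mode is 444"))
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            continue
        if blank_run >= PAD_LINES:
            findings.append((no, f"content after {blank_run} blank lines"))
        blank_run = 0
        if len(line) - len(line.lstrip()) >= PAD_COLS:
            findings.append((no, "content pushed off-screen by whitespace"))
        m = REMOTE_ERRDOC.match(line)
        if m:
            findings.append((no, f"ErrorDocument {m.group(1)} -> host {m.group(2)}"))
    return findings

def scan_tree(root):
    """Audit every .htaccess under root; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess(fh.read(), os.stat(path).st_mode)
            if found:
                report[path] = found
    return report

# Constructed sample: a short WordPress block, padding, then a directive shaped
# like the ones in the first post (placeholder host, not a real indicator).
SAMPLE = ("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n" + "\n" * 200
          + " " * 300 + "ErrorDocument 404 injected.example/pcollection/index.php\n"
          + "ErrorDocument 403 /403.html\n")

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, 0o100444):
        print(finding)
```

Run `scan_tree()` against the web root to cover every subdirectory, since a clean top-level file does not rule out a modified one deeper in the tree.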

    There’s a hack that hit a couple weeks ago. Here’s info about removing it. Search the directories it suggests for the files added by the malware:
    https://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    To be clear for folks, and to keep FUD down, this is not a CORE WordPress hack.

    TimThumb has a vulnerability. We have known this for a week now. If you are, or have ever, used it, you MUST delete it or upgrade it ASAP. AND you should still scan your files AND change your passwords.

    TimThumb 0-day vulnerability
    Affected themes
    SuperDomain information
    SuperDomain followup

    You can scan your site, free, at https://sitecheck.sucuri.net/scanner/

    It’s safe to check.

    One of my sites got hacked this weekend, so I wrote a post about how to look for the TimThumb scripts and clean up your WordPress install afterward: https://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/

    We have been using WordPress 3.2.1 for about a year now and all was well, until we recently changed our theme to Twenty Eleven. This combination makes it easy for hackers to install a trojan on our .htaccess file. They did it via FTP server. Does anyone have any other ideas on how to secure our site in addition to the below? Our hoster advised to upgrade the WP version but if we do that I am worried we will lose All in One SEO Pack and its configuration. Has anyone had any experience upgrading to latest version and keeping All in One SEO Pack stable?
    Our web hosting company suggested the following: change htaccess file to .txt, change all passwords (especially FTP server password), change default ‘admin’ in WordPress, disallow Directory Browsing, Secure wp-config.php, prevent script injection… and upgrading the version of WP to latest version.
    Hope someone with experience of the 3.2.1 hack can assist here.
    Thanks,
    Liv

  • The topic ‘TimThumb Hack (was WordPress 3.2.1 vanilla is FAR from secure…)’ is closed to new replies.