Timthumb Vulnerability Scanner
Scans your wp-content directory for vulnerable instances of timthumb.php, and optionally upgrades them to a safe version.
The recent Timthumb.php vulnerability (discussed here) has left scores of unsuspecting bloggers hacked. It's the perfect combination of not so easy to fix for the technically disinclined, and easy to find and exploit for the malicious - resulting in a disastrous number of compromised sites.
The Timthumb Vulnerability Scanner plugin will scan your entire wp-content directory for instances of any outdated and insecure version of the timthumb script, and give you the option to automatically upgrade them with a single click. Doing so will protect you from hackers looking to exploit this particular vulnerability.
After new, lesser vulnerabilities were found, it became apparent that the plugin needs to be dynamic - able to keep you up to date with the latest version of timthumb, without requiring a plugin upgrade. The plugin now checks for the latest available version of timthumb routinely (each time you visit the scanner page, but no more than once a day), and can download and install the latest version, rather than the one included with the plugin. Scans are run daily (unless you disable them via the options link on the scanner page) via wp-cron to keep up with any new plugins or themes you've installed.
More info at CodeGarage.
Special thanks to Jacob Gillespie for help with the bulk upgrade feature.
After clicking "Scan!", you'll be presented with a list of all instances of timthumb on your server. Outdated or Unsafe instances are marked as such. Clicking "Upgrade Selected Files" will update selected files to the latest available version of timthumb available on http://code.google.com/p/timthumb/.
- Upload the
timthumb-vulnerability-scanner to the/wp-content/plugins/` directory (alternatively, you could use the backend WordPress plugin installer, or install directly from the repository)
- Activate the plugin through the 'Plugins' menu in WordPress
- Visit the "Timthumb Scanner" page under the "Tools" Menu
- Blocked direct access to all PHP plugin files
- Made sure alerts are only shown when user is viewing in admin
- Added support for Windows servers
- Fixed bug with version check which implied 2.8.10 was older than 2.8.5
- Added a daily automatic scan
- Added alerts across the admin section when vulnerable or outdated files are found
- Fixed issue with updating timthumb src file
- Largely rewrote codebase to clean up code.
- Added functionality to download latest version of timthumb rather than relying on static version included in plugin.
- Added functionality to check if there is a newer version of timthumb available.
- Added scan to find obvious evidence of intrusion using timthumb exploit.
- Updated formatting to conform with WP coding standards, added bulk upgrade feature (Thanks to Jacob Gillespie!).
- Updated scanner to more reliably find versions of timthumb - avoids conflict with plugin "Category Icons".
- Updated scanner to find really old versions of timthumb.
- Initial Commit.
What does this look for specifically?
The scanner checks for all instances of timthumb it can find. It doesn't just check filename - it looks for code inside the file, ensuring that regardless of what a theme or plugin developer has named the file, it will be caught.
Where does it look for them?
The entire wp-content directory (even if it's not called wp-content) is scanned, including plugins, themes, and uploads.
I think I've already been hacked - will this clean it up?
No. This plugin exists to make sure your door is locked, not drag the burglers out of your house. It will run some cursory checks to see if a hacker has likely already hit your site, but has no functionality to clean up the problem.
If you've already been hacked, all is not lost - there are people out there who will clean up your site for a fee. Get in touch here: http://codegarage.com/hack-cleanup