TimThumb – Did you get hacked?

A couple of days ago, I got an alert from my webhost that they had rebooted my server (I run Storm on Demand by Liquidweb). Their 24/7 monitoring team noticed high memory and CPU usage, and acted quickly to resolve the issue. I had no idea anything was happening; it all happened behind the scenes.

So what happened? I had an old, hackable version of TimThumb in a theme that wasn’t even being used. Yes, that’s right. I had the PHP file in an old theme that wasn’t even active, but somewhere along the way, Google had indexed that TimThumb file and the hackers found it.

The hackers had loaded up Perl IRC bots that were using massive amounts of memory and CPU, which overloaded my server. My web host’s monitoring team caught it, rebooted my server, and patched the TimThumb files involved.

You need to be very careful about what files you may have in an old theme, because if one of them has a vulnerability in it, your site and/or server could be at risk. Make sure you stay on top of old themes and clear them out if you’re not using them. Or do what I did: I moved them to my ~/ directory so they can’t be accessed via the web.
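An added example, not from the original post, of the kind of check the advice above calls for: a POSIX shell script that inventories TimThumb copies under a WordPress document root and moves an unused theme out of the web root. It assumes TimThumb ships as timthumb.php or thumb.php and declares its version with a define('VERSION', ...) line, as the public TimThumb source does; the sample site tree is constructed inline.

```shell
#!/bin/sh
# Inventory TimThumb copies under a document root and report each file's
# version string, so stale copies sitting in unused themes stand out.
# Assumption: the file is named timthumb.php or thumb.php and contains
# define ('VERSION', '...') as in the public TimThumb source.

find_timthumb() {
  # $1: document root to search. Prints "path<TAB>version" per match.
  find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
  while IFS= read -r f; do
    ver=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
    printf '%s\t%s\n' "$f" "${ver:-unknown}"
  done
}

# Build a constructed sample tree: two themes, one with an old TimThumb copy.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/active-theme" "$root/wp-content/themes/old-theme/lib"
  # Constructed stand-in for the demo, not the real TimThumb script.
  printf "<?php\ndefine ('VERSION', '1.33');\n" \
    > "$root/wp-content/themes/old-theme/lib/timthumb.php"
  printf "<?php\n// theme without TimThumb\n" \
    > "$root/wp-content/themes/active-theme/functions.php"
  printf '%s\n' "$root"
}

# Move a theme directory out of the web root into a quarantine directory
# (the post's approach: unreachable over HTTP, still on disk for reference).
quarantine_theme() {
  # $1: theme dir, $2: quarantine dir outside the document root
  mkdir -p "$2" && mv "$1" "$2/"
}
```

Run find_timthumb against the real document root, and quarantine any theme it flags that is not the active one.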

Props to Sucuri for coverage on the hack. If you aren’t sure whether you were hacked or are clean, it’s a good idea to run a scan of your site.
