Archive | August, 2011

Find and replace all timthumb.php on server – bash script

The recent vulnerablity found in the popular timthumb.php image resizer has hit websites worldwide pretty hard. Pretty easy to deal with if you are just running your own site – just replace the script with the latest version from the source.

If you are running a hosting company, then you have either mitigated the issue somehow, or your helpdesk is probably still hung over from the after effects of exploited timthumb scripts.

So, cutting to the chase, here’s a script that I have used to run through whole cPanel based servers, looking for files called timthumb.php or thumb.php, which contain the text “timthumb” (almost every instance I have seen of the script contains this code in it somewhere).

It then moves/renames the file to something safe, and copies over the latest source from a location you can tweak in the script, and then sets the ownership and permissions correctly (assuming you are running suPHP).

The bash script:

Obviously, the usual disclaimers apply here – You are free to use this script, but NO responsibility can be accepted for anything that goes wrong if you choose to!

This is actually version 2, as it were – I have modified the script so that it now looks for the version number within the script and only updates versions that do not match those shown in the if statement.

#!/bin/bash
IFS="$"
###################################################################
##  timthumb correction                                          ##
###################################################################
 
GOODTHUMB="/root/scripts/timthumb.php"
 
###########################
##  Assign temp file     ##
###########################
TMPFILE="/tmp/healthchk.$$.tmp"
if [ -f ${TMPFILE} ]; then
   rm -f ${TMPFILE}
fi
 
# set pwd to tmp
cd /tmp
 
###########################
##  Create temp file     ##
###########################
setup_temp_file() {
  if [ -e $1 ]; then
     rm -f $1
  fi
  /bin/touch $1
  /bin/chown root:root $1
  /bin/chmod 0600 $1
}
 
##########################################################
##  SCRIPT BEGINS HERE                                  ##
##########################################################
 
echo "This script will check all home directories for timthumb..."
 
unset CPUSER CPHOME
 
/bin/ls -- /var/cpanel/users | /bin/grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" | while read CPUSER; do
   CPHOME="$(/bin/grep "^${CPUSER}:" /etc/passwd | cut -d':' -f6)/public_html"
   echo -e "\nChecking user ${CPUSER} - home directory = ${CPHOME}"
   echo "Checking ${CPHOME} ... "
   if [ -d ${CPHOME} ]; then
 
     #####################################
     ## Start looking for timthumb!     ##
     #####################################
     setup_temp_file ${TMPFILE} 
 
     /usr/bin/find ${CPHOME} -type f \( -iname "timthumb.php" -o -iname "thumb.php" \) >> ${TMPFILE} 2> /dev/null
     /bin/cat -- ${TMPFILE} | while read TARGET; do
         # every version of the script I have seen contains the string timthumb somewhere
        ISITBUTTER="$(/bin/grep -i timthumb ${TARGET} )"
        THEVERSION="$(/bin/grep -o "VERSION.*'[0-9\.]*'" ${TARGET} | /bin/grep -Eo "[0-9].[0-9]+" )"
        if [ ${#THEVERSION} -gt 1 ]; then # prevent crash on empty variable in next if test
            # You can modify the versions to accept (i.e. not modify) below
            if [ ${#ISITBUTTER} -gt 1 -a ${THEVERSION} != "2.8" -a ${THEVERSION} != "2.7" ]; then
                echo "Found one!: ${TARGET}    version ${THEVERSION}"
                mv ${TARGET} "${TARGET}._removedbykrystal"
                cp ${GOODTHUMB} ${TARGET}
                /bin/chown ${CPUSER}:${CPUSER} ${TARGET}
                /bin/chmod 640 ${TARGET}
            fi
        fi
     done
 
   fi
done
##  Clean up any trace
if [ -e ${TMPFILE} ]; then
   rm -f ${TMPFILE}
fi