The recent vulnerablity found in the popular timthumb.php image resizer has hit websites worldwide pretty hard. Pretty easy to deal with if you are just running your own site – just replace the script with the latest version from the source.
If you are running a hosting company, then you have either mitigated the issue somehow, or your helpdesk is probably still hung over from the after effects of exploited timthumb scripts.
So, cutting to the chase, here’s a script that I have used to run through whole cPanel based servers, looking for files called timthumb.php or thumb.php, which contain the text “timthumb” (almost every instance I have seen of the script contains this code in it somewhere).
It then moves/renames the file to something safe, and copies over the latest source from a location you can tweak in the script, and then sets the ownership and permissions correctly (assuming you are running suPHP).
The bash script:
Obviously, the usual disclaimers apply here – You are free to use this script, but NO responsibility can be accepted for anything that goes wrong if you choose to!
This is actually version 2, as it were – I have modified the script so that it now looks for the version number within the script and only updates versions that do not match those shown in the if statement.
#!/bin/bash
IFS="$"
###################################################################
## timthumb correction ##
###################################################################
GOODTHUMB="/root/scripts/timthumb.php"
###########################
## Assign temp file ##
###########################
TMPFILE="/tmp/healthchk.$$.tmp"
if [ -f ${TMPFILE} ]; then
rm -f ${TMPFILE}
fi
# set pwd to tmp
cd /tmp
###########################
## Create temp file ##
###########################
setup_temp_file() {
if [ -e $1 ]; then
rm -f $1
fi
/bin/touch $1
/bin/chown root:root $1
/bin/chmod 0600 $1
}
##########################################################
## SCRIPT BEGINS HERE ##
##########################################################
echo "This script will check all home directories for timthumb..."
unset CPUSER CPHOME
/bin/ls -- /var/cpanel/users | /bin/grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" | while read CPUSER; do
CPHOME="$(/bin/grep "^${CPUSER}:" /etc/passwd | cut -d':' -f6)/public_html"
echo -e "\nChecking user ${CPUSER} - home directory = ${CPHOME}"
echo "Checking ${CPHOME} ... "
if [ -d ${CPHOME} ]; then
#####################################
## Start looking for timthumb! ##
#####################################
setup_temp_file ${TMPFILE}
/usr/bin/find ${CPHOME} -type f \( -iname "timthumb.php" -o -iname "thumb.php" \) >> ${TMPFILE} 2> /dev/null
/bin/cat -- ${TMPFILE} | while read TARGET; do
# every version of the script I have seen contains the string timthumb somewhere
ISITBUTTER="$(/bin/grep -i timthumb ${TARGET} )"
THEVERSION="$(/bin/grep -o "VERSION.*'[0-9\.]*'" ${TARGET} | /bin/grep -Eo "[0-9].[0-9]+" )"
if [ ${#THEVERSION} -gt 1 ]; then # prevent crash on empty variable in next if test
# You can modify the versions to accept (i.e. not modify) below
if [ ${#ISITBUTTER} -gt 1 -a ${THEVERSION} != "2.8" -a ${THEVERSION} != "2.7" ]; then
echo "Found one!: ${TARGET} version ${THEVERSION}"
mv ${TARGET} "${TARGET}._removedbykrystal"
cp ${GOODTHUMB} ${TARGET}
/bin/chown ${CPUSER}:${CPUSER} ${TARGET}
/bin/chmod 640 ${TARGET}
fi
fi
done
fi
done
## Clean up any trace
if [ -e ${TMPFILE} ]; then
rm -f ${TMPFILE}
fi
