There is a vulnerability in old versions of TimThumb; read the article about it here. This week (starting on August 22) many WordPress users with TimThumb encountered problems with their websites. Google marked their websites as a risk (including one of my websites).
The websites connected to counter-wordpress.com. The script/malware had the ability to enter your database, create a database dump, play sounds (?), get your WordPress password and more. With the curl_setopt function they were able to install PHP scripts on your server.
So for those who have problems, here is a quick guide to fix this. And for those who don’t have problems yet: update TimThumb (latest version here)!
Fix this malware warning step by step:
- Remove the malicious code from your wp-config.php or upload a clean version.
- Inspect your wp-config.php. They add around 3000 empty lines. Somewhere in the middle there is the malicious code. Delete it!
- Delete the files they injected with the curl_setopt function:
- Some WordPress users (I didn’t) found a ‘temp’ folder in their current theme folder with a file like eab9c5e9815adc4c40a6557495eed6d3.php, or something like that. Delete it.
- Update your WordPress if possible!
- Replace the following file with the original from a clean WordPress installation:
- wp-includes/js/l10n.js
- * If you have problems overwriting a file, delete it first (via FTP) and then upload the new file
- Replace TimThumb with the latest version
- Change your FTP password
- Change your DB password and update it in wp-config.php
- If Google is warning your visitors (right above the result description in the SERP), log in to Webmaster Tools and ask for a review. The warning should be gone in 24 hours
- To be sure, check your website with these tools:
- You’re done!
Hopefully your site will be clean after you have followed the steps above. If you found other suspicious things, please let me know by writing a comment.
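As an added example (not part of the original post): a read-only Python check for the traces described in the steps above, namely a long run of empty lines in wp-config.php, a hash-named .php file in a theme's temp folder, and references to counter-wordpress.com. The 100-line threshold, the function names and the sample tree with its `mytheme` folder are assumptions made for this example.

```python
import re
import sys
import tempfile
from pathlib import Path

DOMAIN = "counter-wordpress.com"               # domain named in the post
HASH_PHP = re.compile(r"^[0-9a-f]{32}\.php$")  # e.g. eab9c5e9815adc4c40a6557495eed6d3.php
BLANK_RUN = 100  # assumption: this many consecutive empty lines is suspicious

def longest_blank_run(text):
    """Length of the longest run of empty or whitespace-only lines."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest

def scan_wordpress(root):
    """Return sorted (relative path, reason) findings under a WordPress root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in (".php", ".js"):
            continue
        rel = path.relative_to(root).as_posix()
        if path.parent.name == "temp" and HASH_PHP.match(path.name):
            findings.append((rel, "hash-named PHP file in a temp folder"))
        text = path.read_text(encoding="utf-8", errors="replace")
        if DOMAIN in text:
            findings.append((rel, "references " + DOMAIN))
        if path.name == "wp-config.php" and longest_blank_run(text) >= BLANK_RUN:
            findings.append((rel, "long run of empty lines, inspect what sits between them"))
    return sorted(findings)

def make_constructed_sample(root):
    """Write a small constructed tree (harmless placeholders) to try the scanner on."""
    theme = Path(root) / "wp-content/themes/mytheme"   # hypothetical theme name
    (theme / "temp").mkdir(parents=True)
    (theme / "temp/eab9c5e9815adc4c40a6557495eed6d3.php").write_text("<?php // placeholder\n")
    (theme / "footer.php").write_text("<?php // placeholder mentioning " + DOMAIN + "\n")
    (theme / "index.php").write_text("<?php // clean placeholder\n")
    padding = "\n" * 3000
    (Path(root) / "wp-config.php").write_text("<?php\n" + padding + "// placeholder\n" + padding)

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan a downloaded copy of the site
        target = sys.argv[1]
    else:                          # no argument: scan the constructed sample
        target = tempfile.mkdtemp()
        make_constructed_sample(target)
    for rel, reason in scan_wordpress(target):
        print(f"{rel}: {reason}")
```

Run it against a copy of the site downloaded over FTP; it only reads files, so every hit still has to be reviewed and removed by hand as described in the steps.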