

The e-commerce.

I know I was hacked but need help with what to delete...

The ReviewWire


I downloaded AntiVirus for my WordPress theme and it found something fishy in timthumb.php. I don't know what needs to be deleted or what to do next:


Any advice?



// Excerpt from an image-serving script; the error text near the end names it "timthumb".
// It validates the requested image source ('src'), optionally blocks hotlinking, and decides
// whether a request for an external URL may be fetched.
// NOTE(review): the enclosing function header and several closing braces are missing from this
// paste, so the fragment is not runnable as shown and the exact nesting has to be confirmed
// against the full file.

// HTTP_HOST is taken from the request's Host header, i.e. it is client-supplied. Only a leading
// "www." is stripped; the value is later concatenated into regex patterns without preg_quote().
$this->myHost = preg_replace('/^www\./i', '', $_SERVER['HTTP_HOST']);

// param() is defined elsewhere; presumably it reads the 'src' request parameter — confirm.
$this->src = $this->param('src');

// NOTE(review): parse_url() can return false for a malformed URL; $this->url['host'] is read
// further down without a check for that.
$this->url = parse_url($this->src);

// Reject sources of three bytes or fewer as "no image".
if(strlen($this->src) <= 3){

$this->error("No image specified");

return false;


// Hotlink protection: when enabled and a Referer header is present that does not point at this
// host, answer with a small placeholder GIF instead of the requested image. The Referer header
// is optional and client-controlled, so this is a bandwidth courtesy, not an access control.
if(BLOCK_EXTERNAL_LEECHERS && array_key_exists('HTTP_REFERER', $_SERVER) && (! preg_match('/^https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $_SERVER['HTTP_REFERER']))){

// base64 encoded red image that says 'no hotlinkers'

// nothing to worry about! :)

// The literal starts with "R0lGODlh", which is the base64 form of the GIF signature "GIF89a".
// In this excerpt the decoded bytes are only written to the response with echo; they are not
// passed to eval(), include or any other execution path. A scanner that flags every
// base64_decode() call will flag this line; to judge the file as a whole, compare it with a
// known-good copy of the same release rather than deleting individual lines.
$imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");

header('Content-Type: image/gif');

// NOTE(review): sizeof() is an alias of count(); applied to a string it does not give the byte
// length (older PHP versions return 1, PHP 8 throws a TypeError). strlen($imgData) looks like
// what was intended for Content-Length.
header('Content-Length: ' . sizeof($imgData));

// The placeholder is marked non-cacheable and already expired.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');

header("Pragma: no-cache");

header('Expires: ' . gmdate ('D, d M Y H:i:s', time()));

echo $imgData;

return false;



// If src is an absolute URL on this same host, strip the scheme and host so it is handled as a
// local file request.
if(preg_match('/https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $this->src)){

$this->src = preg_replace('/https?:\/\/(?:www\.)?' . $this->myHost . '/i', '', $this->src);


// Anything that still begins with http(s)://host is treated as a request for an external URL.
if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){

$this->debug(2, "Is a request for an external URL: " . $this->src);

$this->isURL = true;

} else {

$this->debug(2, "Is a request for an internal file: " . $this->src);


// External URLs are refused outright unless ALLOW_EXTERNAL is set.
if($this->isURL && (! ALLOW_EXTERNAL)){

$this->error("You are not allowed to fetch images from an external website.");

return false;




// NOTE(review): the `if` that opens this branch is missing from the paste. The error message at
// the end of the excerpt suggests it tests ALLOW_ALL_EXTERNAL_SITES — confirm against the full file.
$this->debug(2, "Fetching from all external sites is enabled.");

} else {

$this->debug(2, "Fetching only from selected external sites is enabled.");

$allowed = false;

// NOTE(review): $ALLOWED_SITES is read as a plain variable; where it is brought into scope is
// not visible in this excerpt.
foreach($ALLOWED_SITES as $site){

// The pattern is anchored at the end of the host and must start at the beginning of the host or
// right after a dot, so an entry matches the exact host or one of its subdomains.
// NOTE(review): $site is not passed through preg_quote(), so a "." inside an entry matches any
// character; quoting the entry would make the allowlist match literally.
if (preg_match ('/(?:^|\.)' . $site . '$/i', $this->url['host'])) {

$this->debug(3, "URL hostname {$this->url['host']} matches $site so allowing.");

$allowed = true;



// No allowlist entry matched: refuse the remote fetch.
if(! $allowed){

return $this->error("You may not fetch images from that site. To enable this site in timthumb, you can either add it to \$ALLOWED_SITES and set ALLOW_EXTERNAL=true. Or you can set ALLOW_ALL_EXTERNAL_SITES=true, depending on your security needs.");






This topic is now archived and is closed to further replies.
