Server Setup – Journal of PlanetMike

New Attacker URLs

Michael Clark — Sat, 31 Aug 2013 12:03:06 +0000

An attacker scanned my web sites this morning for URLs including these files. 7b1d91231a87fb75e0054e886a0dea57

zboard.php
logx.txt
wp-includes/wp-script.php
wp-includes/wp-services.php
wp-includes/class-wp-customize-client.php
thumb_editor.php
wp-includes/jahat.php
wp-content/uploads/images.php

None of these files are part of a WordPress installation. So if you see them in your system, give it a much closer look to see if something bad is happening on your site. Check your logs, and look at the file itself (but not through your browser, but offline!).

Today’s attacker came from 178.77.99.29 (hca-erfurt.de.), which is in Germany.

198.136.50.162 06/Dec/2019:01:57:41

Copyright © 2019 Journal of PlanetMike. This Feed is for personal non-commercial use only. If you are not reading this material at http://www.planetmike.com/ or in your news aggregator, the site you are looking at is guilty of copyright infringement. Please contact copyright@planetmike.com so we can take legal action immediately.

WP-Login.php Attempts for May 16, 2013

Michael Clark — Fri, 17 May 2013 15:55:28 +0000

I logged over 3,000 attempts to login to my WordPress sites on May 16th. Luckily, they were mostly immediately blocked, added to my firewall. The list of 1,501 different attacking IP addresses can be found here. 7b1d91231a87fb75e0054e886a0dea57

So far today (Friday the 17th) I have logged over 1,800 attempts to log into my sites via wp-login.php.

WP-Login.php Attempts for May 15, 2013

Michael Clark — Thu, 16 May 2013 11:11:46 +0000

Yesterday I logged over 2,200 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 1,473 different attacking IP addresses can be found here. 7b1d91231a87fb75e0054e886a0dea57

So far today (Thursday the 16th) I have logged over 1,000 attempts to log into my sites via wp-login.php.

WP-Login.php Attempts for May 14, 2013

Michael Clark — Wed, 15 May 2013 13:10:32 +0000

Yesterday I logged over 4,500 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 3,340 different attacking IP addresses can be found here. 7b1d91231a87fb75e0054e886a0dea57

So far today (Wednesday the 15th) I have logged over 800 attempts to log into my sites via wp-login.php.

WP-Login.php Attempts for May 13, 2013

Michael Clark — Tue, 14 May 2013 18:40:25 +0000

Yesterday I logged over 7,000 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 4,033 different attacking IP addresses can be found here. The attack started at 2:50 in the afternoon on Monday the 13th. Sunday I received only six attempts, so classifying this as an attack is definitely appropriate. 7b1d91231a87fb75e0054e886a0dea57

So far today (Tuesday the 14th) I have logged over 2,800 attempts to log into my sites via wp-login.php. And that number has increased by 25 in the time it’s taken me to type these few sentences.

Login Attempts to wp-login.php

Michael Clark — Thu, 15 Nov 2012 12:59:07 +0000

While checking out my apache server logs last week, I noticed that one of my older sites was getting a fair amount of login attempts to wp-login.php from all over the world. So I started grabbing the login information to see what they were trying. The next batch of attacks lasted 23 minutes. The username was always “admin” and the testcookie was always “1”. Here are the passwords: 7b1d91231a87fb75e0054e886a0dea57

example.org123
example
password1
test123
12345
admin
password
admin1
qwerty123
admin111
pass
life777
123456
password123
abc123
admin123
example.org

I replaced the actual domain name with “example” in the above list. If you are using any of those passwords, you may want to consider changing it.

The user-agent doing the probe was always “Mozilla/3.0 (compatible; Indy Library)”. The attacks came from these IP addresses. I assume they were running some form of infected Windows operating system.

110.153.9.250: Host 250.9.153.110.in-addr.arpa. not found: 3(NXDOMAIN) (China)
120.50.0.61: 61.0.50.120.in-addr.arpa domain name pointer ws4-tunghai-grp-telnet.com.bd. (Bangladesh, not assigned?)
202.70.136.158: Host 158.136.70.202.in-addr.arpa. not found: 3(NXDOMAIN) (Indonesia)
173.8.94.5: 5.94.8.173.in-addr.arpa domain name pointer 94.8.173.5-Draper.hfc.comcastbusiness.net. (Comcast, USA)
175.25.243.22: Host 22.243.25.175.in-addr.arpa. not found: 3(NXDOMAIN) (China, not assigned?)
119.187.148.51: Host 51.148.187.119.in-addr.arpa. not found: 3(NXDOMAIN) (China)
121.100.28.18: Host 18.28.100.121.in-addr.arpa. not found: 3(NXDOMAIN) (Indonesia)
120.132.132.119: Host 119.132.132.120.in-addr.arpa. not found: 3(NXDOMAIN) (China)
190.0.9.202: 202.9.0.190.in-addr.arpa domain name pointer Wimax-Cali-190-0-9-202.orbitel.net.co. (Brazil)
60.28.209.24: Host 24.209.28.60.in-addr.arpa. not found: 3(NXDOMAIN) (China)
89.144.131.106: Host 106.131.144.89.in-addr.arpa. not found: 3(NXDOMAIN) (Iran)
177.70.68.155: Host 155.68.70.177.in-addr.arpa. not found: 3(NXDOMAIN) (Brazil)
89.222.181.225: 225.181.222.89.in-addr.arpa domain name pointer host-181-225.dialog-k.ru. (Russia)
120.198.232.8: Host 8.232.198.120.in-addr.arpa. not found: 3(NXDOMAIN) (China)
110.139.173.217: 217.173.139.110.in-addr.arpa domain name pointer 217.subnet110-139-173.speedy.telkom.net.id. (Indonesia)
221.2.80.126: Host 126.80.2.221.in-addr.arpa. not found: 3(NXDOMAIN) (China)
124.160.147.173: Host 173.147.160.124.in-addr.arpa. not found: 3(NXDOMAIN) (China)
195.158.107.5: 5.107.158.195.in-addr.arpa domain name pointer adsl5p5.access.maltanet.net. (Malta)
217.129.77.17: 17.77.129.217.in-addr.arpa domain name pointer st-217-129-77-17.netvisao.pt. (Portugal)

Bots Looking for Backups of wp-config.php

Michael Clark — Sun, 30 Sep 2012 00:40:29 +0000

Here’s a new attack that occurred this afternoon: bot networks are searching for backup copies of wp-config.php. They searched for these four files on the root level of one of my web sites. 7b1d91231a87fb75e0054e886a0dea57

wp-config.phpbak
wp-config.php-bak
wp-config.phpBAK
wp-config.php-BAK

The probes came from these four IP addresses, all within one minute of one another:

91.217.66.227 – Ukraine, no rDNS
151.0.9.230 – Ukraine, no rDNS
193.106.65.146 – Ukraine, 193-106-65-146.vega-tv.com.ua.
88.252.179.61 – Turkey, no rDNS

You should do two things:

Search your site’s root directories for old “backup” copies of your site’s configuration files. And if you find any, you need to remove them. You may want to consider removing wp-config-sample.php if it exists as well. Heck, remove readme.html and license.html too. There is no reason for those files to be available on your web site.
If your web server and host supports it, move your wp-config.php file up one directory out of your public web site. So if your WordPress installation is installed in /var/www/html/example.com/ , move wp-config.php to be in the html directory, not the com directory. This should remove the configuration file from the public.

Followup: September 30th, 2012: Just had a few new probes for wp-config.txt from 88.74.117.9, dslb-088-074-117-009.pools.arcor-ip.net, Germany.

Scans for Vulnerable WordPress Plugins

Michael Clark — Mon, 12 Dec 2011 14:25:06 +0000

This morning one of my web sites was scanned for all 25 of these WordPress plugins. I’m not exactly sure what they are vulnerable to (looking around the web it looks like they can be used to add programs to your web site), but you should confirm that if your site is using one of these plusings, that you have the most recent version installed. 7b1d91231a87fb75e0054e886a0dea57

/wp-content/plugins/1-flash-gallery/fgallery.php
/wp-content/plugins/dm-albums/wp-dm-albums.php
/wp-content/plugins/dp-thumbnail/dp-thumbnail.php
/wp-content/plugins/mingle-forum/feed.php
/wp-content/plugins/cac-featured-content/cac-featured-content.php
/wp-content/plugins/backwpup/backwpup.php
/wp-content/plugins/a-gallery/a-gallery.php
/wp-content/plugins/category-grid-view-gallery/cat_grid.php
/wp-content/plugins/user-avatar/user-avatar-pic.php
/wp-content/plugins/media-library-categories/sort.php
/wp-content/plugins/global-content-blocks/global-content-blocks.php
/wp-content/plugins/image-gallery-with-slideshow/shortcode.php
/wp-content/plugins/upm-polls/includes/poll_logs.php
/wp-content/plugins/comment-rating/ck-processkarma.php
/wp-content/plugins/zingiri-web-shop/load.php
/wp-content/plugins/verve-meta-boxes/verve-meta-boxes.php
/wp-content/plugins/lisl-last-image-slider/nivo-slider.css
/wp-content/plugins/count-per-day/counter.css
/wp-content/plugins/ip-logger/map-details.php
/wp-content/plugins/relocate-upload/relocate-upload.php
/wp-content/plugins/yolink-search/includes/bulkcrawl.php
/wp-content/plugins/mini-mail-dashboard-widget/readme.txt
/wp-content/plugins/allwebmenus-wordpress-menu-plugin/widgetClass.php
/wp-content/plugins/auto-attachments/auto-attachments.php
/wp-content/plugins/ImageManager/manager.php

The scans came from 78.46.173.3, and only requested the HEAD of each file. That IP address is in a range assigned to IT7 Networks, with the name of Dmytro Postryhan. The scan (attack) came at 8:31 this morning.

More Vulnerability Attack Scans

Michael Clark — Sun, 30 Oct 2011 19:11:59 +0000

For the past several hours I’ve been attacked (41,322 times and counting!) by many different IP addresses (95 at last count, including a bunch using Amazon Web Services (amazonaws)) looking for many different URLs. They are searching for the broken timthumb.php script, as well as 5a3c2f91dc7ccef6724e602c0d391659.php or 6c8fd79d31461e644cbf23026ff5d19a.php, which is apparently an app to give the world the ability to execute commands on your web server via the web. I’ll post more details if I can figure out how to present in a useful manner. 7b1d91231a87fb75e0054e886a0dea57

TimThumb.php Vulnerability Scans

Michael Clark — Fri, 09 Sep 2011 15:06:13 +0000

Earlier today one of my web sites was scanned for the timthumb.php script. timthumb is a web application that allows for the site to gather and resize images. The script is included in a lot of WordPress themes, such as the list of 332 themes listed at the bottom of this post. If you are using one of these themes, upgrade it, and confirm that timthumb has been upgraded to address its security problems. 7b1d91231a87fb75e0054e886a0dea57

Besides getting the newest version of timthumb, something else you should do is change the name of the directory that your theme is in. This called security by obscurity. Yes, it’s lame in that the directory name itself is visible to the public, but you will make a it a bit more difficult for attackers to scan your system.

Also make sure that you’ve removed any themes or plugins from your site that you aren’t actively using. (Keep twentyten and twentyeleven, the default WordPress themes though).

Over the past month, these IP addresses have scanned my sites for vulnerable timthumb scripts. Block them! Either via a “Deny from ” command in your .htaccess, or via iptables or your firewall.

46.4.114.111: 111.114.4.46.in-addr.arpa domain name pointer static.111.114.4.46.clients.your-server.de.
88.198.51.36: 36.51.198.88.in-addr.arpa domain name pointer static.88-198-51-36.clients.your-server.de.
89.149.202.94: 94.202.149.89.in-addr.arpa domain name pointer mail.allgatas.com.
91.224.160.182: 182.160.224.91.in-addr.arpa domain name pointer hosted-by.bergdorf-group.com.
108.200.252.19: 19.252.200.108.in-addr.arpa domain name pointer 108-200-252-19.lightspeed.stlsmo.sbcglobal.net.
176.9.18.121: 121.18.9.176.in-addr.arpa domain name pointer static.121.18.9.176.clients.your-server.de.
178.162.181.97: Host 97.181.162.178.in-addr.arpa. not found: 3(NXDOMAIN) (IP assigned to Leaseweb Germany GmbH)
188.138.113.14: 14.113.138.188.in-addr.arpa domain name pointer zebra814.server4you.net.
188.229.89.14: Host 14.89.229.188.in-addr.arpa. not found: 3(NXDOMAIN) (IP assigned to Netserv Consult SRL, Bucharest, Romania)
188.72.230.134: Host 134.230.72.188.in-addr.arpa. not found: 3(NXDOMAIN) (IP assigned to Leaseweb Germany GmbH)
216.246.79.192: 192.79.246.216.in-addr.arpa domain name pointer class192.techniland.net.

List of resources that were scanned:

http://example.com/wp-content/themes/TheStyle/timthumb.php
http://example.com/wp-content/themes/nool/timthumb.php
http://example.com/wp-content/themes/PersonalPress/timthumb.php
http://example.com/wp-content/themes/SimplePress/timthumb.php
http://example.com/wp-content/themes/DeepFocus/timthumb.php
http://example.com/wp-content/themes/DelicateNews/timthumb.php
http://example.com/wp-content/themes/Bold/timthumb.php
http://example.com/wp-content/themes/eStore/timthumb.php
http://example.com/wp-content/themes/TheProfessional/timthumb.php
http://example.com/wp-content/themes/OnTheGo/timthumb.php
http://example.com/wp-content/themes/AskIt/timthumb.php
http://example.com/wp-content/themes/Nova/timthumb.php
http://example.com/wp-content/themes/eNews/timthumb.php
http://example.com/wp-content/themes/eVid/timthumb.php
http://example.com/wp-content/themes/TheCorporation/timthumb.php
http://example.com/wp-content/themes/Minimal/timthumb.php
http://example.com/wp-content/themes/Polished/timthumb.php
http://example.com/wp-content/themes/MyResume/timthumb.php
http://example.com/wp-content/themes/TheSource/timthumb.php
http://example.com/wp-content/themes/StudioBlue/timthumb.php
http://example.com/wp-content/themes/Wooden/timthumb.php
http://example.com/wp-content/themes/WhosWho/timthumb.php
http://example.com/wp-content/themes/Quadro/timthumb.php
http://example.com/wp-content/themes/Glow/timthumb.php
http://example.com/wp-content/themes/Modest/timthumb.php
http://example.com/wp-content/themes/Aggregate/timthumb.php
http://example.com/wp-content/themes/ArtSee/timthumb.php
http://example.com/wp-content/themes/versatile/timthumb.php
http://example.com/wp-content/themes/omni-shop/timthumb.php
http://example.com/wp-content/themes/manifesto/scripts/timthumb.php
http://example.com/wp-content/themes/arthem-mod/scripts/timthumb.php
http://example.com/wp-content/themes/echoes/timthumb.php
http://example.com/wp-content/themes/Bold4/timthumb.php
http://example.com/wp-content/themes/primely-theme/scripts/timthumb.php
http://example.com/wp-content/themes/zenkoreviewRD/scripts/timthumb.php
http://example.com/wp-content/themes/ElegantEstate/timthumb.php
http://example.com/wp-content/themes/PersonalPress2/timthumb.php
http://example.com/wp-content/themes/mypage/scripts/timthumb.php
http://example.com/wp-content/themes/magazinum/scripts/timthumb.php
http://example.com/wp-content/themes/pbv_multi/scripts/timthumb.php
http://example.com/wp-content/themes/photofeature/scripts/timthumb.php
http://example.com/wp-content/themes/ColdStone/timthumb.php
http://example.com/wp-content/themes/HMDeepFocus/timthumb.php
http://example.com/wp-content/themes/EarthlyTouch/timthumb.php
http://example.com/wp-content/themes/Boutique/timthumb.php
http://example.com/wp-content/themes/ePhoto/timthumb.php
http://example.com/wp-content/themes/PureType/timthumb.php
http://example.com/wp-content/themes/13Floor/timthumb.php
http://example.com/wp-content/themes/BusinessCard/timthumb.php
http://example.com/wp-content/themes/CherryTruffle/timthumb.php
http://example.com/wp-content/themes/Cion/timthumb.php
http://example.com/wp-content/themes/DailyNotes/timthumb.php
http://example.com/wp-content/themes/eGallery/timthumb.php
http://example.com/wp-content/themes/eGamer/timthumb.php
http://example.com/wp-content/themes/GrungeMag/timthumb.php
http://example.com/wp-content/themes/Influx/timthumb.php
http://example.com/wp-content/themes/LightBright/timthumb.php
http://example.com/wp-content/themes/LightSource/timthumb.php
http://example.com/wp-content/themes/Magnificent/timthumb.php
http://example.com/wp-content/themes/Memoir/timthumb.php
http://example.com/wp-content/themes/AskIt_v1.6/AskIt/timthumb.php
http://example.com/wp-content/themes/TidalForce/timthumb.php
http://example.com/wp-content/themes/Atlantis/timthumb.php
http://example.com/wp-content/themes/DelicateNewsYellow/timthumb.php
http://example.com/wp-content/themes/themorningafter/timthumb.php
http://example.com/wp-content/themes/arthemia-premium/scripts/timthumb.php
http://example.com/wp-content/themes/arthemia/scripts/timthumb.php
http://example.com/wp-content/themes/arthemia-premium-park/scripts/timthumb.php
http://example.com/wp-content/themes/linepress/timthumb.php
http://example.com/wp-content/themes/wedding/timthumb.php
http://example.com/wp-content/themes/graduate/timthumb.php
http://example.com/wp-content/themes/wp-newspaper/timthumb.php
http://example.com/wp-content/themes/advanced-newspaper/timthumb.php
http://example.com/wp-content/themes/journey/timthumb.php
http://example.com/wp-content/themes/newspro/timthumb.php
http://example.com/wp-content/themes/transcript/timthumb.php
http://example.com/wp-content/themes/showfolio/timthumb.php
http://example.com/wp-content/themes/quickstart/timthumb.php
http://example.com/wp-content/themes/Restorante/timthumb.php
http://example.com/wp-content/themes/snapwire/timthumb.php
http://example.com/wp-content/themes/aqua-blue/includes/timthumb.php
http://example.com/wp-content/themes/swatch/functions/thumb.php
http://example.com/wp-content/themes/announcement/functions/thumb.php
http://example.com/wp-content/themes/empire/functions/thumb.php
http://example.com/wp-content/themes/supportpress/functions/thumb.php
http://example.com/wp-content/themes/editorial/functions/thumb.php
http://example.com/wp-content/themes/statua/functions/thumb.php
http://example.com/wp-content/themes/briefed/functions/thumb.php
http://example.com/wp-content/themes/faultpress/functions/thumb.php
http://example.com/wp-content/themes/kaboodle/functions/thumb.php
http://example.com/wp-content/themes/savinggrace/functions/thumb.php
http://example.com/wp-content/themes/premiere/functions/thumb.php
http://example.com/wp-content/themes/simplicity/functions/thumb.php
http://example.com/wp-content/themes/deliciousmagazine/functions/thumb.php
http://example.com/wp-content/themes/canvas-buddypress/functions/thumb.php
http://example.com/wp-content/themes/bookclub/functions/thumb.php
http://example.com/wp-content/themes/boldnews/functions/thumb.php
http://example.com/wp-content/themes/placeholder/functions/thumb.php
http://example.com/wp-content/themes/biznizz/functions/thumb.php
http://example.com/wp-content/themes/auld/functions/thumb.php
http://example.com/wp-content/themes/listings/functions/thumb.php
http://example.com/wp-content/themes/elefolio/functions/thumb.php
http://example.com/wp-content/themes/chapters/functions/thumb.php
http://example.com/wp-content/themes/continuum/functions/thumb.php
http://example.com/wp-content/themes/diner/functions/thumb.php
http://example.com/wp-content/themes/skeptical/functions/thumb.php
http://example.com/wp-content/themes/caffeinated/functions/thumb.php
http://example.com/wp-content/themes/crisp/functions/thumb.php
http://example.com/wp-content/themes/sealight/functions/thumb.php
http://example.com/wp-content/themes/unite/functions/thumb.php
http://example.com/wp-content/themes/estate/functions/thumb.php
http://example.com/wp-content/themes/tma/functions/thumb.php
http://example.com/wp-content/themes/coda/functions/thumb.php
http://example.com/wp-content/themes/inspire/functions/thumb.php
http://example.com/wp-content/themes/apz/functions/thumb.php
http://example.com/wp-content/themes/spectrum/functions/thumb.php
http://example.com/wp-content/themes/diarise/functions/thumb.php
http://example.com/wp-content/themes/boast/functions/thumb.php
http://example.com/wp-content/themes/retreat/functions/thumb.php
http://example.com/wp-content/themes/cityguide/functions/thumb.php
http://example.com/wp-content/themes/cinch/functions/thumb.php
http://example.com/wp-content/themes/slanted/functions/thumb.php
http://example.com/wp-content/themes/canvas/functions/thumb.php
http://example.com/wp-content/themes/postcard/functions/thumb.php
http://example.com/wp-content/themes/delegate/functions/thumb.php
http://example.com/wp-content/themes/mystream/functions/thumb.php
http://example.com/wp-content/themes/optimize/functions/thumb.php
http://example.com/wp-content/themes/backstage/functions/thumb.php
http://example.com/wp-content/themes/sophisticatedfolio/functions/thumb.php
http://example.com/wp-content/themes/bueno/functions/thumb.php
http://example.com/wp-content/themes/digitalfarm/functions/thumb.php
http://example.com/wp-content/themes/headlines/functions/thumb.php
http://example.com/wp-content/themes/f0101/functions/thumb.php
http://example.com/wp-content/themes/royalle/functions/thumb.php
http://example.com/wp-content/themes/exposure/functions/thumb.php
http://example.com/wp-content/themes/rockstar/functions/thumb.php
http://example.com/wp-content/themes/dailyedition/functions/thumb.php
http://example.com/wp-content/themes/object/functions/thumb.php
http://example.com/wp-content/themes/antisocial/functions/thumb.php
http://example.com/wp-content/themes/coffeebreak/functions/thumb.php
http://example.com/wp-content/themes/mortar/functions/thumb.php
http://example.com/wp-content/themes/bigeasy/functions/thumb.php
http://example.com/wp-content/themes/groovyphoto/functions/thumb.php
http://example.com/wp-content/themes/groovyblog/functions/thumb.php
http://example.com/wp-content/themes/mainstream/functions/thumb.php
http://example.com/wp-content/themes/featurepitch/functions/thumb.php
http://example.com/wp-content/themes/suitandtie/functions/thumb.php
http://example.com/wp-content/themes/thejournal/functions/thumb.php
http://example.com/wp-content/themes/myweblog/functions/thumb.php
http://example.com/wp-content/themes/aperture/functions/thumb.php
http://example.com/wp-content/themes/metamorphosis/functions/thumb.php
http://example.com/wp-content/themes/bloggingstream/functions/thumb.php
http://example.com/wp-content/themes/thestation/functions/thumb.php
http://example.com/wp-content/themes/groovyvideo/functions/thumb.php
http://example.com/wp-content/themes/productum/functions/thumb.php
http://example.com/wp-content/themes/newsport/functions/thumb.php
http://example.com/wp-content/themes/irresistible/functions/thumb.php
http://example.com/wp-content/themes/cushy/functions/thumb.php
http://example.com/wp-content/themes/wootube/functions/thumb.php
http://example.com/wp-content/themes/forewordthinking/functions/thumb.php
http://example.com/wp-content/themes/geometric/functions/thumb.php
http://example.com/wp-content/themes/abstract/functions/thumb.php
http://example.com/wp-content/themes/busybee/functions/thumb.php
http://example.com/wp-content/themes/blogtheme/functions/thumb.php
http://example.com/wp-content/themes/gothamnews/functions/thumb.php
http://example.com/wp-content/themes/thick/functions/thumb.php
http://example.com/wp-content/themes/typebased/functions/thumb.php
http://example.com/wp-content/themes/overeasy/functions/thumb.php
http://example.com/wp-content/themes/ambience/functions/thumb.php
http://example.com/wp-content/themes/snapshot/functions/thumb.php
http://example.com/wp-content/themes/openair/functions/thumb.php
http://example.com/wp-content/themes/freshfolio/functions/thumb.php
http://example.com/wp-content/themes/papercut/functions/thumb.php
http://example.com/wp-content/themes/proudfolio/functions/thumb.php
http://example.com/wp-content/themes/vibrantcms/functions/thumb.php
http://example.com/wp-content/themes/freshnews/functions/thumb.php
http://example.com/wp-content/themes/livewire/functions/thumb.php
http://example.com/wp-content/themes/gazette/functions/thumb.php
http://example.com/wp-content/themes/flashnews/functions/thumb.php
http://example.com/wp-content/themes/premiumnews/functions/thumb.php
http://example.com/wp-content/themes/newspress/functions/thumb.php
http://example.com/wp-content/themes/8q/scripts/timthumb.php
http://example.com/wp-content/themes/aerial/lib/timthumb.php
http://example.com/wp-content/themes/aesthete/timthumb.php
http://example.com/wp-content/themes/albizia/includes/timthumb.php
http://example.com/wp-content/themes/amphion-lite/script/timthumb.php
http://example.com/wp-content/themes/aranovo/scripts/timthumb.php
http://example.com/wp-content/themes/arras/library/timthumb.php
http://example.com/wp-content/themes/arras-theme/library/timthumb.php
http://example.com/wp-content/themes/arthemix-bronze/scripts/timthumb.php
http://example.com/wp-content/themes/artisan/includes/timthumb.php
http://example.com/wp-content/themes/arthemix-green/scripts/timthumb.php
http://example.com/wp-content/themes/a-simple-business-theme/scripts/timthumb.php
http://example.com/wp-content/themes/a-supercms/timthumb.php
http://example.com/wp-content/themes/aureola/scripts/timthumb.php
http://example.com/wp-content/themes/aurorae/timthumb.php
http://example.com/wp-content/themes/autofashion/thumb.php
http://example.com/wp-content/themes/automotive-blog-theme/Quick%20Cash%20Auto/timthumb.php
http://example.com/wp-content/themes/bikes/thumb.php
http://example.com/wp-content/themes/automotive-blog-theme/timthumb.php
http://example.com/wp-content/themes/black_eve/timthumb.php
http://example.com/wp-content/themes/blex/scripts/timthumb.php
http://example.com/wp-content/themes/bloggnorge-a1/scripts/timthumb.php
http://example.com/wp-content/themes/blogified/timthumb.php
http://example.com/wp-content/themes/blue-corporate-hyve-theme/timthumb.php
http://example.com/wp-content/themes/bluemag/library/timthumb.php
http://example.com/wp-content/themes/blue-news/scripts/timthumb.php
http://example.com/wp-content/themes/bombax/includes/timthumb.php
http://example.com/wp-content/themes/breakingnewz/timthumb.php
http://example.com/wp-content/themes/brightsky/scripts/timthumb.php
http://example.com/wp-content/themes/brochure-melbourne/includes/timthumb.php
http://example.com/wp-content/themes/business-turnkey/assets/js/timthumb.php
http://example.com/wp-content/themes/calotropis/includes/timthumb.php
http://example.com/wp-content/themes/coffee-lite/thumb.php
http://example.com/wp-content/themes/comet/scripts/timthumb.php
http://example.com/wp-content/themes/conceditor-wp-strict/scripts/timthumb.php
http://example.com/wp-content/themes/constructor/layouts/thumb.php
http://example.com/wp-content/themes/constructor/libs/timthumb.php
http://example.com/wp-content/themes/constructor/timthumb.php
http://example.com/wp-content/themes/coverht-wp/scripts/timthumb.php
http://example.com/wp-content/themes/cover-wp/scripts/timthumb.php
http://example.com/wp-content/themes/dark-dream-media/timthumb.php
http://example.com/wp-content/themes/deep-blue/timthumb.php
http://example.com/wp-content/themes/delicate/thumb.php
http://example.com/wp-content/themes/diamond-ray/thumb.php
http://example.com/wp-content/themes/dieselclothings/thumb.php
http://example.com/wp-content/themes/digitalblue/thumb.php
http://example.com/wp-content/themes/dimenzion/timthumb.php
http://example.com/wp-content/themes/epione/script/timthumb.php
http://example.com/wp-content/themes/evr-green/scripts/timthumb.php
http://example.com/wp-content/themes/famous/megaframe/megapanel/inc/upload.php
http://example.com/wp-content/themes/famous/timthumb.php
http://example.com/wp-content/themes/fashion-style/thumb.php
http://example.com/wp-content/themes/featuring/timthumb.php
http://example.com/wp-content/themes/fliphoto/timthumb.php
http://example.com/wp-content/themes/flix/timthumb.php
http://example.com/wp-content/themes/fordreporter/scripts/thumb.php
http://example.com/wp-content/themes/freeside/thumb.php
http://example.com/wp-content/themes/fresh-blu/scripts/timthumb.php
http://example.com/wp-content/themes/go-green/modules/timthumb.php
http://example.com/wp-content/themes/granite-lite/scripts/timthumb.php
http://example.com/wp-content/themes/greydove/timthumb.php
http://example.com/wp-content/themes/greyzed/functions/efrog/lib/timthumb.php
http://example.com/wp-content/themes/gunungkidul/thumb.php
http://example.com/wp-content/themes/heartspotting-beta/thumb.php
http://example.com/wp-content/themes/heli-1-wordpress-theme/images/timthumb.php
http://example.com/wp-content/themes/ideatheme/timthumb.php
http://example.com/wp-content/themes/impressio/timthumb/timthumb.php
http://example.com/wp-content/themes/introvert/thumb.php
http://example.com/wp-content/themes/inuit-types/thumb.php
http://example.com/wp-content/themes/isotherm-news/thumb.php
http://example.com/wp-content/themes/iwana-v10/timthumb.php
http://example.com/wp-content/themes/jambo/thumb.php
http://example.com/wp-content/themes/jcblackone/thumb.php
http://example.com/wp-content/themes/kratalistic/thumb.php
http://example.com/wp-content/themes/life-style-free/thumb.php
http://example.com/wp-content/themes/likehacker/timthumb.php
http://example.com/wp-content/themes/litepress/scripts/timthumb.php
http://example.com/wp-content/themes/loganpress-premium-theme-1/thumb.php
http://example.com/wp-content/themes/magazine-basic/thumb.php
http://example.com/wp-content/themes/magup/timthumb.php
http://example.com/wp-content/themes/make-money-online-theme-1/scripts/timthumb.php
http://example.com/wp-content/themes/make-money-online-theme-2/scripts/timthumb.php
http://example.com/wp-content/themes/make-money-online-theme-3/scripts/timthumb.php
http://example.com/wp-content/themes/make-money-online-theme-4/scripts/timthumb.php
http://example.com/wp-content/themes/make-money-online-theme/scripts/timthumb.php
http://example.com/wp-content/themes/meintest/layouts/thumb.php
http://example.com/wp-content/themes/mobilephonecomparision/thumb.php
http://example.com/wp-content/themes/moi-magazine/timthumb.php
http://example.com/wp-content/themes/my-heli/images/timthumb.php
http://example.com/wp-content/themes/mymag/timthumb.php
http://example.com/wp-content/themes/mystique/extensions/auto-thumb/timthumb.php
http://example.com/wp-content/themes/nash/theme-assets/php/timthumb.php
http://example.com/wp-content/themes/neofresh/timthumb.php
http://example.com/wp-content/themes/neo_wdl/includes/extensions/thumb.php
http://example.com/wp-content/themes/new-green-natural-living-ngnl/scripts/timthumb.php
http://example.com/wp-content/themes/newspress/thumb.php
http://example.com/wp-content/themes/pearlie/scripts/timthumb.php
http://example.com/wp-content/themes/pico/scripts/timthumb.php
http://example.com/wp-content/themes/postage-sydney/includes/timthumb.php
http://example.com/wp-content/themes/premium-violet/thumb.php
http://example.com/wp-content/themes/probluezine/timthumb.php
http://example.com/wp-content/themes/pronto/cjl/pronto/uploadify/check.php
http://example.com/wp-content/themes/pronto/cjl/pronto/uploadify/uploadify.php
http://example.com/wp-content/themes/r755/thumb.php
http://example.com/wp-content/themes/regal/timthumb.php
http://example.com/wp-content/themes/shaan/timthumb.php
http://example.com/wp-content/themes/shadow-block/thumb.php
http://example.com/wp-content/themes/shadow/timthumb.php
http://example.com/wp-content/themes/simple-but-great/timthumb.php
http://example.com/wp-content/themes/simplenews_premium/scripts/timthumb.php
http://example.com/wp-content/themes/simple-red-theme/timthumb.php
http://example.com/wp-content/themes/simple-tabloid/thumb.php
http://example.com/wp-content/themes/simplewhite/timthumb.php
http://example.com/wp-content/themes/slidette/timThumb/timthumb.php
http://example.com/wp-content/themes/snowblind_colbert/thumb.php
http://example.com/wp-content/themes/snowblind/thumb.php
http://example.com/wp-content/themes/spotlight/timthumb.php
http://example.com/wp-content/themes/squeezepage/timthumb.php
http://example.com/wp-content/themes/standout/thumb.php
http://example.com/wp-content/themes/suffusion/timthumb.php
http://example.com/wp-content/themes/swift/includes/thumb.php
http://example.com/wp-content/themes/swift/includes/timthumb.php
http://example.com/wp-content/themes/swift/timthumb.php
http://example.com/wp-content/themes/techozoic-fluid/options/thumb.php
http://example.com/wp-content/themes/the_dark_os/tools/timthumb.php
http://example.com/wp-content/themes/themetiger-fashion/thumb.php
http://example.com/wp-content/themes/theory/thumb.php
http://example.com/wp-content/themes/the-theme/core/libs/thumbnails/thumb.php
http://example.com/wp-content/themes/thrillingtheme/thumb.php
http://example.com/wp-content/themes/tm-theme/js/timthumb.php
http://example.com/wp-content/themes/totallyred/scripts/timthumb.php
http://example.com/wp-content/themes/travelogue-theme/scripts/timthumb.php
http://example.com/wp-content/themes/true-blue-theme/timthumb.php
http://example.com/wp-content/themes/ttnews-theme/timthumb.php
http://example.com/wp-content/themes/typographywp/timthumb.php
http://example.com/wp-content/themes/ugly/timthumb.php
http://example.com/wp-content/themes/unity/timthumb.php
http://example.com/wp-content/themes/versitility/timthumb.php
http://example.com/wp-content/themes/vibefolio-teaser-10/scripts/timthumb.php
http://example.com/wp-content/themes/vina/thumb.php
http://example.com/wp-content/themes/whitemag/script/thumb.php
http://example.com/wp-content/themes/wpapi/thumb.php
http://example.com/wp-content/themes/wpbus-d4/includes/timthumb.php
http://example.com/wp-content/themes/wp-creativix/scripts/timthumb.php
http://example.com/wp-content/themes/wp-newsmagazine/scripts/timthumb.php
http://example.com/wp-content/themes/wp-perfect/js/timthumb.php
http://example.com/wp-content/themes/wp-premium-orange/timthumb.php
http://example.com/wp-content/themes/xiando-one/thumb.php
http://example.com/wp-content/themes/zcool-like/timthumb.php
http://example.com/wp-content/themes/zcool-like/uploadify.php
http://example.com/wp-content/themes/twittplus/scripts/timthumb.php