TimThumb remote file is one of the most actively scanned-for vulnerabilities on the Internet these days. A single server had over two thousand attempts to drop this shell on it since the start of June 2012 alone. The attacks are very easy to identify in Apache logs. The actual shell that gets dropped is simultaneously sneaky and blatant. The file that comes down actually begins with a valid GIF header – so valid, in fact that file(1) will return the following:sh.php: GIF image data, version 89a, 16129 x 16191.”]
Source: https://blog.talosintelligence.com/2012/06/web-shell-poses-as-gif.html