phpRemoteView Hack on WordPress

I recently discovered a phpRemoteView hack on one of my busiest WordPress blogs. Below I have compiled a list of possible uses for the hack and ways to remove it.

This is exactly how it happened to me and how I removed it:

ATTENTION: IGIT Related Posts With Thumb Image After Posts version 3.9.7 with WordPress 3.2.1 is vulnerable to phpRemoteView Attack. Two of our clients’ sites were compromised recently. We checked it thoroughly and found that the IGIT plugin is the source of the injection. Here’s the hack: [malicious code]
[removed code] injected into index.php. Also, in wp-admin there were two suspicious files, ‘common.php’ and ‘udp.php’.

We have cleaned the index.php, deleted those suspicious files and removed the whole IGIT plugin, and things came back to normal.

I am posting it here in case it is of any help to anyone in future.


http://wordpress.org/support/topic/attention-igit-related-posts-with-thumb-image-after-posts-phpremoteview-attack?replies=3


This is regarding older versions of WordPress, but is still relevant today:

Yesterday I discovered a file called config.php had appeared in the plugins directory of three of my WP2.04 installations (different domains) on a shared server.

The script turned out to be phpRemoteView, which seems to give anyone who navigates to it the ability to view and manipulate every file and folder within the user’s directory!

According to this discussion thread it is used as a hacker’s tool, exploiting a vulnerability in a particular FTP server, which I can confirm my host is using.

The version is outdated for Pure-FTPd and there is an exploit that allows remote users to basically gain root access. To fix it I just switched to ProFTPd and that is no longer a valid exploit.

Surprise, surprise, my host support response was:

The phpRemoteView could have been uploaded via your other php softwares.

The only “other php softwares” I have installed is WordPress, and I have the latest version. It won’t let me upload .php files (as I would expect).

Has anyone else encountered phpRemoteView in a WordPress installation?

Is there anything I can do to protect myself from this happening again, or should I be looking for a different host?


http://wordpress.org/support/topic/wordpress-hacked-with-phpremoteview

I was fortunate enough to discover the hack very early, so not a lot of damage was done before I removed it. My tips would be the usual ones: give yourself a unique admin username and a unique, very strong password; install the necessary WordPress security plugins; keep your PC clean of any spyware; regularly change your cPanel and FTP passwords; and switch to a different host if you suspect weak security on their part.

Also make sure you read the comments on plugin pages before installing the plugin. The community is usually very vocal when they discover a plugin vulnerability and it usually helps to listen to them.
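As an added example that is not part of this post or of either forum thread, the following Python script shows one way to catch what both posters describe: new PHP files appearing in wp-admin or the plugins directory, and index.php being modified. It hashes every file once from a known-clean install, compares a later snapshot against that baseline, and greps PHP files for marker strings. The directory layout and file contents built in demo() are constructed for the demonstration; the eval/base64 markers are my own assumptions about common obfuscation, not signatures taken from the page.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Substrings whose presence in a PHP file is worth a manual look. "phpRemoteView"
# is the tool named in the forum posts; the eval/base64 markers are assumptions
# about common obfuscation patterns, not signatures from the page.
SUSPICIOUS_MARKERS = ("phpRemoteView", "eval(base64_decode(", "eval(gzinflate(")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def scan_for_markers(root: Path) -> dict:
    """Return {relative path: [markers found]} for .php files containing any marker."""
    hits = {}
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="ignore")
        found = [m for m in SUSPICIOUS_MARKERS if m in text]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict:
    """Constructed scenario: a minimal clean install, then the changes the posts describe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-admin").mkdir()
        (root / "wp-content" / "plugins").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-admin" / "admin.php").write_text("<?php // admin\n")

        # Baseline taken while the install is known to be clean. In practice store
        # this JSON somewhere the web server user cannot write to.
        baseline = build_manifest(root)

        # Simulated compromise (constructed): new files appear and index.php is modified,
        # mirroring the config.php / udp.php / index.php findings in the posts.
        (root / "wp-admin" / "udp.php").write_text("<?php // phpRemoteView\n")
        (root / "wp-content" / "plugins" / "config.php").write_text(
            "<?php eval(base64_decode('x'));\n"
        )
        with (root / "index.php").open("a") as f:
            f.write("<?php /* injected */ ?>\n")

        report = compare_manifests(baseline, build_manifest(root))
        report["marker_hits"] = scan_for_markers(root)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest() against the real document root right after a clean install or upgrade and keep the JSON outside the web root; a cron job that re-runs the comparison will then flag dropped files like the ones above within minutes rather than leaving them to be found by chance.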




About Sarel Jan

Technology, Blogging and Social Media is what I like. Web Development is what I love and do.
