
[help] MY site just got hacked. PHPremoteview.

Discussion in 'Black Hat SEO' started by trevorhoang, Aug 8, 2011.

  1. trevorhoang

    trevorhoang Power Member

    So my site just got hacked and I called up my hosting provider Bluehost. They told me that there is nothing they can do on their end, but they told me it is called a phpremoteview.

    I am gonna google what this is right after this post, but if anyone has experience with this, please share. I am in a little panic mode since I put so much work into this website.

    Any advice or feedback is greatly appreciated.
    Trevor
     
  2. TZ2011

    TZ2011 Senior Member

    It is a very, very old script; I remember it from 2002 or 2003. Basically this is one of the first shell scripts, made for white hat purposes, to check and administer files on a server, upload and erase files, etc.
    If you have access to your FTP server, download/make a backup of all your files, the full site, and check each file locally for injected code, redirect links or funny garbled symbols. Don't know what platform your site is built on, but check for 'eval',
    base64, encode, decode, words like %32\u0014 + t^70eAM, arguments.callee.toString(), or characters obfuscated to hex like h&116;t, 0x1F1E, or a bunch of garbled text like 'function mssahsJl(disi9w)[var jJisqjsl=arguments.callee.toString().replace', etc.,
    and do a check with some white hat for RFI, XSS and other funny words.
     
  3. nf_able

    nf_able Newbie

    I feel you, I've been mopping this up for about 30 hours off and on. I know just enough coding to realize how much I don't know. First try the link below and see if that remedies it before resorting to deploying any backups. I just started keeping a personal CHANGELOG of everything I do concerning the site, plugins added/updated, PHP modded, etc. I highly suggest picking up this practice, so if you're ever nuked, you just have to follow a very long recipe, but at least you know what you did.

    My hosting (GreenGeeks) keeps nightly builds, and I had one from 08/05. For some reason, my backups wouldn't take.

    I renamed my public_html and put GG's backup in effect.

    Then I followed this advice (I can't post links yet, but this should indicate where to go) on tbogard's website, entitled 'removing-phpremoteview-hack-attack-from-your-wordpress'.

    Now I'm tightening the bolts and backing up daily like a fool (and downloading the backups) till I know this particular threat is neutralized.

    Best & gl
    -nf
     
  4. Freeopkiller

    Freeopkiller Junior Member

    One of my blogs got hit with an index redirect: phpRemoteView. I found 3 files:
    /wp-admin/common.php
    /wp-admin/udp.php
    /wp-admin/js/config.php
    Had to repair the index.php file.

    I was also running WP 3.0. Just updated, but if you're using older versions of WP you might wanna search for those files just in case.

    If you notice your traffic is up and AdSense disappears, you better check it. What it does is redirect your site to another, but only does it once per IP. So you see it the first time and think WTF, reload your site and it doesn't reappear. I travel a lot so my IP always changes; got the bugger this time. A simple search will do you good. My rankings for the week are almost non-existent now. Nice way to lose a 300 per month site. Happy hunting.

    Followup: Yep, looks like the timthumb.php in my template "Transcript 1.4 RC2" was the culprit.
     
    Last edited: Aug 15, 2011
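A defender-side triage script that turns TZ2011's checklist (post 2: eval/base64, arguments.callee.toString(), hex and entity obfuscation) and the dropped file paths Freeopkiller reports (post 4: wp-admin/common.php, wp-admin/udp.php, wp-admin/js/config.php, plus timthumb.php inside a theme) into something you can run over a downloaded copy of the site. This is an added example, not code from the thread or from any cleanup article; the pattern names, the long-base64 heuristic and the sample tree it builds are assumptions of this example.

```python
import re, tempfile
from pathlib import Path

# Content indicators from TZ2011's checklist plus a long-base64 heuristic (our addition).
CONTENT_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "js_self_decoding": re.compile(r"arguments\.callee\.toString\(\)"),
    "html_entity_obfuscation": re.compile(r"(?:&#\d{2,3};){4,}"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}"),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
# Paths Freeopkiller reported as dropped by this infection, relative to the site root.
DROPPED_PATHS = {"wp-admin/common.php", "wp-admin/udp.php", "wp-admin/js/config.php"}

def scan_text(text):
    """Return the names of the content indicators that match one file's contents."""
    return sorted(name for name, rx in CONTENT_PATTERNS.items() if rx.search(text))

def scan_tree(root):
    """Walk a local copy of the site; return (relative path, [reasons]) for suspect files."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel in DROPPED_PATHS:
            reasons.append("known_dropped_filename")
        if path.name == "timthumb.php" and "/themes/" in "/" + rel:
            reasons.append("timthumb_in_theme_verify_version")  # the thread's entry point
        if path.suffix.lower() in {".php", ".js", ".html", ".htm"}:
            reasons.extend(scan_text(path.read_text(errors="replace")))
        if reasons:
            findings.append((rel, reasons))
    return findings

def build_sample_site():
    """Constructed sample tree (harmless placeholder contents) so the scanner runs offline."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-admin/udp.php": "<?php eval(base64_decode('aGVsbG8='));",
        "wp-content/themes/demo/timthumb.php": "<?php /* image resizer */",
        "wp-content/themes/demo/footer.php": "<script>var s=arguments.callee.toString();</script>",
        "wp-includes/clean.php": "<?php echo 'nothing to see';",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

A hit on a theme's timthumb.php only means "check its version against the fixed one"; the content patterns are triage heuristics, so review each flagged file by hand before deleting or restoring it.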
  5. VIC SEO

    VIC SEO Elite Member

    Keeping a backup of the site is a great idea and always comes in handy, but what I don't understand is that sites just don't get hacked. Whose fault is it in the first place? I don't want that happening to my sites. Can you tell me what you did to prevent that?
     
  6. Djinn

    Djinn Newbie

    I noticed earlier today that one of my sites has the same phpremoteview hack; I do not know how long it has been there as the site runs on autopilot. I have just done a backup and am about to see if I can delete the infected files, fingers crossed I don't f*k the site up, lol.
     
  7. DebtFreeMe

    DebtFreeMe Regular Member

    How can I check for this on my servers? I use hostgator.

    Thanks
     
  8. Freeopkiller

    Freeopkiller Junior Member

    First thing to do: read the post nf_able recommended; search "removing-phpremoteview-hack-attack-from-your-wordpress" in Google.

    There seem to be a few security issues; mine of course was the timthumb.php file located in my theme directory. There seems to be a vulnerability in one of the WP related post plugins (can't remember which one, sorry). I just updated my timthumb.php file, which the article gives you a link to. Deleted the files mentioned above. I did update to the latest version of WordPress to overwrite any other affected files. So far so good. It's a pretty good hack as it will not reload itself if your IP has already visited, so it could have been running for a long time without you even knowing it. I only saw where it was stealing my traffic. I haven't seen any other malicious effects as of yet.

    Well, just looked at my site; phpRemoteView is back once again. I found another udp.php file. Not sure if I missed it or not. Otherwise I think it's fixed. If I get it again I'll post back.
     
    Last edited: Aug 17, 2011
  9. DebtFreeMe

    DebtFreeMe Regular Member

    Ya, I had looked into the timthumb.php thing about a week ago; none of my sites use it.

    Would the "Block Bad Queries" plugin have stopped this attack? It stops code from being injected into your files.
     
  10. orzyman

    orzyman Senior Member

    I remember when my site got hacked; it was like hell on earth because I knew nothing at that time, so backing up your files is a very good practice for any webmaster ;)
     
  11. RepGuru

    RepGuru Newbie

    This is a super old hacking script. Was this a forum they hacked?
     
  12. Freeopkiller

    Freeopkiller Junior Member

    WordPress, any version. A lot of themes that resize thumbnails used the timthumb.php script. It is what had the vulnerability to inject the phpview. Every time I think my site is fixed it pops up again. I just wiped the site and domain. It's easy, just look in your theme folder for the timthumb.php file.

    I don't see any reference in my database, so hopefully it will be back up soon.
    There is a timthumb.php fix/upgrade that addresses the problem.

    It's been a crappy month. My 300+ per month marijuana video site just got rejected/banned by AdSense for illegal content, even though 100% of the videos are YouTubes, go figure. Then to top it off, this site with the phpview problem was my only other 350-300/month AdSense site and now I can't even find myself in Google listings.

    My other 20 sites make about 1.20 a month. Crap, reminds me, server payments are due. Better get back to work.
     
  13. daveedanger

    daveedanger Newbie

    Old scripts are the best!