
If you haven’t upgraded to Wordpress 2.7 yet then I suggest you do it sooner rather than later. There’s an exploit in earlier versions of Wordpress that is being used to compromise installations & turn them into mass zombie DDOS machines.

How do you check if you’ve been hacked

Via FTP, go to the folder /wp-content/themes/. If there’s a file there named “remv.php” then you’re one of the unlucky ones.

What is remv.php?

It’s an application called PHPremoteView. It basically allows anyone to run any PHP commands on your server. This could result in a wide variety of damage (lost files, stolen passwords, having your adsense code changed, affiliate URLs changed, etc.).

Currently most of the compromised installs are being used for DDOS attacks, so if you also notice an unusually high load on your server, this could be the cause.

What to do to fix it

  1. Delete the remv.php file first.
  2. Look to see which files in the Wordpress folder have been altered lately. It’s possible that your theme headers or footer could contain spam links to pharma affiliate sites that you wouldn’t otherwise notice.
  3. Export all your Wordpress posts via XML, then reinstall Wordpress 2.7 & import your posts.
  4. If you’re hosting multiple sites on your server, you’ll want to check for all the files that have been modified within the time range since remv.php was created.
  5. Change all your passwords: user, root, wordpress, mysql databases… everything.
  6. Upgrade all your plugins to the latest versions (some might not work in 2.7 also).
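
The check and steps 2 and 4 as a script, added here as an example and not part of the original post: it looks for remv.php under wp-content/themes and lists every file changed after it. It assumes shell access to the server (the post uses FTP), uses the file's modification time as a stand-in for its creation time, and the function names are this example's own. Run it before the delete in step 1, because the time range comes from remv.php itself.

```shell
#!/bin/sh
# Added example: locate remv.php and list files modified after it.
# Assumption: remv.php's mtime approximates the time of compromise.

# Print the path of every remv.php under a wp-content/themes folder.
find_remv() {
    # $1 = directory to search (one site, or the parent of several sites)
    find "$1" -type f -name 'remv.php' -path '*/wp-content/themes/*'
}

# Print, sorted, the files under a directory modified after a marker file.
modified_since() {
    # $1 = directory to search, $2 = marker file (the remv.php that was found)
    find "$1" -type f -newer "$2" | sort
}

# Report for one directory tree. Returns 0 if clean, 1 if remv.php was found.
scan_root() {
    root=$1
    markers=$(find_remv "$root")
    if [ -z "$markers" ]; then
        echo "clean: no remv.php under $root"
        return 0
    fi
    echo "$markers" | while IFS= read -r marker; do
        echo "FOUND: $marker"
        ls -l "$marker"            # record the timestamp before deleting
        echo "Files modified after it (review each one):"
        modified_since "$root" "$marker" | sed 's/^/  /'
    done
    return 1
}

# Usage: sh scan.sh /path/to/site1 /path/to/site2 ...
for root in "$@"; do
    scan_root "$root" || true
done
```

Point it at the parent directory of all hosted sites to cover step 4 in one pass.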

19 Comments on "Hack Alert (remv.php) – Upgrade to Wordpress 2.7"

titan 13. Dec 2008, 4:18 pm

Ehm, thanks for notifying about this. I guess it's really good tips.

Anders Saugstrup 13. Dec 2008, 7:33 pm

Thanks for the heads up!

I have been trying to find more information on this – including confirmation that 2.7 targets this issue. Could you help with a link or a few more words on that?

Anders Saugstrup

Blog Man 15. Dec 2008, 1:57 am

Thanks for the info. I converted all my sites to 2.7

scott 15. Dec 2008, 7:02 pm

Thanks for the info.

bounce house 15. Dec 2008, 7:52 pm

Wow… Seems very serious?
I continue using 2.6

?? 15. Dec 2008, 10:29 pm

Thank You? I’ll upgrade my blog to Wordpress 2.7 at once!

Vince @ Niche Market Supplies 19. Dec 2008, 2:35 pm

Several of my blogs were hacked with this method recently. I was using older versions of Wordpress out of laziness. I hadn’t upgraded them in a while. I didn’t realize there was a problem until I noticed a strange drop in traffic and sales.

macewan 22. Dec 2008, 9:55 pm

sites are a racking up :-O

do those upgrades ;-)

affiliate blogger 04. Jan 2009, 4:57 pm

Hey thanks for the heads up – Just found this post and glad I did. I knew there was some sort of security issue with previous Wordpress versions, but didn’t realize how bad it could be!
