WordPress, remv.php and You

While hacked sites happen, the hacks are fairly benign.  Normally, folks with hacked sites see a few spam links at the bottom of their pages.  That sort of thing can normally be cleaned up with an upgrade.  When I have to deal with them, it also involves a rap on the knuckles and a lecture on the importance of staying on top of upgrades.

I’ve never seen a hack crop up with the tenacity of “remv.php” tho.  Seriously, it’s kind of scary.

I haven’t really had time to go over what all the “remv.php” script does, but I do know that it can be harnessed to send out DDoS (Distributed Denial of Service) attacks to unsuspecting sites.  How do I know this?  Well, about an hour after tossing in “They Live“, I hear Kitchen typing furiously and ask him what’s going on.

There’s a site’s getting DDoS’ed — but the attack is coming from predominately from our own servers.

Shit.  Was it a nasty 0-day worm?  Not so much.  Just a bunch of zombie blogs banging away at this poor bastard’s site.  And what did all those blogs have in common?  “remv.php” was hanging out in their “wp-content/themes” directory.

So in the interest of spreading the word, I’ve got a quick and dirty guide to dealing with sites infected with this nasty little script.

  1. Check to see if your WordPress install has “remv.php” in its “wp-content/themes” directory.  This can be accomplished by adding “wp-content/themes/remv.php” to the end of your blog’s URL.  If you see “Access Denied – your host is not allowed to access this page.”, congratulations — you’re part of the problem.
  2. If you come up as clear on the previous step, you can always double check by FTP’ing into your server and navigating your directories manually.  The file always seems to show up at “wp-content/themes/remv.php”.  If it’s not there, you’re probably safe — but you should upgrade your WordPress install if it’s not the latest and greatest in order to defend yourself fully.
  3. Should you see the file after going over either of the first two steps, go delete “remv.php” while FTP’ed into your server.  Keep the client open tho.  You’re not done.
  4. Upgrade your WordPress install.  At the time of this post, the latest stable version is 2.7 and can be acquired directly from WordPress.org.  That’s sure to change as the years roll on tho, so just try to upgrade to whatever the site lists as “stable”.
  5. Go to your host and change the MySQL password that coincides with your WordPress database.  If you don’t know how to do this, contact the support staff of your host and have them walk you thru it.
  6. Modify the line in your “wp-config.php” file that reads:
    define('DB_PASSWORD', 'myoldpassword');
    There, replace “myoldpassword” with the new MySQL password.
  7. Log in to your WordPress admin area and visit “Users > Authors & Users” (that’s what it’s called in version 2.7).  From there, you can edit your users and set new passwords for all of them.  That’s right all of them. No slacking here!  If you stay on top of updates, this shouldn’t happen again.
  8. Go back to your FTP client (from step 3) and rename “wp-content/plugins” to something like “wp-content/plugins.bak”. Why you’re doing this should become apparent in the next step.
  9. While still in your WP admin interface, visit “Plugins > Installed” (again, this is the name for it in 2.7).  It’ll complain that it can’t find your plugins (because you renamed the directory) and deactivate them for you.  Once it’s deactivated them, use your FTP client to name the directory back to “wp-content/plugins” , refresh “Plugins > Installed” and upgrade all out-of-date plugins before re-activating them.
  10. You’re done!  Well, so long as you have only one infected WordPress blog.  If you’ve got more of them, then repeat these steps until everything is happy once again.

If it seems like a lot of crap to go thru, just remember that this wouldn’t be an issue if you kept on top of security patches and made sure your plugins were up to date.  If you really want to avoid doing this again, subscribe to the WordPress Development Blog‘s feed and check it religiously.

If you have any more info on “remv.php”, let me know in the comments and I’ll do what I can to keep this entry up to date.

Update: It looks like “remv.php” is phpRemoteView.  Apparently, it’s pretty popular with the script kiddies, but it’s not the actual exploit that’s being used.  Still, it’s a bad thing that needs to be removed if you find it in your WordPress install.  If you’re interested in getting the gist of what the script is capable of, check out this page translation.

4 thoughts on “WordPress, remv.php and You

  1. That’s a great article, Jason and ought be required reading for anyone running a WordPress blog. I’ve linked it from a post on the DreamHost forums, in hopes others can benefit from it. Rock On!

  2. Good find!

    I will warn the Danish audience.

    Any knowledge on what versions of WordPress are safe from this hack?

  3. Got a message from google that my site was spamming. Found remv.php more or less by accident. Found out what it did by commenting out the line that checks to see if you are from the allowed list of IP addresses (near the beginning).
    It gave remote browser access to my entire directory tree, modify any file, seemed like it might be able to change modification times.
    So I look through every file (and there are a lot). Peppered through the directories are php scripts disguised as other things (eg picture.php.jpgg, right under picture.jpg).
    Make sure you check your files!
    Did the reinstall thing.

  4. That’s a great article, Jason and ought be required reading for anyone running a WordPress blog. It gave remote browser access to my entire directory tree, modify any file, seemed like it might be able to change modification times.

    Regards
    Juvy