How to Check for PHP Remote View Hack


There have been some grumblings as of late about a PHP Remote View Hack. WordPress has been updated to protect against it, as have several themes and plugins that were possibly susceptible. I upgraded all of these and thought the problem was solved. Plus I never got any pop-ups, which is the start of the hack, so I thought everything was fine. But in the process of adding some new features to my website I stumbled upon the hack where it was lying in wait. This worked for me, and I don’t know if it will work for you, but it’s an easy way to see if the PHP Remote View Hack is waiting to pop up on you in the future.

First thing to do, check your feed.

How I stumbled across this was by working with my RSS feed. I entered my feed URL, http://www.empiricalintegratedmarketing.com/feed, and got an error message. The error message contained the following: “error on line 209 at column 1: Extra content at the end of the document”. The main thing to look for is the “Extra content at the end of the document” part. This is the red flag for this hack. Check your feed, http://www.your-website.com/feed, to see if you get the same error message.

What to do if you find the PHP Remote View Hack.

In doing the research on what to do with this error message, I found a good solution from Techspheria.

  • First, in your WordPress’s index.php, remove the following script added by the hack:


 

  •  Then remove these phony files added by the hackers (back up first, in case your installation actually requires these files):

/wp-admin/js/config.php
/wp-admin/common.php
/wp-admin/udp.php
/wp-content/udp.php

Do not try to open any of these files.

They will make your antivirus software have fits, so it’s better just to delete them straight away. After you have removed the script and the files, check to make sure none of the permissions on your files and directories have been changed. A typical WordPress installation has folder permissions at 755 and file permissions at 644.
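
The checks described above (feed well-formedness, the four listed files, and 755/644 permissions) can be scripted. The following Python is an added example, not code from the original post or from Techspheria; the function names and the constructed sample feed are assumptions made for illustration.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

# The four files the post lists as added by the hack (relative to the WordPress root).
SUSPECT_FILES = [
    "wp-admin/js/config.php",
    "wp-admin/common.php",
    "wp-admin/udp.php",
    "wp-content/udp.php",
]

def feed_error(feed_bytes):
    """Return None if the feed is well-formed XML, else the parser's error text."""
    try:
        ET.fromstring(feed_bytes)
        return None
    except ET.ParseError as exc:
        # Markup appended after the closing root tag lands here.
        return str(exc)

def find_suspect_files(wp_root):
    """Report which listed files exist. Only tests existence; never opens them."""
    return [p for p in SUSPECT_FILES if os.path.lexists(os.path.join(wp_root, p))]

def permission_drift(wp_root, dir_mode=0o755, file_mode=0o644):
    """Return (relative path, octal mode) for entries that differ from 755/644."""
    drift = []
    for base, dirs, files in os.walk(wp_root):
        for name, want in [(d, dir_mode) for d in dirs] + [(f, file_mode) for f in files]:
            full = os.path.join(base, name)
            if os.path.islink(full):
                continue  # symlink modes are not meaningful
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode != want:
                drift.append((os.path.relpath(full, wp_root), oct(mode)[2:]))
    return sorted(drift)

if __name__ == "__main__":
    # Constructed sample: a minimal feed with extra markup after the root element.
    sample = b"<rss><channel><title>t</title></channel></rss>\n<p>constructed</p>"
    print("feed:", feed_error(sample))
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("suspect files:", find_suspect_files(root))
    print("permission drift:", permission_drift(root))
```

Pass the WordPress root as the first argument, and feed `feed_error` the bytes of your own `/feed` response; any non-empty result from the three checks is worth a closer look.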

Who’s doing this?

This hack script was run from superpuperdomain.com.  So if you see anything containing that domain in any error messages you receive, be sure to search the WordPress forums for possible solutions.  That is where I came across Techspheria’s solution and I was very fortunate I did.

Be Safe.

Remember, back up and update your website often to help prevent these types of hack attempts. If you found this suggestion helpful, could you do us a solid and give us a +1, like, or tweet about it to your friends? Thanks, and feel free to add any comments or other suggestions below.
