• ATTENTION: IGIT Related Posts With Thumb Image After Posts version 3.9.7 with WordPress 3.2.1 is vulnerable to phpRemoteView Attack. 2 of client’s sites were compromised recently. We checked thoroughly and found that the IGIT plugin is the source of the injection. Here’s the hack: [malicious code]
    [removed code] injected into index.php. Also, in wp-admin there were 2 suspicious files, ‘common.php’ and ‘udp.php’.

    We have cleaned the index.php, deleted those suspicious files and removed the whole IGIT plugin, and things came back to normal.

    I am posting it here in case it is of any help to anyone in future.

Viewing 11 replies - 16 through 26 (of 26 total)
  • I actually ran the Sucuri scanner before I found this thread and it did not detect the active exploit. That was what prompted me to search for that URL again, because I had a wild guess that the exploit was too new for them to have it listed in their system yet as something to look for.

    Don’t forget to delete the phony files in your WordPress installation!

    There are 6 now:

    /wp-admin/js/config.php
    /wp-admin/common.php
    /wp-admin/udp.php
    /wp-content/udp.php
    /wp-content/uploads/feed-file.php
    /wp-content/uploads/feed-files.php

    A new domain popped up, so you have to change your .htaccess (not inside public_html) and replace the lines with this:

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    If you don’t have an .htaccess file there, make one.

    What do you mean by “not inside public_html”? Do you mean under /wp-admin, /wp-content, etc.?

    The php.ini file is in the root of your account folder ABOVE public_html.

    So the folder structure would be like this:

    ../php.ini
    ../public_html/index.php
    ../public_html/wp-admin/js/config.php
    ../public_html/wp-admin/common.php
    ../public_html/wp-admin/udp.php
    ../public_html/wp-content/udp.php
    ../public_html/wp-content/uploads/feed-file.php
    ../public_html/wp-content/uploads/feed-files.php

    REMEMBER TO FIX YOUR INDEX FILE. It loads an external script which writes an iframe inside your site.

    @cbmc In your account’s root folder.

    You can read the full thread here:

    PHPRemoteView Hack: What it is, and how to remove it ? TechSpheria https://bit.ly/oRgMnJ

    Oh, the site’s root folder. I’ve got my own servers, so there is no “account” involved.

    Much appreciative of the link. Thx!

    You are very welcome.

    Thanks for all the help here. 3 sites affected so far. But these fixes seem to do the trick.

    These fixes worked for me as well. Thanks everyone!

    Unfortunately, it looks like IGIT Related is still available from the WordPress plugins directory.

    Never mind. It looks like I may have confused the widget with the non-widget version.

    Hi All,

    Sorry, I was not available for a month due to an accident, and many things happened here while I was not available.

    First of all, I am sorry for not updating the plugin for the timthumb vulnerability. I have updated timthumb, but WordPress closed my plugin, and this is because of all your efforts, especially debajyoti's.

    @debajyoti, as you wrote: The ethics of the plugin developer is now questionable.
    Could you please explain to me what you want to say? How could you blame someone's ethics? If I put links, then I already gave an option in the admin to remove them; you can check in the admin that the option is already available. I am really sorry for not updating the plugin, and thanks to all, and especially you, for drawing attention to removing my plugin from sites.

    Ankur

  • The topic ‘ATTENTION: IGIT Related Posts With Thumb Image After Posts phpRemoteView Attack’ is closed to new replies.
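
A read-only check for the clean-up described in this thread, added here as an example and not posted by any participant: it reports which of the six listed files are still present, any PHP file under wp-content/uploads, and whether index.php differs from a known-clean copy. The function names, the output labels and the clean-copy argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): look for leftovers under a WordPress root.
# Usage: sh check_leftovers.sh /path/to/wordpress [/path/to/clean/index.php]

# The six paths listed in the thread, relative to the WordPress root.
REPORTED_PATHS='wp-admin/js/config.php
wp-admin/common.php
wp-admin/udp.php
wp-content/udp.php
wp-content/uploads/feed-file.php
wp-content/uploads/feed-files.php'

# Print each reported path that still exists under ROOT ($1), one per line.
find_reported_files() {
    frf_root=$1
    for frf_rel in $REPORTED_PATHS; do
        if [ -e "$frf_root/$frf_rel" ]; then printf '%s\n' "$frf_rel"; fi
    done
}

# Print every PHP file under wp-content/uploads. Assumption: a media upload
# directory should hold no PHP at all, so any hit deserves a manual look.
find_upload_php() {
    if [ -d "$1/wp-content/uploads" ]; then
        (cd "$1" && find wp-content/uploads -type f -name '*.php' | sort)
    fi
}

# Succeed (exit 0) when ROOT/index.php differs from a known-clean copy ($2),
# e.g. index.php from a fresh download of the same WordPress version.
index_modified() {
    ! cmp -s "$1/index.php" "$2"
}

# Combined report: one labelled line per finding, nothing when the tree is clean.
scan_wp_root() {
    find_reported_files "$1" | sed 's/^/REPORTED: /'
    find_upload_php "$1" | sed 's/^/PHP-IN-UPLOADS: /'
    if [ -n "${2:-}" ] && index_modified "$1" "$2"; then
        echo "MODIFIED: index.php"
    fi
}

if [ "$#" -ge 1 ]; then scan_wp_root "$@"; fi
```

The script only reads the tree; deleting the files and restoring index.php remain manual steps.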