WordPress.org


WTF is remv.php in wp-content/themes folder? (5 posts)

  1. Fastone
    Member
    Posted 5 years ago #

    Ok, I've been working with WP a lot for a while now, and I've never seen this before. I was working on a site for a client, and suddenly found the file "remv.php" in the themes folder. I downloaded it to take a look at it, and my NOD32 virus warning came up! It killed the file right away....

    So, a virus, on my server? Anyone...

  2. whooami
    Member
    Posted 5 years ago #

    I've seen that on a site that was hosted on Yahoo.

    I didn't open it when I saw it, but it's googlable, whatever it is

    http://www.google.com/search?hl=en&q=remv.php&btnG=Google+Search&aq=f&oq=

    even better:

    http://www.google.com/search?hl=en&q=wp-content/themes/remv.php&start=10&sa=N

    and you can't catch a virus from opening it in WordPad or Notepad.

  3. whooami
    Member
    Posted 5 years ago #

    I wanted to see what was in the file. Here it is:

    http://people.itu.int/~finn/remv.php

    I know that's the file since the host's authentication is included.

    If that's not a file you uploaded, I would ask your host whether or not it's something they've uploaded. If they don't know what it's there for, I would act on the assumption that your site has been compromised, and proceed accordingly.

  4. Bill Perry
    Member
    Posted 5 years ago #

    I found the same thing on my WP installs. I had not upgraded since WP2.0.5!
    Shame on me.
    Anyway, I looked in the remv.php file, and it's set to only allow people from certain IP blocks to access the file.
    I bounced the IP blocks that are found in there, and it's basically a block of cable ISP IP blocks in Pennsylvania and Massachusetts.

    Very hackish stuff.
    remv.php allows full shell access and other PHP goodies to those who get in through it. Remove it immediately.

  5. jehzlau
    Member
    Posted 5 years ago #

    I also encountered this sort of problem in my old blogs, WP 2.6 and below. I haven't updated my blog for so long. Hehe. Thanks for this, now I know what that remv.php was.

    I came to know about it after I downloaded all the files in my wp-content for backup purposes. My NOD32 suddenly quarantined and deleted it because it's a virus.. woooot! I also tried to rename it and download it, but still, NOD32 deleted it. I tried to view it in txt format and wooooot! It's some kind of a weird hack, a loophole to access my humble blog.. whew.. that was scary. I just deleted it and upgraded to the latest version and now it's fine. :)
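
An added example, not part of the original thread and not derived from the contents of remv.php: a small audit of `wp-content/themes` that flags the two traits the posts describe, a PHP file sitting loose in the themes folder and code that combines command execution with a client-IP check. The function name, the marker patterns, and the assumption that a stock themes folder holds only `index.php` at its top level are choices made for this example.

```python
import re
import sys
from pathlib import Path

# Assumption: a stock wp-content/themes holds only index.php plus one
# sub-directory per theme, so any other top-level PHP file is suspect.
EXPECTED_TOP_LEVEL = {"index.php"}

# Heuristic markers (chosen for this example, not taken from remv.php):
# PHP command-execution calls, and a client-address check like the
# IP allow-list described in the thread.
EXEC_CALL = re.compile(rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
ADDR_CHECK = re.compile(rb"REMOTE_ADDR")


def audit_themes_dir(themes_dir):
    """Return {relative_path: [reasons]} for PHP files worth a manual look."""
    root = Path(themes_dir)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".php", ".phtml"}:
            continue
        rel = path.relative_to(root)
        reasons = []
        # A PHP file directly in themes/ belongs to no theme at all.
        if len(rel.parts) == 1 and rel.name not in EXPECTED_TOP_LEVEL:
            reasons.append("stray PHP file outside any theme directory")
        try:
            data = path.read_bytes()
        except OSError as err:
            reasons.append(f"unreadable: {err.strerror}")
            data = b""
        if EXEC_CALL.search(data):
            reasons.append("calls a command-execution function")
            if ADDR_CHECK.search(data):
                reasons.append("gates access on the client IP address")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python audit_themes.py /path/to/wp-content/themes
    for name, why in audit_themes_dir(sys.argv[1]).items():
        print(f"{name}: {'; '.join(why)}")
```

A hit is a prompt for manual review rather than proof of compromise, since legitimate themes occasionally call these functions, and an empty result does not show the site is clean.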

Topic Closed

This topic has been closed to new replies.
