• Yesterday I discovered a file called config.php had appeared in the plugins directory of three of my WP2.04 installations (different domains) on a shared server.

    The script turned out to be phpRemoteView, which seems to give anyone who navigates to it the ability to view and manipulate every file and folder within the user’s directory!

    According to this discussion thread it is used as a hacker’s tool, exploiting a vulnerability in a particular FTP server, which I can confirm my host is using.

    the version is outdated for Pure-FTPd and that there is an exploit that allows remote users to basically gain root access. To fix it I just switched to ProFTPd and that is no longer a valid exploit.

    Surprise, surprise, my host support response was:

    The phpRemoteView could have been uploaded via your other php softwares.

    The only “other php softwares” I have installed is WordPress, and I have the latest version. It won’t let me upload .php files (as I would expect).

    Has anyone else encountered phpRemoteView in a WordPress installation?

    Is there anything I can do to protect myself from this happening again, or should I be looking for a different host?

Viewing 3 replies - 1 through 3 (of 3 total)
  • I know of 2 people it was used on – 1 ran phpnuke (outdated) and the other myphpnuke (also outdated).
    If it appeared in your plugins directory – I would suspect a plugin.

    Is your plugins directory permissions world writable?

    Thread Starter JohnP (@johnp)

    My plugins directory permissions are 755 – I haven’t changed them from the default.


The topic ‘WordPress hacked with phpRemoteView’ is closed to new replies.
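
The two checks raised in the thread (is the plugins directory world-writable, and is there a PHP file in it that nobody installed) can be run across several installations with a short audit script. This is an added example, not part of the original thread or of WordPress; the allowlist contents, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: top-level plugin files the site owner knowingly installed.
EXPECTED_TOP_LEVEL = {"index.php", "hello.php"}

def audit_plugins_dir(plugins_dir, expected=EXPECTED_TOP_LEVEL):
    """Return (world_writable, unexpected_php) for one plugins directory.

    world_writable: relative paths whose mode has the 'other write' bit set.
    unexpected_php: PHP files sitting directly in plugins_dir that are not
    on the allowlist (the stray config.php in the thread is this case).
    """
    world_writable, unexpected_php = [], []
    for root, _dirs, files in os.walk(plugins_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are not meaningful here
            if mode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(path, plugins_dir))
        if os.path.samefile(root, plugins_dir):
            for f in files:
                if f.lower().endswith((".php", ".phtml")) and f not in expected:
                    unexpected_php.append(f)
    return sorted(world_writable), sorted(unexpected_php)

def demo():
    """Constructed sample tree: a known plugin plus a stray config.php."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = os.path.join(tmp, "wp-content", "plugins")
        os.makedirs(os.path.join(plugins, "akismet"))
        for rel in ("hello.php", "config.php",
                    os.path.join("akismet", "akismet.php")):
            full = os.path.join(plugins, rel)
            with open(full, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
            os.chmod(full, 0o644)
        os.chmod(plugins, 0o755)                           # default, as in the thread
        os.chmod(os.path.join(plugins, "akismet"), 0o777)  # deliberately too open
        return audit_plugins_dir(plugins)

if __name__ == "__main__":
    writable, stray = demo()
    print("world-writable:", writable)
    print("unexpected top-level PHP:", stray)
```

A directory at 755 passes the world-writable check, so a stray file there was written by the owning account or by root; the allowlist comparison is the check that catches it.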