Support » Fixing WordPress » WTF is remv.php in wp-content/themes folder?

  • Ok, I’ve working WP a lot for a while now, and I’ve never seen this before. I was working on a site for a client, and suddenly found the file “remv.php” in the themes folder. I downloaded it to take a look at it, and my NOD32 virus warning came up! It killed the file right away….

    So, a virus, on my server? anyone…

Viewing 4 replies - 1 through 4 (of 4 total)
  • ive seen that on a site that was hosted on yahoo.

    I didnt open it when I saw it but its googlable, whatever it is

    even better:

    and you cant catch a virus from opening it in wordad or notepad.

    I wanted to see what was in the file. Here it is:

    I know thats the file since the hosts authentication is included.

    if thats not a file you uploaded, I would ask your host whether or not its something they’ve uploaded. If they don’t know what its there for, I would act on the assumption that your site has been compromised, and proceed accordingly.

    I found the same thing on my WP installs. I had not upgraded since WP2.0.5!
    Shame on me.
    Anyway, I looked in the remv.php file, and it’s set to only allow people from certain IP blocks to access the file.
    I bounced the IP blocks that are found in there, and it’s basically a block of cable ISP IP blocks in Pennsylvania, and Massachussets.

    Very hackish stuff.
    remv.php allows full shell access and other PHP goodies to those who get in through it. Remove it immediately.

    I also encountered this sort of problem in my old blogs WP 2.6 below. I haven’t updated my blog for so long. Hehe. Thanks for this now I know what’s that remv.php was.

    I came to know about it after I downloaded all the files in my wp-content for back up purposes. My NOD32 suddenly quarantined and deleted it because it’s a virus.. woooot! I also tried to rename it and download it, but still, nod32 deleted it. I tried to view it in txt format and wooooot! It’s somekind of a weird hack, a loophole to access my humble blog.. whew.. that was scary. I just deleted it and upgraded to the latest version and now it’s fine. 🙂

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘WTF is remv.php in wp-content/themes folder?’ is closed to new replies.