Alien file: Remv.php

Yesterday morning, I got an email from Bluehost Support as follows…

Dear Webmaster for (deleted),

It has come to our attention that an exploit for WordPress 2.6.3 and below is running rampant through the internet, and has been discovered on your account for (deleted). Due to the upcoming holiday, we have decided to allow your website to stay online. The current file remv.php.hacked will be in your home directory under (deleted)/wp-content/themes. You have seven days to remove this file and update your version of WordPress and any modules you are using. If you have not performed the removal and update by the end of the 7th day, out of respect to other customers we will be forced to shut down your site until the requested removal and updates have been completed.

In addition, Fantastico does not have the latest version of WordPress which is 2.6.5. This means you will need to upgrade WordPress using SimpleScripts. You can easily do this from the cPanel. Go to SimpleScripts under “Software Services” and click on WordPress under “Blogs.” At the bottom you’ll see an option to “Convert a Fantastico Installation.” Clicking on this will list the installations available for conversion.

*deleted – blogs concerned

I set aside the email, thinking I’d deal with it when I got home from my movie date with my girlfriends. But while inside the movie house, Tita Liza texted me telling me that this blog as well as two of my other blogs were showing a syntax error. I immediately thought of the email I received from Bluehost.

When I got home, I checked my blogs right away. Yes, it was showing a syntax error. I checked my files and I saw a remv.php file in the themes folder. The same thing happened to my border. So I immediately upgraded my blogs to the newest version of WordPress (2.6.5), and I used SimpleScripts this time instead of Fantastico. I deleted my entire database and created new ones for each blog.

A couple of hours ago, I talked to Reyna Elena about his site being hacked. When I read his post, I saw that the same thing happened to him. So I was thinking (and still speculating) as to what truly happened. Reynz is also using Bluehost for and I am using Bluehost as well. Is the security breach a fault of Bluehost, or were we chosen by this hacker, if it’s even hacking at all?

Did this happen to your blog? How did you solve it? Let’s compare notes.