pharma hack

evaneckard
(@evaneckard)

13 years, 11 months ago

I’ve been hit with this “pharma hack” going around. (see http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php) for details.

Anyhow, I’ve done all I can to get rid of this thing, yet the rogue plugin files and database entries keep appearing. Within the _options table row, 3 entries will consistently appear no matter how many times I delete them. “wp_check_hash”, “class_generic_support” & a malicious rss entry. Somehow these entries write malicious files into random plugin folders that have “ext-“, “db-” or “class-” appended to them.

No matter how many times I delete them, they keep coming back. I’ve increased all of the security I can, and have all permissions set to where they should be. This is obviously an exploit of the wordpress install.

Has anyone figured out how to clean this thing out for good?

Viewing 11 replies - 1 through 11 (of 11 total)

Thread Starter evaneckard
(@evaneckard)

13 years, 11 months ago

The plugin files that this exploit write look like this:

[Code moderated as per the Forum Rules. Please use the pastebin]

Thread Starter evaneckard
(@evaneckard)

13 years, 11 months ago

This file appeared as “ext-akismet.php”

Moderator James Huff
(@macmanx)

Volunteer Moderator

13 years, 11 months ago

Carefully follow this guide:

http://codex.wordpress.org/FAQ_My_site_was_hacked

When you’re done, implement some (if not all) of the recommended security measures:

http://codex.wordpress.org/Hardening_WordPress

Thread Starter evaneckard
(@evaneckard)

13 years, 11 months ago

Short of deleting everything, I have already followed both of those articles and it’s no help.

This has to be a hole in wordpress itself, i’m assuming poor security in one of the core files.

esmi
(@esmi)

13 years, 11 months ago

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

The back door could be anywhere on the server.

Thread Starter evaneckard
(@evaneckard)

13 years, 11 months ago

Yes, I’ve followed those as well – no dice.

Moderator James Huff
(@macmanx)

Volunteer Moderator

13 years, 11 months ago

Have you changed your FTP password yet? One of the theories is that malware is intercepting or has intercepted the FTP password (which is sent in the clear), providing easy access to your server.

james9
(@james9)

13 years, 10 months ago

I also tried all above tricks and still the spammers return. I do have some nice variations of the akismet pharma hacks if you want to research this exploit (currently 5 versions). just message me lifesizedATgmail if you want to get the files. I scanned my machine for malware and found a few pieces. removed it. Cleaned my computer completely. Then i changed my FTP username/pwd and woke up the following morning with spam firing on all cyclinders still. I have to give the spammers credit. Whatever they are doing is pretty smart stuff and i also was guilty of sloppy wp updating for a while.

chakani
(@chakani)

13 years, 10 months ago

Have you tried changing your .htaccess file? See this post:

“Top 5 WordPress Security Tips You Most Likely Don’t Follow”:

http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow

NOTE: See my post at bottom of that page.

Note 2: Your link “http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php” is already 404.

Daniel Cid
(@ddsucurinet)

13 years, 9 months ago

I posted about this pharma hack here:

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

It seems that you forgot to remove the backdoor being used to give the attackers access to your system. I as said in the post, searching only for eval(base64_decode is not enough, since they are hiding it now too. If you do not remove it, they will re-infect your site every so often..

thanks,

rubytuesday
(@rubytuesday)

13 years, 4 months ago

Hello all, where are you hosting? Search the forum for “Pharma” and “Dreamhost” – there are at least two Dreamhost clients reporting the same clean/re-infection problem (me being one of them).