
"Pharma Hack" nasty variant? Anyone experienced it? (17 posts)

  1. torakiki
    Member
    Posted 2 years ago #

    Hello there,
    I think one of my WP websites has been hacked with a variant of the infamous "Pharma hack", which inflates malicious links and content in your site but only when visited by Googlebot, affecting the site's Google entry.

    I think that's a variant because it does something different from the "classic" pharma hack I've read about in blogs (eg: http://redleg-redleg.blogspot.it/2011/02/pharmacy-hack.html).
    Here's the differences I've found:

    It does not use things like:

    eval(base64_decode(
    eval(gzinflate(base64_decode(
    eval(gzuncompress(base64_decode(
    eval(gzinflate(str_rot13(base64_decode(

    but instead it spreads a bunch of files (I've found 50!) around your WP installation with misleading names:

    /wp-content/plugins/adminimize/css/en_GB.php
    /wp-content/plugins/advanced-custom-fields/core/ojxulg6cg.php
    /wp-content/plugins/advanced-custom-fields/core/fields/log.php
    /wp-content/plugins/advanced-custom-fields/core/fields/date_picker/defines.php
    /wp-content/plugins/advanced-custom-fields/lang/xmlrpc.php
    /wp-content/plugins/ajax-thumbnail-rebuild/index2.php
    /wp-content/plugins/ajax-thumbnail-rebuild/languages/index.php
    /wp-content/plugins/google-xml-sitemaps-v3-for-qtranslate/lang/en_GB.php
    /wp-content/plugins/qtranslate/flags/xmlrpc.php
    /wp-content/plugins/qtranslate/lang/rss.php
    /wp-content/plugins/wp-swfobject/rss.php
    /wp-content/themes/[theme-name]/img/archive.php
    /wp-content/themes/[theme-name]/inc/eula.php
    /wp-content/themes/[theme-name]/inc/json.php
    /wp-content/themes/[theme-name]/js/libs/index.php
    /wp-content/themes/[theme-name]/js/libs/fancybox/baedxjtoc.php
    /wp-content/uploads/2011/10/soap.php
    /wp-includes/js/crop/rss.php
    /wp-includes/js/plupload/mbxk.php
    /wp-includes/js/scriptaculous/de.php
    /wp-includes/js/thickbox/archive.php
    /wp-includes/js/tinymce/plugins/inlinepopups/skins/defines.php
    /wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/notes.php
    /wp-includes/js/tinymce/plugins/media/en.php
    /wp-includes/js/tinymce/plugins/media/js/en_GB.php
    /wp-includes/js/tinymce/plugins/wpdialogs/js/log.php
    /wp-includes/js/tinymce/plugins/wpeditimage/mqz_.php
    /wp-includes/js/tinymce/plugins/wpeditimage/img/rss.php
    /wp-includes/js/tinymce/plugins/wpfullscreen/xmlrpc.php
    /wp-includes/js/tinymce/themes/defines.php
    /wp-includes/js/tinymce/themes/advanced/js/de.php
    /wp-includes/js/tinymce/themes/advanced/js/header.php
    /wp-includes/js/tinymce/themes/advanced/skins/y10ethctea.php
    /wp-includes/js/tinymce/themes/advanced/skins/default/xmlrpc.php
    /wp-includes/js/tinymce/themes/advanced/skins/default/img/eula.php
    /wp-includes/js/tinymce/themes/advanced/skins/highcontrast/en.php
    /wp-includes/js/tinymce/themes/advanced/skins/o2k7/archive.php
    /wp-includes/js/tinymce/themes/advanced/skins/o2k7/defines.php
    /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/en-GB.php
    /wp-includes/js/tinymce/utils/atom.php
    /wp-includes/Text/Diff/Renderer/eula.php

    and all these files have the same structure:
    http://i48.tinypic.com/bjwch.jpg

    This doesn't seem like base64 encoded code (used by the "old" Pharma hack)... any idea? The problem is that I couldn't find the backdoor anywhere! There must be one somewhere that joins and injects all this code into the website.

    I've searched for strange entries in the DB (wp_options table) but all seems clean to me (no rss_* entries).
    I've checked wp-load.php, wp-config.php, functions.php (...) for malicious code but with no luck.
    Before cleaning up I've tried to disable all of the plugins, to check if the code is inflated from one of them, but nothing changed.

    Result: yesterday I've cleaned up everything and changed FTP&MySQL usernames/passwords... but today the hack is still there!! with 50 new different files spread around my WP installation.

    I'm using WP 3.3.2 with all my plugins updated, and my site is hosted at Dreamhost.

    Has anyone experienced something like this?
    Thanks

  2. s_ha_dum
    Member
    Posted 2 years ago #

    Replacing the entire installation with clean files is going to be quicker and easier than trying to root out the infection.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

  3. chibijennifer
    Member
    Posted 2 years ago #

    I have the exact same problem as torakiki :( I've worked at it for almost 40 hours now and still can't find a resolution. I've even replaced the entire installation of WordPress, started from scratch, deleted all plugins and themes and downloaded fresh copies. Still not resolved. Malicious files keep being re-added and I'm totally out of ideas.

    Help?
    My site: http://moonsticks.org

    Google: site:moonsticks.org drugs

  4. torakiki
    Member
    Posted 2 years ago #

    Hello chibijennifer,
    s_ha_dum was right: a complete re-installation of WP did the trick.

  5. Krishna
    Volunteer Moderator
    Posted 2 years ago #

    @chibijennifer,
    Your problem is here:
    /home/chibijennifermoon/moonsticks.windy-goddess.net/wp-content/themes/ocular-professor/index.php

    You seem to use an outdated theme or infected files are found in your theme files, particularly the above file.

  6. chibijennifer
    Member
    Posted 2 years ago #

    ah...! You might be right! I'm going to delete the theme now...

    Just wondering, how did you find out it was the theme causing the issue? I looked at all the code and it looked fine.

    Thanks very much for the replies! Hopefully this will do the trick.

  7. chibijennifer
    Member
    Posted 2 years ago #

    Unfortunately..the hack is still there despite deleting the whole theme :(

    There's a wp-main.php file that keeps reappearing despite deleting it several times. The file contains the below code:

    [ Please do NOT post 1,362 lines of malware code again. ]

  8. gffb
    Member
    Posted 2 years ago #

    Sucuri SiteCheck reports your site as clean?

    Here

  9. chibijennifer
    Member
    Posted 2 years ago #

    Yeah, it comes out clean but I'm 100% sure it's not clean...

  10. chibijennifer
    Member
    Posted 2 years ago #

    Help anyone? Please.. I just deleted my entire site again today, and uploaded a fresh new WordPress, plugins, themes..everything. 2 hours later, the hacked file is sitting there all over again...

    wp-main.php

  11. chibijennifer
    Member
    Posted 2 years ago #

    Unfortunately, I have already gone through all those links you've provided and did everything they have mentioned. Still no fix. I've been working at this for weeks now and there's just no solution..

  12. gffb
    Member
    Posted 2 years ago #

    Have you asked your host to reset your account? Also, have you changed FTP and cPanel login details, or asked them for any kind of support they can give you on this?

  13. chibijennifer
    Member
    Posted 2 years ago #

    Yeah, I've been emailing back and forth with them for weeks now and they haven't been able to clean it up. It also makes it difficult because every correspondence enquiry is answered by a different tech support person :( (fyi, I'm using Dreamhost)

  14. chibijennifer
    Member
    Posted 2 years ago #

    This issue is finally resolved! In the end, my host (Dreamhost) ended up finding the cause. As suspected, it was different from the above mentioned links.

    In case this helps anyone else, this is basically what happened:

    ----------------------

    I set-up a script to monitor for the reappearance of the wp-main.php
    file (a malicious shell script that keeps coming up no matter how many times you delete). It did appear, exactly on the hour. On a hunch, I
    checked your user's cronjobs.

    I found the cause and it was really nasty and clever. The attacker set-up
    a cron job that runs hourly to regenerate that file and two others.

    They stashed their malicious files in an unused logs directory for a
    domain no longer hosted under the user, disguised as outdated
    log files. Every hour they copied the "log" files into place. They didn't
    even need to take any action -- the cron job handled everything.

    ----------------------

  15. adambloomer
    Member
    Posted 1 year ago #

    they stashed their malicious files in an unused logs directory for a
    domain no longer hosted under the user, disguised as outdated
    log files. Every hour they copied the "log" files into place. They didn't
    even need to take any action -- the cron job handled everything.

    Would you be able to explain this a little further - I think I'm experiencing something very similar and have deleted the files a couple of times but they keep coming back. I'm thinking it may be a similar case to what you're experiencing.

    Out of interest, what script did you use? Or can you point me to a tutorial or resource that explains how to do this?
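    An added example, not a script from the thread or from the host, covering the two checks the resolution above describes: logging every reappearance of a file such as wp-main.php with its timestamp, and reading the account's crontab for scheduled jobs that write into the site's document root (flagging the hourly ones). The paths and the sample crontab are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the host). Two defender checks for a file
# that keeps coming back: a reappearance log and a crontab review. Paths assumed.

# Append a timestamped line to log $2 each time file $1 is seen, with its mtime.
# Returns 0 when the file exists, 1 when it does not, so it can drive a poll loop.
note_reappearance() {
  local target="$1" log="$2"
  if [ -e "$target" ]; then
    printf '%s present mtime=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
      "$(stat -c %Y "$target")" >> "$log"    # stat -c is GNU coreutils
    return 0
  fi
  return 1
}

# Read a crontab on stdin and print the scheduled commands that write into the
# document root $1 using cp/mv/cat/curl/wget/php, prefixing "HOURLY" when the
# schedule fires once an hour (the pattern found in this thread).
suspicious_cron_lines() {
  local docroot="$1" line sched
  while IFS= read -r line; do
    case "$line" in
      ''|\#*) continue ;;                     # skip blank lines and comments
    esac
    case "$line" in
      *"$docroot"*) ;;                         # must reference the web root
      *) continue ;;
    esac
    if printf '%s\n' "$line" | grep -Eq '(^|/|[[:space:]])(cp|mv|cat|curl|wget|php)[[:space:]]'; then
      sched=$(printf '%s\n' "$line" | awk '{print $1,$2,$3,$4,$5}')
      case "$line" in
        @hourly*) echo "HOURLY $line" ;;
        *) if [ "$sched" = "0 * * * *" ]; then echo "HOURLY $line"; else echo "$line"; fi ;;
      esac
    fi
  done
}

# Typical use on the shell account (assumed paths): poll once a minute, then
# review the crontab of the same user.
#   while true; do note_reappearance "$HOME/example.com/wp-main.php" "$HOME/watch.log"; sleep 60; done
#   crontab -l | suspicious_cron_lines "$HOME/example.com"
```

    A file that reappears at a fixed interval with a fresh mtime, together with a cron entry copying from a directory outside the web root, is the combination the host found here; checking `crontab -l` for every user on the account is the quickest confirmation.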

  16. @adambloomer: This is a seven month-old thread.

    You're best off working your way through these resources and following all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.

    Change all passwords. Scan your own PC. Use http://sitecheck.sucuri.net/ before and after.

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting
