• sidea

    (@sidea)


    Hi all,

    I’d really appreciate some help getting rid of some rogue files from my database.

    I originally was informed by my host that they had taken my site offline due to malicious files. I performed all the usual necessary measures and found that I had various problems with my plugins – in this case nextgen.

    I performed a full reinstall of WP, changed passwords, deleted all plugins and began the laborious task of righting the site.

    But when a few days later I came back to it, the rogue plugins had mysteriously reinstalled and once again I had a database connection error. I deleted the plugins again, got back into the site and the same thing happened next time.

    After much Googling I ascertained that it is the pharma hack, which apparently loads rogue files in wp_options in my DB. I have tried searching for all the recommended “option_name” hack files but came up empty. I then went through my table page by page and found literally hundreds of files named “displayed_gallery_rendering_cc5c2d697677a72d9420d351ce305297” or similar.

    To be honest, I’m a little out of my depth in PHPMyAdmin so I don’t feel comfortable randomly deleting rows, but I do really need to fix this.

    Is there any way that I can clean my DB without causing any more harm to my ‘good’ files?

    Any help much appreciated.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    wslade

    (@wslade)

    I am sorry to hear that your site is damaged. I understand the desire to put a name on an issue so as to better understand it. However, relying on the type of hack to tell you anything about how to fix it can sometimes lead to unhelpful assumptions. Since very few sites have exactly the same themes and plugins, the same hacking algorithm will almost surely have a different outcome on different sites.

    It seems you have already done much of what James is suggesting. And you have done more to clean the database than most people can or are willing to attempt.

    The fact that you found no malware in the database makes me feel that your issue may still be in your site files. You did not mention replacing your theme with a fresh new install? I suggest you do so if you haven’t yet. And deleting any unused themes, other than one you keep updated should you need it for testing.

    Are there any other programs installed in the same root as your WordPress? Examples are forums and the like.

    You said you deleted and reinstalled your Plugins. Did you delete all the WordPress files except for the wp-content directory and wp-config.php file before installing your fresh core files?

    Have you used any server side scanning plugins to look for malware?

    Likely much of this seems redundant after all your efforts. But I have found the odds of your source of malware being in the database is very low.

    If you are willing to give your site another look, I’ll be happy to help.

    Thread Starter sidea

    (@sidea)

    I’m sorry, but obviously I wasn’t clear. I deleted everything in my root folder and started again from scratch, however no matter how many times I did this, the malicious files kept reappearing, so I have deduced that the virus is in my DB.

    I have followed all other protocols – passwords changed etc, but I still have the problem of deleting the nasty little buggers hiding amongst my WP_Options files.

    My question is, how do I find rogue files in my wp_options table using phpmysql?

    Another question would be: what is the worst case scenario if I merrily delete what looks malicious and in doing so delete some authentic files?

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    how do I find rogue files in my wp_options table using phpmysql?

    Well, your database doesn’t actually contain files; it’s the database. It’s unlikely that the database itself is corrupt; most likely the infection is elsewhere and you’ve just been treating the symptoms.

    Did you follow everything at https://codex.wordpress.org/FAQ_My_site_was_hacked? It covers the most common vectors, so you have to do everything detailed there to be sure you got it all.

    what is the worst case scenario if I merrily delete what looks malicious and in doing so delete some authentic files?

    Worst case? You lose absolutely everything.

    Just make sure you have a backup to fall back on: https://codex.wordpress.org/WordPress_Backups

    Thread Starter sidea

    (@sidea)

    James,

    I believe that I have this hack.

    Everything in the WP root folder has been replaced. Passwords have been changed. I have done everything that one would usually do, but the hack just comes back, so having read a lot of forum posts, I have concluded rightly or wrongly that the hack must be hiding in my database and reinstalling itself when I reinstall WP.

    I have searched for these option names, but none of them come up:

    wp-options -> class_generic_support
    wp-options -> widget_generic_support
    wp-options -> wp_check_hash
    wp-options -> rss_7988287cd8f4f531c6b94fbdbc4e1caf
    wp-options -> rss_d77ee8bfba87fa91cd91469a5ba5abea
    wp-options -> rss_552afe0001e673901a9f2caebdd3141d

    However there are very many of files like this:

    “displayed_gallery_rendering_cc5c2d697677a72d9420d351ce305297” or similar.

    And because my original hack came in via an infected NextGen plugin, I am assuming that these “options” are causing my problem.

    Any help?
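An added example, not from the thread or any of its posters, for the question of inspecting wp_options from phpMyAdmin rather than deleting rows on sight: the queries below (run from phpMyAdmin’s SQL tab) only list and copy. They assume the default wp_ table prefix and the option names exactly as quoted in the posts above; wp_options_backup is a name chosen here.

```sql
-- Added example, not from the thread. Assumes the default 'wp_' table prefix;
-- change it if wp-config.php sets another one. Nothing here deletes a row.

-- 1. Copy the table first, so any later manual deletion can be undone.
CREATE TABLE wp_options_backup LIKE wp_options;
INSERT INTO wp_options_backup SELECT * FROM wp_options;

-- 2. Size up the rows whose names match the pattern quoted in the thread.
--    Underscores are escaped because '_' is a single-character wildcard in LIKE.
SELECT COUNT(*)                                AS matching_rows,
       ROUND(SUM(LENGTH(option_value)) / 1024) AS total_kib,
       SUM(autoload = 'yes')                   AS autoloaded_rows
FROM   wp_options
WHERE  option_name LIKE 'displayed\_gallery\_rendering\_%';

-- 3. Look at what those rows actually hold before judging them: cached HTML
--    from a gallery plugin looks very different from injected PHP or JavaScript.
SELECT option_name, autoload, LENGTH(option_value) AS bytes,
       LEFT(option_value, 120) AS preview
FROM   wp_options
WHERE  option_name LIKE 'displayed\_gallery\_rendering\_%'
ORDER  BY bytes DESC
LIMIT  20;

-- 4. Search every option value for markers that have no business in settings
--    data, plus the option names the thread lists as indicators. Feed caches in
--    older WordPress versions also used an 'rss_' prefix, so read before acting.
SELECT option_name, autoload, LENGTH(option_value) AS bytes,
       LEFT(option_value, 120) AS preview
FROM   wp_options
WHERE  option_name IN ('class_generic_support', 'widget_generic_support', 'wp_check_hash')
   OR  option_name LIKE 'rss\_%'
   OR  option_value LIKE '%<?php%'
   OR  option_value LIKE '%eval(%'
   OR  option_value LIKE '%base64\_decode(%'
   OR  option_value LIKE '%<script%'
ORDER  BY bytes DESC;

-- 5. Two options worth reading when a site seems to "reinstall" things on its
--    own: the plugin list loaded on every request, and the WP-Cron schedule,
--    which keeps running scheduled hooks after the files on disk were replaced.
SELECT option_name, option_value
FROM   wp_options
WHERE  option_name IN ('active_plugins', 'cron');
```

Anything step 4 turns up should be compared against a fresh export of the same table from a known-clean install before a row is removed, and the copy from step 1 is what to restore if a deletion breaks the site.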

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    There are many different types of hacks that are all similar.

    Since you have done everything to clear out the classic Pharma hack, and it’s continuing to return, it’s probably best to start by accepting that’s not the type of hack you have. 😉

    Did you follow everything at https://codex.wordpress.org/FAQ_My_site_was_hacked? It covers the most common vectors, so you have to do everything detailed there to be sure you got it all.

    Thread Starter sidea

    (@sidea)

    Ok, maybe I’m looking for a solution on the wrong forum!

    Really with the canned responses!!!

    I was hoping for some phpmysql ideas, since the hack is almost definitely being triggered at the database side of things.

    Clearly I haven’t:

    done everything to clear out the classic Pharma hack

    I have repeatedly asked for assistance on HOW to do it.

    I will strip out the content from my hacked file – using the brief window I get before the virus reinstalls and build it from scratch.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I’m sorry you are having a hard time of it. Having your site compromised is the worst.

    Ok, maybe I’m looking for a solution on the wrong forum!

    No, you’re in the right place.

    I have repeatedly asked for assistance on HOW to do it.

    There is no HOW to do it. Honest.

    Each hack really is different and delousing your installation is a lengthy and manual tedious process. It has to be done by hand and your web server needs close scrutiny as well.

    I suggest you start with this one.

    http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

    There is no step-by-step other than what is posted in these articles. Yes, it is a copy and paste reply but it’s all that can be offered here.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

    If that does not work for you (and that’s fully understandable) then please consider hiring someone.

    http://jobs.wordpress.net/

    Delousing your site may be something you want to consider outside of these forums.

    Thread Starter sidea

    (@sidea)

    Thanks for all your assistance. I know that you are only trying to help.

    I have de-virused quite a few sites in my time, but none that infected the DB!

    In this instance as it is only a small site (and not even my own, I’m helping a friend) I will strip out all the text content and re-build it on an entirely new install.

    I will also install for her some essential WP Security protocols, including regular back-ups.

    Love WordPress | Hate hackers

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    I will strip-out all the text content and re-build it on an entirely new install.

    If that’s the approach you want to pursue, I’d recommend just exporting/importing via the Tools section of your blogs’ Dashboards.

    That just moves content, so no sort of active infection or compromised file will be transferred.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

  • The topic ‘Help needed deleting Pharma hack from database’ is closed to new replies.