Hit by new pharma hack?

bostontom
(@bostontom)

12 years, 1 month ago

So I was hit by the infamous pharma/viagra hack. The injected content is showing up under the header tag on serveral pages. My site is http://www.sugarmesweetbakers.com

I’ve done a week’s worth of research and followed advice from several websites but have yet to resolve the issue. I’d really rather not wipe, hoping I can locate and remove the malware code but have had zero luck thus far. What I’ve done:

-Searched for the base64 jibberish
-Ran the queries to clean the wp_options table mentioned here (http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php)
-Searched for rogue .php files mentioned on several fix sites

The only thing I’ve found is a rogue index.php file in my wp-content/uploads folder which had very little code in it. I deleted it and even restricted access to the uploads folder so nothing more can be uploaded.

Still the viagra malware lives on. If anyone can take a look at this? I’m at the end of my whits, and after all this research genuinely curious where this rogue code is sitting. Thanks

Viewing 3 replies - 1 through 3 (of 3 total)

Krishna
(@1nexus)

12 years, 1 month ago

You need to start working your way through these resources:

http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Thread Starter bostontom
(@bostontom)

12 years, 1 month ago

Thanks for your quick reply. I hate to be a pain but I’ve literally been through each one of those, and several other help sites. None of the advice has resolved my issue. I’m wondering if my infection is the result of some new hack? Something not published yet?

I know I could wipe my site and start with a new installation but I’d really rather put at least a few more days into tracking down the malicious code before giving up.

If anyone can take a peak, I’d really appreciate it. Thanks again.

vtxyzzy
(@vtxyzzy)

12 years, 1 month ago

Not really sure it is the same hack, but one of my sites was recently hit with something that sounds similar.

The functions.php file was altered by adding a new function that had a lot of encoded data, but no base64_decode. It simply returned the encoded string.

In the wp-admin folder, was a file titled admin-xxxxx-xxx.php (name disguised). It contained a call to strrev() which reversed a backwards string calling the function and passing the results through base64_decode. That made the base64_decode appear as edoced_46esab.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Hit by new pharma hack?’ is closed to new replies.

Hit by new pharma hack?

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics