[Resolved] New Variant of the Pharma Hack
I’m just reporting on a new variant of the Pharma Hack that I’m just finishing cleaning up. It has the same result (poisoning your google results with pharma ads) as the other variants I’ve seen described on the internet, but it works in a different way. If I had followed the removal directions that have been published out there, I never would have found it.
From what I gathered, it edited my general-template.php file in wp-includes. It added a line of code to include a file in my maildir/tmp folder. Also in the maildir/tmp folder were a bunch of other folders filled with files that held the offending pharma ad content. Please note that all of this is outside the wordpress directory.
I’ve gone over my database pretty closely, and I cannot find any modifications there.
If I learn anything else about this bug I’ll post up.
I still don’t know how they got in in the first place. All my software is up to date, and I have taken many of the standard steps to harden my wordpress installation. Yet I was still hacked.
Be careful out there. I haven’t found anyone else documenting this attack vector. The black hats are always innovating.
- The topic ‘[Resolved] New Variant of the Pharma Hack’ is closed to new replies.