pharma hack (12 posts)

  1. evaneckard
    Posted 4 years ago #

    I've been hit with this "pharma hack" going around. (see http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php) for details.

    Anyhow, I've done all I can to get rid of this thing, yet the rogue plugin files and database entries keep appearing. Within the _options table row, 3 entries will consistently appear no matter how many times I delete them. "wp_check_hash", "class_generic_support" & a malicious rss entry. Somehow these entries write malicious files into random plugin folders that have "ext-", "db-" or "class-" appended to them.

    No matter how many times I delete them, they keep coming back. I've increased all of the security I can, and have all permissions set to where they should be. This is obviously an exploit of the wordpress install.

    Has anyone figured out how to clean this thing out for good?

  2. evaneckard
    Posted 4 years ago #

    The plugin files that this exploit write look like this:

    [Code moderated as per the Forum Rules. Please use the pastebin]

  3. evaneckard
    Posted 4 years ago #

    This file appeared as "ext-akismet.php"

  4. Carefully follow this guide:


    When you're done, implement some (if not all) of the recommended security measures:


  5. evaneckard
    Posted 4 years ago #

    Short of deleting everything, I have already followed both of those articles and it's no help.

    This has to be a hole in wordpress itself, i'm assuming poor security in one of the core files.

  6. esmi
    Forum Moderator
    Posted 4 years ago #

  7. evaneckard
    Posted 4 years ago #

    Yes, I've followed those as well - no dice.

  8. Have you changed your FTP password yet? One of the theories is that malware is intercepting or has intercepted the FTP password (which is sent in the clear), providing easy access to your server.

  9. james9
    Posted 4 years ago #

    I also tried all above tricks and still the spammers return. I do have some nice variations of the akismet pharma hacks if you want to research this exploit (currently 5 versions). just message me lifesizedATgmail if you want to get the files. I scanned my machine for malware and found a few pieces. removed it. Cleaned my computer completely. Then i changed my FTP username/pwd and woke up the following morning with spam firing on all cyclinders still. I have to give the spammers credit. Whatever they are doing is pretty smart stuff and i also was guilty of sloppy wp updating for a while.

  10. chakani
    Posted 4 years ago #

    Have you tried changing your .htaccess file? See this post:

    "Top 5 WordPress Security Tips You Most Likely Don’t Follow":


    NOTE: See my post at bottom of that page.

    Note 2: Your link "http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php" is already 404.

  11. Daniel Cid
    Sucuri.net Support
    Posted 4 years ago #

    I posted about this pharma hack here:


    It seems that you forgot to remove the backdoor being used to give the attackers access to your system. I as said in the post, searching only for eval(base64_decode is not enough, since they are hiding it now too. If you do not remove it, they will re-infect your site every so often..


  12. rubytuesday
    Posted 4 years ago #

    Hello all, where are you hosting? Search the forum for "Pharma" and "Dreamhost" - there are at least two Dreamhost clients reporting the same clean/re-infection problem (me being one of them).

Topic Closed

This topic has been closed to new replies.

About this Topic