Title: Pharma Hack
Last modified: August 30, 2016

---

# Pharma Hack

 *  [David LeBlanc](https://wordpress.org/support/users/davidtleblanc/)
 * (@davidtleblanc)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/)
 * I learned a site I am running has the Pharma hack. I found the php string used
   in a file called wp-hloper.php in directory. It was the reverse base64_decode
   version. I removed it.
 * That’s half the problem solved
 * The other half is finding the database entry for this script in wp-options. I
   have searched phpMyAdmin for the usual names I have found in any number of articles
   and no luck.
 * It’s possible the database names used have changed (most of the articles I read
   are from around 2010 or earlier) and I hope someone here can point me in the
   right direction or has had experience with this hack recently.

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470810)
 * Remain calm and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  Thread Starter [David LeBlanc](https://wordpress.org/support/users/davidtleblanc/)
 * (@davidtleblanc)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470822)
 * James,
 * Thanks for the reply and links (which I have read), but I assure you I am calm,
   if a bit tired and frustrated.
 * I have done everything I am supposed to do to rid the site of the Pharma Hack,
   save one. I can’t find the string in the options table. It is there somewhere.
 * I have always been fastidious about keeping the core, themes and plugins updated.
   I have changed passwords for everything. I have contacted GoDaddy about this (
   good luck was their reply, more or less and I have seen that sites on GoDaddy
   were exposed to some vulnerabilities in my research) and spent a lot of time 
   finding the cursed script looking in all of the suggested places. Found a neat
   little script that located it for me.
 * My one lone task remaining is finding where this thing’s entry is in the database.
   That I cannot locate. Suggested search terms I have read to find this in the DB
   were all negative. I wondered if anyone else has/had a similar issue and solved
   it.
 * Any thoughts about finding it in the database will be welcome.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470829)
 * I haven’t had to clear one of these up in years, so if it’s not covered by the
   guide, I’m afraid I’m not sure where to look next.
 * There are several paid WordPress services that specialize in hack cleanup. I 
   have used [https://sucuri.net/](https://sucuri.net/) before with great success.
 * There’s also [http://jobs.wordpress.net/](http://jobs.wordpress.net/) or [http://directory.codepoet.com/](http://directory.codepoet.com/)
   where you can hire someone with expertise in this (do not accept any hire offers
   posted to these forums).
 *  Thread Starter [David LeBlanc](https://wordpress.org/support/users/davidtleblanc/)
 * (@davidtleblanc)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470834)
 * James, thanks for the reply.
 * The hack is covered by the guide. I understand the steps to take. I have found
   and removed the PHP script. It’s just finding what the strings are related to this
   hack in the database. If I can find those, life is good. I am close and I want
   to finish it.
 * What I find interesting is that I routinely checked with Sucuri to look for malware.
   In researching this thing, they admit it’s something their security software
   can’t find. That’s not real comforting that this hack has been going on for years,
   coming up to a decade, and finding it still eludes malware security software.
   The article I referenced from Sucuri was written several years ago, but I would
   assume that it would be updated if things changed. They have not, apparently.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470836)
 * It probably eludes their tool because their tool can’t access your database, 
   it can only scan the front-facing portion of your site. 🙂
 *  Thread Starter [David LeBlanc](https://wordpress.org/support/users/davidtleblanc/)
 * (@davidtleblanc)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470839)
 * James,
 * Good point, but `strrev` in a line of code is a very red flag, I would think.
   From what I have read (my php skills are weak at best) it’s used for almost nothing
   else except for mischief.
 * I did learn that `base64_decode` is legitimately used in a lot of themes and 
   plugins, but `eval` is another obvious red flag.
 * Then again, what do I know?
 * Thanks again for the response.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470841)
 * strrev is legitimate, it just reverses a string, not really a sign of a compromise:
   [http://php.net/manual/en/function.strrev.php](http://php.net/manual/en/function.strrev.php)
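
Added example, not part of the thread and not code from WordPress or Sucuri: when known option names turn up nothing, option values can be searched by content instead, looking for the three functions named in the thread directly, behind base64, or behind reversed base64. It assumes the options table has been exported as (option_name, option_value) pairs; the rows below are constructed, and a hit is a lead to review by hand, not proof of compromise.

```python
import base64
import binascii
import re

SUSPECT = ("eval", "base64_decode", "strrev")   # functions named in the thread
REVERSED_NAME = "base64_decode"[::-1]           # the "reverse base64_decode" form
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def _decoded_runs(text):
    """Yield text recovered from base64-looking runs found in `text`."""
    for run in B64_RUN.findall(text):
        run = run.rstrip("=")
        run += "=" * (-len(run) % 4)            # restore padding
        try:
            yield base64.b64decode(run, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue

def scan_value(value):
    """Return sorted 'layer:finding' labels for one option value."""
    layers = {
        "plain": value,
        "base64": " ".join(_decoded_runs(value)),
        "reversed-base64": " ".join(_decoded_runs(value[::-1])),
    }
    hits = set()
    for layer, text in layers.items():
        low = text.lower()
        for fn in SUSPECT:
            if re.search(rf"\b{fn}\s*\(", low):
                hits.add(f"{layer}:{fn}")
        if REVERSED_NAME in low:
            hits.add(f"{layer}:reversed-name:base64_decode")
    return sorted(hits)

def scan_options(rows):
    """Map option_name -> findings, for rows whose value has any finding."""
    return {name: hits for name, value in rows if (hits := scan_value(value))}

# Constructed sample rows; the option names are placeholders, not real indicators.
_hidden = base64.b64encode(b'eval("/* constructed sample */");').decode()[::-1]
SAMPLE_ROWS = [
    ("blogname", "My Garden Blog"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("constructed_option_a", _hidden),
    ("constructed_option_b", 'strrev("edoced_46esab")'),
]

if __name__ == "__main__":
    for name, hits in scan_options(SAMPLE_ROWS).items():
        print(name, hits)
```
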

The topic ‘Pharma Hack’ is closed to new replies.

## Tags

 * [pharma hack](https://wordpress.org/support/topic-tag/pharma-hack/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 7 replies
 * 2 participants
 * Last reply from: [James Huff](https://wordpress.org/support/users/macmanx/)
 * Last activity: [10 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-4/#post-6470841)
 * Status: not resolved
