Title: Pharma Hack
Last modified: September 10, 2019

---

# Pharma Hack

 *  Resolved [Brisch](https://wordpress.org/support/users/brisch/)
 * (@brisch)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/)
 * Hi there!
 * The Website above was one of many (same provider) hacked with the “Pharma Hack”(
   [https://www.malcare.com/blog/what-is-pharma-hack-how-to-clean-it/](https://www.malcare.com/blog/what-is-pharma-hack-how-to-clean-it/))
 * On all pages and posts you could see a JavaScript at the beginning and at the
   end and in the middle a french text selling viagra.
 * How is it possible, that the website was hacked even I use Wodfence? Wordfence
   showed me, that files changed when I logged in but did not block the change. 
   WHY?
 * Kind regards, Brisch
 * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fpharma-hack-5%2F%3Foutput_format%3Dmd&locale=en_US)
   to see the link]_

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [WFGerroald](https://wordpress.org/support/users/wfgerald/)
 * (@wfgerald)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11917775)
 * Hey [@brisch](https://wordpress.org/support/users/brisch/),
 * Wordfence protects against a wide variety of attacks. Whether you were hacked
   because of an unknown attack method or because there is some other issue in your
   system is hard to say. Some plugins contain vulnerabilities that are so bad that
   Wordfence can’t protect against them. The same goes for servers.
 * Regarding how they gained entry, here are some possible scenarios:
 * Are there other sites hosted on the same hosting account? If so, they could have
   been infected and spread the infection to this site.
 * You may be using a plugin or theme with a vulnerability that is so severe that
   we cannot protect against it.
 * Your wp-config.php file is readable to the hacker, either directly via your account,
   via a vulnerable plugin or another hacked site on the same server.
 * The hosting accounts on the server are not adequately isolated on the server,
   so the hacker has access to your database via another user’s database.
 * The server software has vulnerabilities that allow the hacker to get root access
   
   You were actually hacked many months ago, but the backdoor was not activated 
   until now.
 * Here’s a guide that may help you clean the site. However, if you’re not comfortable
   with this or the site becomes reinfected I’d suggest reaching out to a professional
   hack repair service to have the site professionally cleaned and patched.
 * [https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/)
 * Thanks,
 * Gerroald
 *  [amazonsk](https://wordpress.org/support/users/amazonsk/)
 * (@amazonsk)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11926759)
 * Same here, wordfence didn’t block and till now I couldn’t find any files with
   malicious code, only altered the database entries in wp_post. Wordfence recognised
   a SEO Hack in the caching files from WP_Total_Cache, but nowhere else.
 * the Javascript code at the beginning of the content looks like (function names
   are different in each entry):
 * <script type=”text/javascript”> function style_array_chunk73() { return “none”}
   function end73_() { document.getElementById(”rzd73”).style.display = style_array_chunk73()}
   </script>
 * The french spam is in div tags with an title or an id
 * at the end of the content the script looks like this:
 * <script type=”text/javascript”> end73_() </script>
 * Didn’t find anything via google about this.
 *  [amazonsk](https://wordpress.org/support/users/amazonsk/)
 * (@amazonsk)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11927116)
 * Seems that the htaccess file is affected, there are several links in the french
   text to “harmless” websites, which are forwarded to [https://secure-rx-market.net/product/viagra.html?track=sol](https://secure-rx-market.net/product/viagra.html?track=sol)
 * had an issue with my htaccess-File but unfortunately changed it via Permalink-
   Update, so I can’t check this.
 *  Thread Starter [Brisch](https://wordpress.org/support/users/brisch/)
 * (@brisch)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11927958)
 * Hi amazonsk, I did this against the virus and it worked so far:
    I use “All in
   one WP migration” and I had a backup from 3 week before. I used this and reinstalled
   everything. Until now I can’t see any infection.
 * But the provider sent an email yesterday that over 100 websites (WordPress, Joomla,
   Typo3) have been infected and he will do an backup and reinstall the websites
   for free. But the provides could not tell me – so far – where the infection comes
   from.
 * What I learned: do backups and use them. Only thing: I dad to buy the backup 
   because it is only free until 512MB. Good luck!
 *  [mike2019](https://wordpress.org/support/users/mike2019/)
 * (@mike2019)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11954823)
 * Hi Brisch,
    i have the same problem. Did you find find out how it’s possible?———-
   Hallo, ich habe das selbe Problem. Hast du die Ursache herausgefunden?
 * Nachtrag:
    Ich bin beim selben Hoster. Wahrscheinlich lag es daran.
 * lg
    Mike2019
    -  This reply was modified 6 years, 6 months ago by [mike2019](https://wordpress.org/support/users/mike2019/).
 *  Thread Starter [Brisch](https://wordpress.org/support/users/brisch/)
 * (@brisch)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11954934)
 * Lieber Mike,
 * ich habe folgendes herausgefunden: Es betraf Websites auf Basis von WordPress,
   Joomla und Tyo3. Im Web stand ein Artikel, dass es auch Drupal betreffen kann.
 * Der übliche Webspace bei einem Provider ist ja ein “Shared Host” und dieser Virus
   kann irgendwo einen Eingang gefunden haben und ist dann über den Server zu anderen
   Domains und Websites gekommen.
 * Bei der Website habe ich das Problem folgendermaßen gelöst: Ich hatte eine Sicherung
   von “All in One WP Migration” und habe (weil Website 2GB) die Vollversion gekauft
   und eine frühere Version der Website wieder hergestellt.
 * Edis selbst hat ja angeboten gratis eine Sicherungskopie der Website vom 6.9.
   gratis wieder herzustellen. Aber erst Tage später, da hatte ich das Plugin schon
   gekauft.
 * Es ist aus meiner Sicht der Provider. Edis. der seien Server schlecht abgesichert
   hat. Und auch nciht das erste mal, ich wurde als Webdesignerin engagiert weil
   Edis schon im Februar ein Problem hatte und die Website (damals Typo3) gehacked
   wurde und es nciht möglich war sie wieder herzustellen.
 * Hilft die Antwort? LG Brisch
 *  Thread Starter [Brisch](https://wordpress.org/support/users/brisch/)
 * (@brisch)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11954939)
 * Es hat (laut Edis) hunderte Websites am dortigen Server betroffen.
 *  [mike2019](https://wordpress.org/support/users/mike2019/)
 * (@mike2019)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-11958010)
 * Hallo,
    ja, deine Antwort hilft mir sehr. Ich betreibe 5 Webseiten. 4 mit WordPress
   davon 3 in Wien, 1 in Deutschland. Die 3 WordPress Seiten in Wien waren alle 
   betroffen. Ich hatte zuerst das Theme oder ein Plugin in Verdacht und habe den
   php-Code und die Datenbank durchsucht, aber nichts gefunden. Ich habe den Schadcode
   händisch gelöscht und hoffe, dass sowas nicht mehr vorkommt.
 * LG
    Mike
 *  [WFGerroald](https://wordpress.org/support/users/wfgerald/)
 * (@wfgerald)
 * [6 years, 5 months ago](https://wordpress.org/support/topic/pharma-hack-5/#post-12017892)
 * Hi,
 * We haven’t heard back from you in a while, so I’ve gone ahead and marked this
   thread as resolved.
 * Please feel free to open another thread if you’re still having issues.
 * Thanks,
 * Gerroald
 *  [drake7](https://wordpress.org/support/users/drake7/)
 * (@drake7)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/pharma-hack-5/#post-12472915)
 * Hey [@mike2019](https://wordpress.org/support/users/mike2019/), did the malicious
   code reappear?

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘Pharma Hack’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

## Tags

 * [pharma hack](https://wordpress.org/support/topic-tag/pharma-hack/)
 * [viagra](https://wordpress.org/support/topic-tag/viagra/)

 * 10 replies
 * 5 participants
 * Last reply from: [drake7](https://wordpress.org/support/users/drake7/)
 * Last activity: [6 years, 1 month ago](https://wordpress.org/support/topic/pharma-hack-5/#post-12472915)
 * Status: resolved