Pharma hack, how to use SSH? (8 posts)

  1. puifon
    Posted 2 years ago #

    I've noticed that when I search for my website on Google, the meta descriptions for most of my posts are being shown as: Play games in casinos online to win hefty prizes, you will definitely love to win more. Choose always the legal and casino no deposit bonus to enjoy playing.

    Meta description as displayed on Google: http://goo.gl/30Kv9T

    website: http://www.puifonluong.com

    I have posted about this before and I think it is similar to the pharma hack that I've been reading about, or it probably is. It was suggested to perform grep commands via SSH to find the below:

    #grep -irl "sn8up6" ./*


    #grep -irl "casino" ./*

    I am unsure of how to use SSH to do these commands, so could anyone give me any advice before I enable my SSH? Also, my host is asking for a photocopy of a utility bill, or either a photocard driving license or photo page of passport. Is this normal to ask for when asking for SSH access? I don't know if I feel comfortable emailing these documents.

    I have thought about paying for this to be removed via Sucuri but I can't pay for one-time jobs. Does anyone know how I can remove this? I am nervous to delete or reinstall anything, also because I need this website to be submitted as part of my assessment soon at university, so I do not want to mess anything up. If I do reinstall everything and export the WordPress XML file of my posts from the site, is it possible any malicious code could be in there?

    Does this hack affect anything else apart from the meta descriptions? I have seen the casino-related descriptions before, a few months before, and thought nothing of it until now. Any advice on what to do?

  2. Learning to use SSH is a little outside the norm of help given here.


    That has some directions.

    grep is a search tool, it doesn't delete or edit anything (which you can google to learn about that too).
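
The two searches from the first post, as an added example that is not part of any post in this thread: it runs them over a small constructed directory tree and checksums the tree before and after to show that the scan changes nothing. The function names, the sample files and the extra `-F` (literal string) flag are assumptions of this example; passing the directory itself instead of `./*` also covers top-level dotfiles such as `.htaccess`.

```shell
#!/bin/sh
# Added example; every file below is constructed for the demonstration.

# Print each file under $1 that contains any of the remaining arguments.
# -r recurse, -i ignore case, -l file names only, -F treat pattern literally.
scan_tree() {
    dir=$1; shift
    for pat in "$@"; do
        grep -rilF -- "$pat" "$dir" 2>/dev/null || true
    done | sort -u
}

# One checksum over every file in the tree, to compare before and after.
tree_digest() {
    find "$1" -type f -exec cksum {} + | sort | cksum
}

# Build a constructed WordPress-like tree in a temporary directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/demo-plugin" "$root/wp-content/themes/demo"
    printf '<?php // clean file\n' > "$root/wp-content/themes/demo/functions.php"
    printf '<?php $k = "SN8UP6"; // constructed marker\n' \
        > "$root/wp-content/plugins/demo-plugin/cache.php"
    printf '<meta name="description" content="Play games in Casinos online">\n' \
        > "$root/wp-content/themes/demo/header.php"
    printf '# casino (constructed)\n' > "$root/.htaccess"
    echo "$root"
}

demo() {
    root=$(make_demo_tree)
    before=$(tree_digest "$root")
    scan_tree "$root" "sn8up6" "casino" | sed "s|^$root/||"
    after=$(tree_digest "$root")
    if [ "$before" = "$after" ]; then echo "tree unchanged by scan"; fi
    rm -rf "$root"
}

demo
```

On a real site the call would be `scan_tree /path/to/site sn8up6 casino`, with the path being wherever the host places the WordPress files. A file search does not look inside the database, which a later reply names as where this hack lives.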

  3. puifon
    Posted 2 years ago #

    Thanks, I have contacted my host to see if they can remove it for me, waiting for a reply.

  4. Rijo Abraham
    Posted 2 years ago #

    If it is a plugin which is adding malicious code on your website then you must disable all plugins and check if the code is still present through source code check. Let us know that as well.

  5. Rijo, Pharma is a hack that came in through a plugin but infects the database, so it's harder than most to fix :/

  6. puifon
    Posted 2 years ago #

    I went through my plugins, deactivating all then activating one by one to see when the code would appear and I think it is in the Tumblr Photoset Like Gallery for WordPress plugin, so what shall I do now to fix? I would still like to use this plugin? I just tried reinstalling the plugin, but it is still there, so unsure what to do now, guess next best thing is to wait for my host to reply.

Topic Closed

This topic has been closed to new replies.
