Pharma Hack - unique, affecting only root URL (6 posts)

  1. rjebamalaidass
    Posted 3 years ago #

    Hi Everybody,
    I have been struggling with this stuff for months now. I am using the WordPress multisite version and it is running with around 80 blogs. Around 3 months back, we had a pharma hack and many files had the base64_decode code snippets as a first line.
    I had removed all those code snippets.
    I found the backdoor entry and removed that file.
    Upgraded the server to new version 3.4.2 and upgraded all my plugins.
    Moved my blogs to new server and changed permission to the folders.
    Changed the password.
    Checked through "Fetch through Google" to see if the webpage is showing any pharmacy keywords. Nothing is there.

    Only thing I moved from the old server was the database data. I had exported all the data and moved to the new MySQL Database.

    Now when I run the grep command for base64_decode, I am not able to find the hack code.

    Now only my root url looks infected. All other pages are looking good.
    In my access log, I get the following URL getting accessed by search bots.
    http://blogs.luc.edu/index.php?denikik="PHARMACY HACK"&denikikp="SOME_NUMBER".
    I looked at all files, changed the WordPress root files, updated plugins. But still the root URL looks infected. I even changed the themes of my root blog and still the issue exists.
    I am confused, fed up and frustrated with this.
    Kindly help me in solving this crazy bug. Sorry for being so long.

    With Regards

  2. halferdev
    Posted 3 years ago #

    Couple of things you can try:

    * Use the reinstall feature on your Update Admin page to install 3.4.2 completely
    * Check your .htaccess file, this is a common entry point for hacks
    * See if there is any JS on your home page relating to the hack, this might indicate that the theme has been modified

  3. rjebamalaidass
    Posted 3 years ago #

    Thanks for your reply... I have reinstalled WordPress 3 times as of now and have removed the old .htaccess file and have added new ones during the WordPress install.
    Also, just to make sure the problem is not with the home page theme, I changed to the new default theme (Twenty Eleven). But still the hack is there...

    This is really pissing me off....

  4. bcworkz
    Posted 3 years ago #

    I think this is the hack that uses a string reversal trick to hide from base64 greps; you need to also grep for 46esab! By now, it may be using a different disguise trick though :(

    I've also heard it keeps a backup of itself in the database, it can restore itself from a small hidden code as soon as the DB connection is made. And another backup in a bogus image file in the uploads folders. The most reliable removal involves a complete wipe, including the DB, and restoring from a clean backup. Since that is more than 3 months ago, this would be very painful.

    I know people have manually cleaned this out successfully, so there is hope. Good luck.
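
As an added example (not code from this thread or from WordPress), here is a small scanner that looks for the indicators bcworkz and the original poster describe: the plain base64_decode() call, its reversed spelling (edoced_46esab, so that "46esab" greps catch it), the eval/decompress wrappers such payloads usually sit in, and a PHP open tag hidden inside an image under uploads. The indicator list and the sample files are my own construction; scan_directory() is a hypothetical helper for running the same check over a real webroot.

```python
import re
from pathlib import Path
from typing import Dict, List

# Indicators of the obfuscation style discussed in the thread: the plain
# base64_decode() call, its reversed spelling (bcworkz's "46esab"), and
# the eval/decompress helpers such payloads are usually wrapped in.
CODE_PATTERNS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "reversed base64_decode": re.compile(r"edoced_46esab", re.I),
    "strrev on a literal": re.compile(r"strrev\s*\(\s*['\"]", re.I),
    "eval": re.compile(r"(?<![\w$])eval\s*\(", re.I),
    "decompress/rot13": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
PHP_OPEN_TAG = re.compile(r"<\?php", re.I)

def scan_bytes(name: str, data: bytes) -> List[str]:
    """Return the names of the indicators that fire for one file's contents."""
    text = data.decode("utf-8", errors="replace")
    hits = []
    # A PHP open tag inside an image is the "bogus image file" stash bcworkz describes.
    if Path(name).suffix.lower() in IMAGE_EXTENSIONS and PHP_OPEN_TAG.search(text):
        hits.append("php tag inside image file")
    hits.extend(label for label, rx in CODE_PATTERNS.items() if rx.search(text))
    return hits

def scan_tree(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan an in-memory {path: content} map and keep only files with findings."""
    report = {name: scan_bytes(name, data) for name, data in files.items()}
    return {name: hits for name, hits in report.items() if hits}

def scan_directory(root: str) -> Dict[str, List[str]]:
    """Same report for a real install on disk, e.g. scan_directory("/var/www/html")."""
    paths = (p for p in Path(root).rglob("*") if p.is_file())
    return scan_tree({str(p.relative_to(root)): p.read_bytes() for p in paths})

# Constructed sample tree (not files from the thread): a plain injection, a reversed-
# string injection, a PHP stash inside a PNG, and a clean core file. 'Zm9v' is just "foo".
SAMPLE_FILES = {
    "wp-config.php": b"<?php\n$x = 'Zm9v'; eval(base64_decode($x));\ndefine('DB_NAME', 'wp');\n",
    "wp-content/themes/twentyeleven/functions.php": b"<?php\n$f = strrev('edoced_46esab'); eval($f('Zm9v'));\n",
    "wp-content/uploads/2012/09/logo.png": b"\x89PNG\r\n\x1a\n<?php eval(base64_decode('Zm9v')); ?>",
    "wp-includes/version.php": b"<?php\n$wp_version = '3.4.2';\n",
}

if __name__ == "__main__":
    for name, hits in scan_tree(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(hits)}")
```

A hit is a lead to read, not proof: legitimate plugins do call base64_decode, so compare flagged core and plugin files against fresh copies from wordpress.org before deleting anything.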

  5. esmi
    Forum Moderator
    Posted 3 years ago #

  6. ReneODeay
    Posted 2 years ago #

    Did you ever get rid of the pharma hacks?
    I have the same problems on one of my WordPress blogs, and have spent months of futile efforts going through every single one of those solutions posted above.
    And it is still there; it seems even worse now too.

Topic Closed

This topic has been closed to new replies.