"Pharma Hack" nasty variant? Anyone experienced it?
I think one of my WP websites has been hacked with a variant of the infamous “Pharma hack”, which inflates malicious links and content in your site but only when visited by googlebot, affecting the site’s google entry.
I think that’s a variant because it does something different from the “classic” pharma hack I’ve read about in blogs (eg: http://redleg-redleg.blogspot.it/2011/02/pharmacy-hack.html).
Here are the differences I’ve found:
It does not use things like:
eval(base64_decode( eval(gzinflate(base64_decode( eval(gzuncompress(base64_decode( eval(gzinflate(str_rot13(base64_decode(
but instead it spreads a bunch of files (I’ve found 50!) around your WP installation with misleading names:
/wp-content/plugins/adminimize/css/en_GB.php
/wp-content/plugins/advanced-custom-fields/core/ojxulg6cg.php
/wp-content/plugins/advanced-custom-fields/core/fields/log.php
/wp-content/plugins/advanced-custom-fields/core/fields/date_picker/defines.php
/wp-content/plugins/advanced-custom-fields/lang/xmlrpc.php
/wp-content/plugins/ajax-thumbnail-rebuild/index2.php
/wp-content/plugins/ajax-thumbnail-rebuild/languages/index.php
/wp-content/plugins/google-xml-sitemaps-v3-for-qtranslate/lang/en_GB.php
/wp-content/plugins/qtranslate/flags/xmlrpc.php
/wp-content/plugins/qtranslate/lang/rss.php
/wp-content/plugins/wp-swfobject/rss.php
/wp-content/themes/[theme-name]/img/archive.php
/wp-content/themes/[theme-name]/inc/eula.php
/wp-content/themes/[theme-name]/inc/json.php
/wp-content/themes/[theme-name]/js/libs/index.php
/wp-content/themes/[theme-name]/js/libs/fancybox/baedxjtoc.php
/wp-content/uploads/2011/10/soap.php
/wp-includes/js/crop/rss.php
/wp-includes/js/plupload/mbxk.php
/wp-includes/js/scriptaculous/de.php
/wp-includes/js/thickbox/archive.php
/wp-includes/js/tinymce/plugins/inlinepopups/skins/defines.php
/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/notes.php
/wp-includes/js/tinymce/plugins/media/en.php
/wp-includes/js/tinymce/plugins/media/js/en_GB.php
/wp-includes/js/tinymce/plugins/wpdialogs/js/log.php
/wp-includes/js/tinymce/plugins/wpeditimage/mqz_.php
/wp-includes/js/tinymce/plugins/wpeditimage/img/rss.php
/wp-includes/js/tinymce/plugins/wpfullscreen/xmlrpc.php
/wp-includes/js/tinymce/themes/defines.php
/wp-includes/js/tinymce/themes/advanced/js/de.php
/wp-includes/js/tinymce/themes/advanced/js/header.php
/wp-includes/js/tinymce/themes/advanced/skins/y10ethctea.php
/wp-includes/js/tinymce/themes/advanced/skins/default/xmlrpc.php
/wp-includes/js/tinymce/themes/advanced/skins/default/img/eula.php
/wp-includes/js/tinymce/themes/advanced/skins/highcontrast/en.php
/wp-includes/js/tinymce/themes/advanced/skins/o2k7/archive.php
/wp-includes/js/tinymce/themes/advanced/skins/o2k7/defines.php
/wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/en-GB.php
/wp-includes/js/tinymce/utils/atom.php
/wp-includes/Text/Diff/Renderer/eula.php
and all these files have the same structure:
This doesn’t seem like base64 encoded code (used by “old” Pharma hack)… any idea? The problem is that I couldn’t find the backdoor anywhere! There must be one somewhere that joins and injects all this code into the website.
I’ve searched for strange entries in the DB (wp_options table) but all seems clean to me (no rss_* entries).
I’ve checked wp-load.php, wp-config.php, functions.php (…) for malicious code but with no luck.
Before cleaning up I’ve tried to disable all of the plugins, to check if the code is inflated from one of them, but nothing changed.
Result: yesterday I’ve cleaned up everything and changed FTP&MySQL usernames/passwords… but today the hack is still there!! with 50 new different files spread around my WP installation.
I’m using WP 3.3.2 with all my plugins updated, and my site is hosted at Dreamhost.
Has anyone experienced something like this??
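The file list in the post has a recognisable shape: PHP dropped into directories that hold only static assets or translations (uploads/, js/, css/, img/, lang/, flags/, skins/), names that look like core files but are not (rss.php, defines.php, eula.php, xmlrpc.php outside the root), locale-style names with a .php extension, and a few obviously generated names. The triage script below is an added example, not the poster's code and not part of any WordPress tool; it encodes those observations as heuristics that list candidate files for review. It assumes a stock WordPress layout, and the directory and filename sets are my own assumptions drawn from the paths above. The sample paths are a constructed subset of the post's list plus a few legitimate files that must stay unflagged.

```python
"""
Triage heuristics for the infection pattern described in the post above:
many small PHP files dropped under a WordPress install with innocuous names.
This lists candidates for review; it does not clean anything.

Assumptions (mine, not from the post): a stock WordPress directory layout,
and that static-asset/translation directories should contain no PHP at all.
"""
import os
import re
import tempfile

# Directory names that hold only static assets/translations in a stock install.
NO_PHP_DIRS = {"uploads", "js", "css", "img", "images", "lang", "languages",
               "flags", "skins", "fonts"}

# Generic-looking names that are not files of a stock WordPress install.
NEVER_EXPECTED = {"rss.php", "atom.php", "log.php", "defines.php", "eula.php",
                  "json.php", "soap.php", "notes.php", "index2.php"}

# Core names whose spelling would otherwise trip the random-name heuristic.
STOCK_NAMES = {"xmlrpc.php", "index.php", "wp-load.php", "wp-config.php"}

LOCALE_NAME = re.compile(r"^[a-z]{2}([_-][A-Z]{2})?\.php$")  # en.php, en_GB.php
LOWER_STEM = re.compile(r"^[a-z0-9_]{4,}\.php$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


def looks_random(name):
    """Heuristic: digits, underscores, few vowels or long consonant runs
    suggest a generated name (ojxulg6cg.php, mbxk.php, mqz_.php)."""
    if name in STOCK_NAMES or not LOWER_STEM.match(name):
        return False
    stem = name[:-4]
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    return (any(c.isdigit() for c in stem) or "_" in stem
            or vowel_ratio < 0.25 or bool(CONSONANT_RUN.search(stem)))


def classify(rel_path):
    """Return the reasons a path (relative to the WP root) is suspicious.
    An empty list means no rule fired."""
    parts = rel_path.strip("/").split("/")
    name = parts[-1]
    reasons = []
    if not name.endswith(".php"):
        return reasons
    static = [d for d in parts[:-1] if d in NO_PHP_DIRS]
    if static:
        reasons.append("php file under static-asset dir '%s'" % static[0])
    if name == "xmlrpc.php" and len(parts) > 1:
        reasons.append("xmlrpc.php outside the site root")
    if name in NEVER_EXPECTED:
        reasons.append("'%s' is not a stock WordPress file" % name)
    if LOCALE_NAME.match(name):
        reasons.append("translation-style name with a .php extension")
    if looks_random(name):
        reasons.append("random-looking filename")
    return reasons


def triage(rel_paths):
    """Map each flagged path to its reasons; clean paths are omitted."""
    report = {}
    for p in rel_paths:
        reasons = classify(p)
        if reasons:
            report[p] = reasons
    return report


def scan_tree(root):
    """Walk a real install and return the flagged relative paths, sorted."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            if classify(rel):
                flagged.append(rel)
    return sorted(flagged)


# Constructed sample: a subset of the paths from the post plus legitimate
# files (xmlrpc.php at the root, functions.php, a theme template, a plugin).
SAMPLE_PATHS = [
    "wp-content/plugins/adminimize/css/en_GB.php",
    "wp-content/plugins/advanced-custom-fields/core/ojxulg6cg.php",
    "wp-content/plugins/advanced-custom-fields/lang/xmlrpc.php",
    "wp-content/themes/sometheme/inc/eula.php",
    "wp-content/uploads/2011/10/soap.php",
    "wp-includes/js/plupload/mbxk.php",
    "wp-includes/js/tinymce/plugins/wpeditimage/mqz_.php",
    "wp-includes/Text/Diff/Renderer/eula.php",
    "xmlrpc.php",
    "wp-includes/functions.php",
    "wp-content/themes/sometheme/archive.php",
    "wp-content/plugins/akismet/akismet.php",
]


def build_sample_tree():
    """Create SAMPLE_PATHS as empty files in a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    for p in SAMPLE_PATHS:
        full = os.path.join(root, *p.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    for path, why in triage(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(why))
```

Run `scan_tree("/path/to/wordpress")` against a copy of the install to get the candidate list; every hit still needs a human look, since index.php placeholders under languages/ directories and a theme's own header.php are legitimate in some locations. The name-based rules deliberately avoid reading file contents, so they are unaffected by the missing base64/eval markers the post describes; a separate pass comparing wp-includes/ against the checksums of a clean WordPress 3.3.2 download is the natural complement.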