Support » Fixing WordPress » "Pharma Hack" nasty variant? Anyone experienced it?

  • torakiki

    (@torakiki)


    Hello there,
    I think one of my WP websites has been hacked with a variant of the infamous “Pharma hack”, which inflates malicious links and content in your site but only when visited by Googlebot, affecting the site’s Google entry.

    I think that’s a variant because it does something different from the “classic” pharma hack I’ve read about in blogs (eg: http://redleg-redleg.blogspot.it/2011/02/pharmacy-hack.html).
    Here’s the differences I’ve found:

    It does not use things like:

    eval(base64_decode(
    eval(gzinflate(base64_decode(
    eval(gzuncompress(base64_decode(
    eval(gzinflate(str_rot13(base64_decode(

    but instead it spreads a bunch of files (I’ve found 50!) around your WP installation with misleading names:

    /wp-content/plugins/adminimize/css/en_GB.php
    /wp-content/plugins/advanced-custom-fields/core/ojxulg6cg.php
    /wp-content/plugins/advanced-custom-fields/core/fields/log.php
    /wp-content/plugins/advanced-custom-fields/core/fields/date_picker/defines.php
    /wp-content/plugins/advanced-custom-fields/lang/xmlrpc.php
    /wp-content/plugins/ajax-thumbnail-rebuild/index2.php
    /wp-content/plugins/ajax-thumbnail-rebuild/languages/index.php
    /wp-content/plugins/google-xml-sitemaps-v3-for-qtranslate/lang/en_GB.php
    /wp-content/plugins/qtranslate/flags/xmlrpc.php
    /wp-content/plugins/qtranslate/lang/rss.php
    /wp-content/plugins/wp-swfobject/rss.php
    /wp-content/themes/[theme-name]/img/archive.php
    /wp-content/themes/[theme-name]/inc/eula.php
    /wp-content/themes/[theme-name]/inc/json.php
    /wp-content/themes/[theme-name]/js/libs/index.php
    /wp-content/themes/[theme-name]/js/libs/fancybox/baedxjtoc.php
    /wp-content/uploads/2011/10/soap.php
    /wp-includes/js/crop/rss.php
    /wp-includes/js/plupload/mbxk.php
    /wp-includes/js/scriptaculous/de.php
    /wp-includes/js/thickbox/archive.php
    /wp-includes/js/tinymce/plugins/inlinepopups/skins/defines.php
    /wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/notes.php
    /wp-includes/js/tinymce/plugins/media/en.php
    /wp-includes/js/tinymce/plugins/media/js/en_GB.php
    /wp-includes/js/tinymce/plugins/wpdialogs/js/log.php
    /wp-includes/js/tinymce/plugins/wpeditimage/mqz_.php
    /wp-includes/js/tinymce/plugins/wpeditimage/img/rss.php
    /wp-includes/js/tinymce/plugins/wpfullscreen/xmlrpc.php
    /wp-includes/js/tinymce/themes/defines.php
    /wp-includes/js/tinymce/themes/advanced/js/de.php
    /wp-includes/js/tinymce/themes/advanced/js/header.php
    /wp-includes/js/tinymce/themes/advanced/skins/y10ethctea.php
    /wp-includes/js/tinymce/themes/advanced/skins/default/xmlrpc.php
    /wp-includes/js/tinymce/themes/advanced/skins/default/img/eula.php
    /wp-includes/js/tinymce/themes/advanced/skins/highcontrast/en.php
    /wp-includes/js/tinymce/themes/advanced/skins/o2k7/archive.php
    /wp-includes/js/tinymce/themes/advanced/skins/o2k7/defines.php
    /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/en-GB.php
    /wp-includes/js/tinymce/utils/atom.php
    /wp-includes/Text/Diff/Renderer/eula.php

    and all these files have the same structure:
    http://i48.tinypic.com/bjwch.jpg

    This doesn’t seem like base64-encoded code (used by the “old” Pharma hack)… any idea? The problem is that I couldn’t find the backdoor anywhere! There must be one somewhere that joins and injects all this code into the website.

    I’ve searched for strange entries in the DB (wp_options table) but all seems clean to me (no rss_* entries).
    I’ve checked wp-load.php, wp-config.php, functions.php (…) for malicious code but with no luck.
    Before cleaning up I’ve tried to disable all of the plugins, to check if the code is inflated from one of them, but nothing changed.

    Result: yesterday I cleaned up everything and changed FTP & MySQL usernames/passwords… but today the hack is still there!! With 50 new, different files spread around my WP installation.

    I’m using WP 3.3.2 with all my plugins updated, and my site is hosted at Dreamhost.

    Has anyone experienced something like this??
    Thanks
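    The list of dropped files above suggests the triage a practitioner would do before the reinstall recommended below: diff the live tree against a freshly downloaded copy of the same WordPress, plugin and theme versions, and flag PHP files sitting in directories that should only hold assets or translations. The script below is an added example, not code from the thread or from WordPress; it assumes the live install and the clean copy are unpacked side by side, and the sample trees it builds under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a WordPress tree for dropped or
# edited PHP files. LIVE is the possibly infected install, CLEAN is a freshly
# downloaded WordPress plus the same plugin/theme versions, unpacked beside it.

# PHP files that exist in LIVE but have no counterpart in CLEAN (the droppers).
added_php() {
  live=$1 clean=$2
  tmp=$(mktemp -d)
  (cd "$live"  && find . -type f -name '*.php' | sort) > "$tmp/live"
  (cd "$clean" && find . -type f -name '*.php' | sort) > "$tmp/clean"
  comm -23 "$tmp/live" "$tmp/clean"
  rm -rf "$tmp"
}

# PHP files present in both trees whose content differs (injected code in
# legitimate files such as wp-load.php or a theme's index.php).
changed_php() {
  live=$1 clean=$2
  (cd "$live" && find . -type f -name '*.php') | while IFS= read -r f; do
    if [ -f "$clean/$f" ] && ! cmp -s "$live/$f" "$clean/$f"; then
      echo "$f"
    fi
  done
}

# PHP files under directories that normally hold only assets or translations.
# WordPress itself ships a few PHP files under wp-includes/js/tinymce, so treat
# this as a review list and cross-check it with added_php.
php_in_asset_dirs() {
  (cd "$1" && find . -type f -name '*.php') \
    | grep -E '/(uploads|js|css|img|images|lang|languages|flags|skins)/' || true
}

# Constructed live/clean trees for the demonstration; prints the base directory.
make_sample_tree() {
  base=$(mktemp -d)
  for t in live clean; do
    mkdir -p "$base/$t/wp-includes/js/tinymce" "$base/$t/wp-content/uploads/2011/10" \
             "$base/$t/wp-content/plugins/qtranslate/flags"
    echo '<?php // core file' > "$base/$t/wp-load.php"
    echo '<?php // shipped by WordPress' > "$base/$t/wp-includes/js/tinymce/wp-tinymce.php"
  done
  # constructed infection: two droppers with misleading names plus an edited core file
  echo '<?php // dropper' > "$base/live/wp-content/uploads/2011/10/soap.php"
  echo '<?php // dropper' > "$base/live/wp-content/plugins/qtranslate/flags/xmlrpc.php"
  echo '<?php // core file /*injected*/' > "$base/live/wp-load.php"
  echo "$base"
}

base=$(make_sample_tree)
echo "== PHP files not in the clean copy =="
added_php "$base/live" "$base/clean"
echo "== PHP files that differ from the clean copy =="
changed_php "$base/live" "$base/clean"
echo "== PHP files in asset directories =="
php_in_asset_dirs "$base/live"
rm -rf "$base"
# On a real account: added_php /path/to/site /path/to/clean-wordpress
```

The first two lists are the ones to act on; the third only narrows where to look when no clean copy is available. Finding the files does not explain how they return, so a clean list one day and a dirty one the next (as reported above) means the mechanism that writes them is still in place.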

Viewing 15 replies - 1 through 15 (of 16 total)
  • s_ha_dum

    (@apljdi)

    Replacing the entire installation with clean files is going to be quicker and easier than trying to root out the infection.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    chibijennifer

    (@chibijennifer)

    I have the exact same problem as torakiki 🙁 I’ve worked at it for almost 40 hours now and still can’t find a resolution. I’ve even replaced the entire installation of WordPress, started from scratch, deleted all plugins and themes and downloaded fresh copies. Still not resolved. Malicious files keep being re-added and I’m totally out of ideas.

    Help?
    My site: http://moonsticks.org

    Google: site:moonsticks.org drugs

    torakiki

    (@torakiki)

    Hello chibijennifer,
    s_ha_dum was right: a complete re-installation of WP did the trick

    Krishna

    (@1nexus)

    @chibijennifer,
    Your problem is here:
    /home/chibijennifermoon/moonsticks.windy-goddess.net/wp-content/themes/ocular-professor/index.php

    You seem to use an outdated theme or infected files are found in your theme files, particularly the above file.

    chibijennifer

    (@chibijennifer)

    ah…! You might be right! I’m going to delete the theme now…

    Just wondering, how did you find out it was the theme causing the issue? I looked at all the code and it looked fine.

    Thanks very much for the replies! Hopefully this will do the trick.

    Unfortunately..the hack is still there despite deleting the whole theme 🙁

    There’s a wp-main.php file that keeps reappearing despite deleting it several times. The file contains the below code:

    [ Please do NOT post 1,362 lines of malware code again. ]

    Does Sucuri SiteCheck report your site as clean?

    Here

    Yeah, it comes out clean but I’m 100% sure it’s not clean…

    Help anyone? Please.. I just deleted my entire site again today, and uploaded a fresh new WordPress, plugins, themes.. everything. 2 hours later, the hacked file is sitting there all over again…

    wp-main.php

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Unfortunately, I have already gone through all those links you’ve provided and did everything they have mentioned. Still no fix. I’ve been working at this for weeks now and there’s just no solution..

    Have you asked your host to reset your account? Also, have you changed FTP and cPanel login details, or asked them for any kind of support they can give you on this?

    Yeah, I’ve been emailing back and forth with them for weeks now and they haven’t been able to clean it up. It also makes it difficult because every correspondence enquiry is answered by a different tech support person 🙁 (fyi, I’m using Dreamhost)

    This issue is finally resolved! In the end, my host (Dreamhost) ended up finding the cause. As suspected, it was different from the above-mentioned links.

    In case this helps anyone else, this is basically what happened:

    ———————-

    I set up a script to monitor for the reappearance of the wp-main.php file (a malicious shell script that keeps coming up no matter how many times you delete it). It did appear, exactly on the hour. On a hunch, I checked your user’s cronjobs.

    I found the cause and it was really nasty and clever. The attacker set up a cron job that runs hourly to regenerate that file and two others.

    They stashed their malicious files in an unused logs directory for a domain no longer hosted under the user, disguised as outdated log files. Every hour they copied the “log” files into place. They didn’t even need to take any action — the cron job handled everything.

    ———————-

    “They stashed their malicious files in an unused logs directory for a domain no longer hosted under the user, disguised as outdated log files. Every hour they copied the “log” files into place. They didn’t even need to take any action — the cron job handled everything.”

    Would you be able to explain this a little further? I think I’m experiencing something very similar and have deleted the files a couple of times but they keep coming back. I’m thinking it may be a similar case to what you’re experiencing.

    Out of interest, what script did you use? Or can you point me to a tutorial or resource to explain to me how to do this.
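    The host's explanation above (an hourly user cron job copying PHP payloads stored under rotated-log names back into the web root) and the request for a monitoring script can be covered by one small shell script. What follows is an added example, not the host's script or anything posted in the thread: it assumes the account's cron entries are visible with `crontab -l`, that the payloads are plain PHP files starting with `<?php`, and the crontab text and stash directory it builds for the demonstration are constructed, not taken from a real compromise.

```shell
#!/bin/sh
# Added example (not the host's script): look for the persistence mechanism the
# thread describes, a user cron job that copies disguised "log" files back into
# the web root every hour. The stash and crontab below are constructed for the demo.

# Crontab lines (stdin) that run on the hour or invoke copy/download/interpreter
# commands. Cheap first filters for a manual look, not proof of compromise.
suspicious_cron_lines() {
  grep -vE '^[[:space:]]*(#|$)' \
    | grep -E '^(0 \* \* \* \*|@hourly)|(^|[^A-Za-z0-9_])(cp|mv|cat|curl|wget|php|perl|python|base64)([^A-Za-z0-9_]|$)' \
    || true
}

# Exit 0 if FILE starts with a PHP open tag, whatever its name says it is.
php_disguised() {
  head -c 256 "$1" | grep -q '<?php'
}

# Every absolute path mentioned in the crontab text on stdin that exists, is not
# named *.php, and still begins with <?php: the stashed payloads.
hidden_php_in_cron() {
  grep -oE '(/[A-Za-z0-9._-]+)+' | sort -u | while IFS= read -r p; do
    [ -f "$p" ] || continue
    case "$p" in *.php) continue ;; esac
    if php_disguised "$p"; then echo "$p"; fi
  done
}

# Append a timestamped line to LOG whenever FILE exists. Run it from a loop or a
# cron entry of your own to learn *when* the file returns (here: on the hour).
note_if_present() {
  if [ -e "$1" ]; then
    printf '%s present: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$(ls -l "$1")" >> "$2"
    return 0
  fi
  return 1
}

# Constructed stash: an orphaned logs directory holding two PHP payloads named
# like rotated logs next to one genuine log line. Prints the base directory.
make_sample_stash() {
  base=$(mktemp -d)
  mkdir -p "$base/logs/old.example.net" "$base/site"
  printf '<?php // constructed payload 1\n' > "$base/logs/old.example.net/access.log.4"
  printf '<?php // constructed payload 2\n' > "$base/logs/old.example.net/error.log.2"
  printf '203.0.113.5 - - [01/Jun/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512\n' \
    > "$base/logs/old.example.net/access.log.1"
  echo "$base"
}

# Constructed crontab text in the shape the host described: one benign weekly
# job and two hourly copies of "log" files into the web root.
sample_crontab() {
  cat <<EOF
# m h dom mon dow command
MAILTO=""
30 3 * * 0 /home/user/bin/backup.sh
0 * * * * cp $1/logs/old.example.net/access.log.4 $1/site/wp-main.php
0 * * * * cat $1/logs/old.example.net/error.log.2 > $1/site/soap.php
EOF
}

base=$(make_sample_stash)
echo "== crontab lines worth a look =="
sample_crontab "$base" | suspicious_cron_lines
echo "== files copied by cron that are PHP under a log name =="
sample_crontab "$base" | hidden_php_in_cron
rm -rf "$base"
# On the real account: crontab -l | suspicious_cron_lines ; crontab -l | hidden_php_in_cron
```

To reproduce what the host did, run `note_if_present /path/to/wp-main.php /tmp/watch.log` from a loop (`while sleep 300; do ...; done`) and read the timestamps; a file that returns at exactly the same minute each hour points at a scheduled job rather than at a web request. Cleaning then means removing the cron entry and the stashed payloads as well as the files in the web root, and re-checking `crontab -l` afterwards, since anything that can write the crontab can put the entry back.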
