Title: pharma hack
Last modified: August 19, 2016

---

# pharma hack

 *  [evaneckard](https://wordpress.org/support/users/evaneckard/)
 * (@evaneckard)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/)
 * I’ve been hit with this “pharma hack” going around (see [http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php](http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php)
   for details).
 * Anyhow, I’ve done all I can to get rid of this thing, yet the rogue plugin files
   and database entries keep appearing. Within the _options table row, 3 entries
   will consistently appear no matter how many times I delete them: “wp_check_hash”,
   “class_generic_support” & a malicious RSS entry. Somehow these entries write malicious
   files into random plugin folders that have “ext-”, “db-” or “class-” appended
   to them.
 * No matter how many times I delete them, they keep coming back. I’ve increased
   all of the security I can, and have all permissions set to where they should
   be. This is obviously an exploit of the WordPress install.
 * Has anyone figured out how to clean this thing out for good?

Viewing 11 replies - 1 through 11 (of 11 total)

 *  Thread Starter [evaneckard](https://wordpress.org/support/users/evaneckard/)
 * (@evaneckard)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519163)
 * The plugin files that this exploit writes look like this:
 * _[Code moderated as per the [Forum Rules](http://wordpress.org/support/topic/68664).
   Please use the [pastebin](http://wordpress.pastebin.com)]_
 *  Thread Starter [evaneckard](https://wordpress.org/support/users/evaneckard/)
 * (@evaneckard)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519164)
 * This file appeared as “ext-akismet.php”
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519174)
 * Carefully follow this guide:
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 * When you’re done, implement some (if not all) of the recommended security measures:
 * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  Thread Starter [evaneckard](https://wordpress.org/support/users/evaneckard/)
 * (@evaneckard)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519323)
 * Short of deleting everything, I have already followed both of those articles
   and it’s no help.
 * This has to be a hole in WordPress itself, I’m assuming poor security in one
   of the core files.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519324)
 * [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   
   [http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/](http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/)
 * The back door could be anywhere on the server.
 *  Thread Starter [evaneckard](https://wordpress.org/support/users/evaneckard/)
 * (@evaneckard)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519340)
 * Yes, I’ve followed those as well – no dice.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519369)
 * Have you changed your FTP password yet? One of the theories is that malware is
   intercepting or has intercepted the FTP password (which is sent in the clear),
   providing easy access to your server.
 *  [james9](https://wordpress.org/support/users/james9/)
 * (@james9)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519443)
 * I also tried all the above tricks and still the spammers return. I do have some nice
   variations of the akismet pharma hacks if you want to research this exploit
   (currently 5 versions). Just message me lifesizedATgmail if you want to get the
   files. I scanned my machine for malware and found a few pieces. Removed it. Cleaned
   my computer completely. Then I changed my FTP username/pwd and woke up the following
   morning with spam firing on all cylinders still. I have to give the spammers
   credit. Whatever they are doing is pretty smart stuff and I also was guilty of
   sloppy WP updating for a while.
 *  [chakani](https://wordpress.org/support/users/chakani/)
 * (@chakani)
 * [15 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519461)
 * Have you tried changing your .htaccess file? See this post:
 * “_Top 5 WordPress Security Tips You Most Likely Don’t Follow”_:
 * [http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow](http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow)
 * NOTE: See my post at bottom of that page.
 * Note 2: Your link “[http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php](http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php)”
   is already 404.
 *  [Daniel Cid](https://wordpress.org/support/users/ddsucurinet/)
 * (@ddsucurinet)
 * [15 years, 10 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519512)
 * I posted about this pharma hack here:
 * [http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html](http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html)
 * It seems that you forgot to remove the backdoor being used to give the attackers
   access to your system. As I said in the post, searching only for eval(base64_decode
   is not enough, since they are hiding it now too. If you do not remove it, they
   will re-infect your site every so often.
 * thanks,
 *  [rubytuesday](https://wordpress.org/support/users/rubytuesday/)
 * (@rubytuesday)
 * [15 years, 5 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519543)
 * Hello all, where are you hosting? Search the forum for “Pharma” and “Dreamhost” –
   there are at least two Dreamhost clients reporting the same clean/re-infection
   problem (me being one of them).
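
A triage sketch for the indicators named in this thread, added here as an example (not code from any poster or from WordPress): it lists plugin files carrying the `ext-`, `db-` or `class-` prefix, records whether the `eval(base64_decode` search would have caught each one, and filters option names for `wp_check_hash` and `class_generic_support`. The sibling-file heuristic, the function names and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile

# Indicators quoted in the thread above; not a complete signature set.
SUSPECT_PREFIXES = ("ext-", "db-", "class-")
SUSPECT_OPTIONS = {"wp_check_hash", "class_generic_support"}
NAIVE_PATTERN = b"eval(base64_decode"

def scan_plugins(plugins_dir):
    """Map each prefixed .php file to the signals that apply to it."""
    hits = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            prefix = next((p for p in SUSPECT_PREFIXES if name.startswith(p)), None)
            if prefix is None or not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                body = fh.read()
            hits[os.path.relpath(path, plugins_dir)] = {
                # Assumption: "ext-akismet.php" shadows a real "akismet.php".
                "sibling": os.path.exists(os.path.join(root, name[len(prefix):])),
                "naive_grep": NAIVE_PATTERN in body,
            }
    return hits

def suspect_options(option_names):
    """Filter option_name values exported from the _options table."""
    return sorted(SUSPECT_OPTIONS.intersection(option_names))

def build_sample_tree(base):
    """Constructed sample tree; every file body is an inert placeholder."""
    folder = os.path.join(base, "akismet")
    os.makedirs(folder)
    samples = {
        "akismet.php": b"<?php // legitimate plugin file (placeholder)\n",
        "ext-akismet.php": b"<?php // planted file, payload hidden (placeholder)\n",
        "db-akismet.php": b"<?php eval(base64_decode('')); // placeholder\n",
        "class-widget.php": b"<?php // legitimate class file (placeholder)\n",
    }
    for name, body in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, info in sorted(scan_plugins(build_sample_tree(tmp)).items()):
            print(path, info)
    print(suspect_options(["siteurl", "wp_check_hash", "class_generic_support"]))
```

`class-` is also a common prefix in legitimate plugins, so treat hits as files to compare against a clean copy of the plugin, not as confirmed infections.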


The topic ‘pharma hack’ is closed to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)
 * [pharma](https://wordpress.org/support/topic-tag/pharma/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 11 replies
 * 7 participants
 * Last reply from: [rubytuesday](https://wordpress.org/support/users/rubytuesday/)
 * Last activity: [15 years, 5 months ago](https://wordpress.org/support/topic/pharma-hack/#post-1519543)
 * Status: not resolved

