How to Diagnose and Remove the WordPress Pharma Hack

A few weeks ago, I started receiving tweets and emails from people who claimed that search results for my site were looking more like a pharmacy than a helpful Web resource.

Of course, upon hearing such blasphemy, I immediately opened a new browser tab, looked around to make sure no one was watching, and then started Googling myself…and if you think that is some NC-17 material, wait ’til you see what my search results looked like:

Google search results showing the WordPress pharma hack

Figure 1. The three red arrows highlight <title> tags that were cloaked by the WordPress pharma hack. Helpful Web guy or reckless pill-slinger? You decide :D

What you don’t see in the picture above is a hacked <title> tag for my home page, but that’s only because I fixed it before realizing I was going to write an article about these shenanigans.

Suffice it to say that, before I caught the hack, my site looked more like the best damn antidepressant resource than the best damn blog on the planet.

Enough of that, though—let’s dig a little deeper into the WordPress pharma hack and see what it’s all about.

What Does the WordPress Pharma Hack Do?

There are three facets of the pharma hack that I find particularly interesting. First, the results of the hack are only visible to search engines. The hack looks at who is requesting a page and serves the spam only to what it takes to be a search-engine crawler, so if your site is hacked, the public-facing portion of it will remain visibly unaffected. In other words, you won’t be able to spot the hack just by viewing the HTML source in a normal browser; it shows up in search results, in Google’s cached copy of the page, or when you fetch the page while identifying yourself as a crawler. The goal of any hack like this is to gain valuable links from high-ranking pages, and these hackers have wisely chosen to disturb the water as little as possible while going about their dirty business.

Second, like other hacks, the pharma hack must place malicious files in your WordPress folders in order to work its evil. However, unlike other hacks that I’ve encountered, the pharma hack disguises a majority of its code and saves it in the WordPress database, thereby making it more difficult to find and eliminate.

The third remarkable aspect of the pharma hack is that it didn’t affect every page of my site. Instead, it targeted only the pages of my site that receive the most search traffic. For example, in Figure 1 above, the three hacked titles correspond to the following posts:

Interestingly, these three pages contain the most potent and high-ranking keywords on my site. Also, back when I ran AdSense, two of those three pages were the highest earners on the entire site (as far as PPC is concerned, anyway [1]).

With these key points in mind, let’s answer the original question here: What does this hack do?

The WordPress pharma hack quietly exploits your highest-ranking and most valuable pages by overriding the title tag and by inserting spammy links into the page content. Interestingly, the modified title tag and spammy links are only visible to search engines.
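Because the spam is only served to crawlers, the quickest way to see it yourself is to ask for a page twice: once as a browser and once claiming to be Googlebot, and compare what comes back. The script below is an added example, not code from the original post. It assumes the hack decides by the User-Agent header (some variants key on IP address or referrer instead), the two user-agent strings are ordinary ones, and the sample HTML at the bottom is constructed so the comparison can be run offline.

```python
"""Cloaking check for the pharma hack: fetch one URL as a browser and as a
crawler, then compare the <title> and the outbound links the two views contain.
Added example, not code from the original post.  The user-agent strings are
ordinary ones (assumption); the sample HTML at the bottom is constructed."""
import sys
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _PageInfo(HTMLParser):
    """Collect the <title> text and every href in the document."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def page_info(html):
    """Return (title, [hrefs]) for an HTML document."""
    parser = _PageInfo()
    parser.feed(html)
    return parser.title.strip(), parser.links


def cloaking_diff(browser_html, crawler_html):
    """Report what the crawler view shows that the browser view does not."""
    browser_title, browser_links = page_info(browser_html)
    crawler_title, crawler_links = page_info(crawler_html)
    return {
        "title_changed": browser_title != crawler_title,
        "browser_title": browser_title,
        "crawler_title": crawler_title,
        "crawler_only_links": sorted(set(crawler_links) - set(browser_links)),
    }


def fetch_as(url, user_agent, timeout=15):
    """Fetch url while presenting the given User-Agent (live check; needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_url(url):
    """Fetch the page twice and diff the two views."""
    return cloaking_diff(fetch_as(url, BROWSER_UA), fetch_as(url, CRAWLER_UA))


# Constructed sample: the same post as a browser receives it, and as a cloaked
# response to a crawler would look (title swapped, hidden spam links added).
BROWSER_VIEW = """<html><head><title>How to Tune Your Theme</title></head>
<body><p>Real content. <a href="/about/">About</a></p></body></html>"""
CRAWLER_VIEW = """<html><head><title>Buy Cheap Pills Online</title></head>
<body><p>Real content. <a href="/about/">About</a></p>
<div style="display:none"><a href="http://pharma.example.invalid/">cheap pills</a></div>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_url(sys.argv[1])   # python cloak_check.py https://yoursite.example/
    else:
        result = cloaking_diff(BROWSER_VIEW, CRAWLER_VIEW)
    for key, value in result.items():
        print("%-20s %s" % (key, value))
```

A clean result from this check is not proof of a clean site: if a variant decides by IP address or referrer rather than User-Agent, both fetches get the same innocent page. Google’s cached copy of the page, or the Fetch as Googlebot tool in Webmaster Tools, is the authoritative view of what the crawler was actually served.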

How Does the WordPress Pharma Hack Work?

We know what the pharma hack does, but in order to eliminate it and to prevent attacks like this in the future, we need to know how it does what it does.

Basically, the hack consists of two parts: malicious files in the WordPress plugins folder coupled with obfuscated code stored in the WordPress database. (The database code is encoded rather than encrypted; there is no key involved, just a reversible transformation meant to defeat a casual search.) The files in the plugins folder contain the loader that fetches the database payload, decodes it, and runs it, so the pharma hack depends on those rogue files to do anything at all.

Typically, hack files contain easily identifiable PHP functions like eval() and base64_decode(), and although the pharma hack is no exception, there’s one major difference. With the pharma hack, these function names are stored in the WordPress database as strings, and they’re written backwards (base64_decode becomes edoced_46esab), so a search of your files or your database for eval or base64_decode turns up nothing. At runtime, a hack file in the plugins folder pulls these strings from the database, flips ’em (PHP’s strrev() does exactly this), and then calls ’em as functions, which PHP allows because a string variable can be invoked as a function name. That’s how the deed gets done.

Oh, and remember how I said this hack only targeted my most potent and high-ranking pages? Cleverly, the hack pings Google Blog Search with queries like this one to see how many links a particular page has, and then it stores the results in the database. At runtime, the hack uses the number of links to determine which pages to target…

Sneaky bastards :D

How to Remove the WordPress Pharma Hack

Even if you don’t see any symptoms of the pharma hack (like cloaked title tags in search results), your site may still be compromised, and whoever planted the hack may still have a way in. To know for sure, you’ll have to dig through the two places where the hack is known to romp: your WordPress plugins folder and your WordPress database.

Oh, and before we go any further, let’s get one thing straight—you are running the latest version of WordPress, aren’t you? Good, I knew you were the sensible type :D

Step 1: Remove Hack Files from Your Plugins Directory

Let’s start by examining the WordPress plugins folder for hack files. Using an FTP client (or, better, SFTP or SSH if your host offers it, since plain FTP sends your password across the network in the clear), navigate to the /wp-content/plugins directory, and then locate your Akismet folder. I’ve recommended this particular folder as a starting point because I found malicious files stored here on three different sites; however, based on what I’ve learned about the pharma hack, these malicious files could be in the directory of any active plugin. Therefore, in order to do a thorough diagnosis, you should check every plugin that was active at the time your site was hacked.

Using your FTP client, make sure your viewing options are set to show hidden files, and then check to see if any of the following malicious files are located in your Akismet plugin folder:

  1. .akismet.cache.php
  2. .akismet.bak.php
  3. .akismet.old.php
  4. class-akismet.php
  5. db-akismet.php

Ultimately, the important thing to note here is not the filenames themselves, but rather the patterns these names follow.

Items 1–3 are hidden files, and they all exhibit a characteristic naming structure with .cache, .bak, .old, or a similar pseudo-extension in the middle of the filename. Generally, you’ll find two out of three of these files together—one will look like this, and the other will look like this.

Items 4 and 5 share a naming convention, too—they are simply the plugin name (or a truncated version of the full plugin name) prefixed by either class- or db-. If you find a file that matches this convention, its contents should look like this.

Now, when you check other folders, you’ll know what naming patterns to look for when attempting to spot hack files, you sleuth you!

Here’s what one of my infected Akismet folders looked like; note that an uninfected Akismet folder (at the version current when this was written) contains only three files (akismet.gif, akismet.php, and readme.txt) and no hidden files. Newer releases ship more files, so the reliable check for any plugin is to compare its folder against a fresh download of the same version from WordPress.org and treat anything extra as suspect:

hacked WordPress Akismet folder containing hidden files

Figure 2. Two hidden files inside the Akismet plugin folder that were planted by the WordPress pharma hack.

If you find infected files, delete them! Doing this will effectively end the pharma hack symptoms and restore your search results, but it’s important to note that your site is still compromised at this point: the payload those files load is still sitting in your database, and the hole the attacker came in through is still open. In order to remove all traces of the hack and restore the integrity of your site, you’ll need to dig into your WordPress database to remove the lingering offensive code.
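Checking folders by eye over FTP gets old fast once you have more than a handful of plugins, so here is the same Step 1 logic as a script you can point at a copy of wp-content/plugins. This is an added example, not the post’s own code: the naming rules are the ones described above (hidden files with a pseudo-extension in the middle of the name, and class-/db- prefixed files built from the plugin folder’s name); the content heuristic (a file that calls strrev() alongside eval() or base64_decode()) and the sample tree that build_sample_tree() creates are my assumptions, constructed so the scan can be run without a real site.

```python
"""Scan a wp-content/plugins tree for files that follow the naming patterns the
pharma hack used (Step 1).  Added example, not the post's own code: the name
rules are the ones described above; the content heuristic and the sample tree
built by build_sample_tree() are assumptions/constructed."""
import os
import re
import sys
import tempfile

# Items 1-3: hidden file, pseudo-extension in the middle, .php at the end.
PSEUDO_EXT = re.compile(r"^\.[\w-]+\.(cache|bak|old|tmp|log|orig|swp)\.php$", re.I)
# Items 4-5: class- or db- prefix followed by (part of) the plugin folder name.
PREFIXED = re.compile(r"^(class|db)-([\w-]+)\.php$", re.I)
# Heuristic (assumption): a loader that reverses strings and then evals/decodes them.
CALLS = re.compile(r"\b(eval|strrev|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def classify(plugin_dir, filename, content=b""):
    """Return the reasons a file looks planted, or an empty list if it looks clean."""
    reasons = []
    lower = filename.lower()
    if filename.startswith(".") and lower.endswith(".php"):
        reasons.append("hidden .php file")
        if PSEUDO_EXT.match(filename):
            reasons.append("pseudo-extension (.cache/.bak/.old/...) in the middle of the name")
    match = PREFIXED.match(filename)
    if match and match.group(2).lower() in plugin_dir.lower():
        reasons.append("%s- prefix built from the plugin folder name" % match.group(1).lower())
    calls = {c.lower() for c in CALLS.findall(content.decode("latin-1"))}
    if "strrev" in calls and calls & {"eval", "base64_decode", "gzinflate"}:
        reasons.append("reverses strings and then executes or decodes them")
    return reasons


def scan_plugins(plugins_root):
    """Walk every plugin folder and return [(relative path, [reasons]), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(plugins_root):
        rel_dir = os.path.relpath(dirpath, plugins_root)
        plugin_dir = rel_dir.split(os.sep)[0]          # top-level plugin folder name
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)                   # enough to see a loader stub
            reasons = classify(plugin_dir, name, head)
            if reasons:
                rel = os.path.relpath(path, plugins_root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return findings


def build_sample_tree():
    """Constructed fixture: a clean Akismet folder plus planted files like those in
    Figure 2, and the class-replace.php case mentioned in the comments."""
    root = tempfile.mkdtemp(prefix="plugins-")
    files = {
        "akismet/akismet.php": b"<?php /* Plugin Name: Akismet */",
        "akismet/akismet.gif": b"GIF89a",
        "akismet/readme.txt": b"=== Akismet ===",
        "akismet/.akismet.cache.php": b"<?php $f=strrev('lave'); $f(base64_decode($payload));",
        "akismet/class-akismet.php": b"<?php // loader stub",
        "search-and-replace/search-and-replace.php": b"<?php /* Plugin Name: Search and Replace */",
        "search-and-replace/class-replace.php": b"<?php // loader stub",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # python scan_plugins.py /path/to/wp-content/plugins  (no argument: scan the fixture)
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, reasons in scan_plugins(root):
        print(rel, "->", "; ".join(reasons))
```

Treat a hit as “compare this file against a fresh download of the plugin,” not as “delete on sight”: plenty of legitimate plugins ship class-*.php files, and the name patterns are only what this particular hack happened to use. It is also worth running the same scan over wp-content/themes, wp-content/uploads, and wp-includes, since nothing stops an attacker who can write into the plugins folder from writing elsewhere.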

Step 2: Remove Malicious Code from Your WordPress Database

Because this step involves database interaction, it’s crucial that you pay close attention to the instructions outlined here. Also, it’s always a good idea to make a database backup before manually editing anything, so don’t say I didn’t warn ya!

To begin, you’ll need to access phpMyAdmin, which is a program on your server that allows you to view the databases associated with your hosting account. If you’ve never heard of phpMyAdmin and don’t know how to access it, don’t worry—simply contact your Web host, and they’ll be able to help you out here [2].

Select the wp_options table inside phpMyAdmin

Figure 3. Select the wp_options table in your WordPress database.

Once you’re inside phpMyAdmin, select your active WordPress database from the left side of the page. If you’ve selected the correct database, you’ll notice a new set of links on the left—a collection of tables that look like those shown in Figure 3. From here, click on the wp_options table, and this will allow you to browse the table contents.

Your goal here is simple—you need to delete database entries that contain malicious code. Fortunately, finding the entries you need to delete is a simple job if you use the phpMyAdmin search function, which you can access by clicking the Search tab at the top of the page, as shown in Figure 4:

phpMyAdmin Search tab

Figure 4. Click on the Search tab to search the wp_options table inside phpMyAdmin.

On the search screen, you’re going to need to search the option_name field (see Figure 5 below) for the following rogue database entries:

  • wp_check_hash
  • class_generic_support
  • widget_generic_support
  • ftp_credentials
  • fwp
  • rss_% (the % is a wildcard, so this matches every entry whose name begins with rss_)

Attention! In the case of rss_%, delete all matches except rss_language, rss_use_excerpt, and rss_excerpt_length (these are legit WordPress database entries). Two caveats before you hit delete. First, ftp_credentials is also written by WordPress itself when you type FTP details into the updater’s credentials form (it stores the hostname and username, not the password), so its presence alone doesn’t prove you’ve been hacked; deleting it is harmless, because WordPress will simply ask for the details again. Second, a name on this list is a starting point, not a verdict. What makes an entry malicious is its value, so open the option_value column for each match and look for long runs of base64-looking text and for PHP function names written backwards, such as edoced_46esab (base64_decode reversed); a legitimate rss_ entry has a short, readable value.
Search the option_name field

Figure 5. Search the option_name field for malicious database entries from the list above. If you find any of these entries, delete them!
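The phpMyAdmin search finds the rows; deciding which ones are poison still means reading their values. The script below is an added example, not code from the original post, and it serves both this step and the “How Does the WordPress Pharma Hack Work?” section above: given rows exported from wp_options, it flags the option names listed here (with the rss_ exception), spots PHP function names stored backwards, and reverses and base64-decodes any long blob in a value so you can read the hidden PHP. The SQL string assumes the default wp_ table prefix, the sample rows are constructed, and the md5-style rss_ name in them is made up.

```python
"""Review wp_options rows for the pharma hack (Step 2) and, as described under
"How Does the WordPress Pharma Hack Work?", decode the backwards-stored payload.
Added example, not code from the original post.  The sample rows are
constructed; the SQL assumes the default wp_ table prefix."""
import base64
import re

# Option names Step 2 says the hack creates.
ROGUE_NAMES = {"wp_check_hash", "class_generic_support", "widget_generic_support", "fwp"}
# Also written by WordPress's own updater when you enter FTP details: review, don't assume.
REVIEW_NAMES = {"ftp_credentials"}
# The only rss_ entries that belong to WordPress itself.
LEGIT_RSS = {"rss_language", "rss_use_excerpt", "rss_excerpt_length"}

# PHP names the hack stores backwards so that a grep for eval/base64_decode finds nothing.
PHP_FUNCS = ("eval", "base64_decode", "gzinflate", "strrev", "preg_replace", "create_function")
REVERSED = {f[::-1]: f for f in PHP_FUNCS}
# A base64 blob stored backwards carries its = padding at the front instead of the end.
B64_BLOB = re.compile(r"={0,2}[A-Za-z0-9+/]{40,}={0,2}")

# The same rows, pulled by hand in phpMyAdmin's SQL tab.
SQL = (
    "SELECT option_id, option_name, LEFT(option_value, 200) AS preview FROM wp_options "
    "WHERE option_name IN ('wp_check_hash','class_generic_support','widget_generic_support',"
    "'fwp','ftp_credentials') OR option_name LIKE 'rss\\_%';"
)


def _is_text(data):
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decode_hidden_payload(value):
    """Find a long base64-looking run and try it backwards first (the hack's trick), then as is.
    Returns (orientation, decoded text) or None when nothing decodes to readable text."""
    for blob in B64_BLOB.findall(value):
        for orientation, candidate in (("reversed", blob[::-1]), ("plain", blob)):
            try:
                data = base64.b64decode(candidate, validate=True)
            except ValueError:          # binascii.Error is a ValueError
                continue
            if _is_text(data):
                return orientation, data.decode("ascii")
    return None


def classify_option(name, value):
    """Return ([reasons], decoded payload or None) for one wp_options row."""
    reasons = []
    if name in ROGUE_NAMES:
        reasons.append("option name is on the known-rogue list")
    elif name in REVIEW_NAMES:
        reasons.append("written by WordPress's updater; review the value, delete if unsure")
    elif name.startswith("rss_") and name not in LEGIT_RSS:
        reasons.append("legacy rss_ feed-cache entry, not one of the three legitimate rss_ options")
    for backwards, func in REVERSED.items():
        if re.search(r"(?<![A-Za-z0-9_])%s(?![A-Za-z0-9_])" % re.escape(backwards), value):
            reasons.append("value contains %s, which is %s() written backwards" % (backwards, func))
    hidden = decode_hidden_payload(value)
    if hidden:
        reasons.append("value carries a %s base64 payload that decodes to readable text" % hidden[0])
    return reasons, (hidden[1] if hidden else None)


def review_options(rows):
    """rows: iterable of (option_name, option_value) as exported from wp_options."""
    findings = []
    for name, value in rows:
        reasons, decoded = classify_option(name, value)
        if reasons:
            findings.append({"name": name, "reasons": reasons, "decoded": decoded})
    return findings


# Constructed fixture: legitimate rows mixed with what a hacked wp_options might hold.
_PHP = "<?php if(strpos($_SERVER['HTTP_USER_AGENT'],'Googlebot')!==false){echo $links;}"
_REVERSED_BLOB = base64.b64encode(_PHP.encode()).decode()[::-1]
SAMPLE_ROWS = [
    ("siteurl", "http://example.invalid"),
    ("rss_language", "en"),
    ("rss_excerpt_length", "50"),
    ("rss_4f3d2c1b0a9e8d7c6b5a4f3e2d1c0b9a",          # md5-style name, constructed
     'a:1:{s:4:"code";s:%d:"%s";}' % (len(_REVERSED_BLOB), _REVERSED_BLOB)),
    ("class_generic_support", 'a:1:{i:0;s:13:"edoced_46esab";}'),
    ("ftp_credentials", 'a:2:{s:8:"hostname";s:19:"ftp.example.invalid";s:8:"username";s:5:"admin";}'),
]

if __name__ == "__main__":
    print(SQL)
    for finding in review_options(SAMPLE_ROWS):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
        if finding["decoded"]:
            print("    decoded:", finding["decoded"])
```

Export the matching rows from phpMyAdmin (or run the SQL string above), feed them to review_options(), and read the decoded text before deleting anything: seeing the actual PHP tells you which pages it targets and what else it loads, which is the lead you need for finding the rest of the infection.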

What Next? (And Some Helpful Prevention Tips!)

Now that you’ve successfully removed the WordPress pharma hack, you’re probably wondering what you can do to prevent stuff like this from happening in the future. On that note, I’ve got some good news, and I’ve got some bad news. First up, the bad news…

At this time, there is still one huge unanswered question about the WordPress pharma hack: How in the hell did the hackers manage to get into your server in the first place? I’ve received reports of the pharma hack on a variety of different Web hosts and server configurations, so it’s clear that the main vulnerability extends beyond a single host/server platform. So far, the only common denominator between the sites I’ve examined is that they’re all running WordPress, but even this fact doesn’t mean that WordPress itself is the problem.

Alright, with the bad news out of the way, it’s time for the good news: You can prevent hacks like this in the future. Rather than rehash the information here, I’m going to point you to a fantastic resource on WordPress security tips. From the perspective of someone whose site just got dropped from Google’s index because of the pharma hack (that’s me), you would be wise to follow these simple security suggestions :D

[1] For the record, I think AdSense and PPC advertising are terrible ways to make money online for two reasons. First, they sodomize the visual flow of your site by taking up valuable real estate, and second, they simply aren’t as genuine and helpful to mankind as other methods of monetization. For more, read up on the two methods I recommend for making money online.

[2] If you’re unhappy with your current host or not getting the answers you need, check out what I have to say on the topic of Web hosting—my guys will help you out for sure.

344 comments… read them below or add one

Michelle April 15, 2010

Thanks for this post, it will really help a lot of us out! I haven’t been hacked yet but I will definitely follow through on your steps for security and making sure no rogue files/entries are lurking within my files and database.

Jason August 26, 2011

I had a small site totally get hacked. Freakin idiots! Thanks for your tutorial/suggestions. You rock!

Lew A April 15, 2010

I noticed that the hacked files in your screenshot had older timestamps on them. Did you by chance notice if the pharma hack was using the linux ‘touch’ command to change the mtime?

Lew

Chris Pearson April 15, 2010

Excellent question. I did not notice the ‘touch’ command, probably because this is the first I’ve heard of it :D

It’s possible that the touch command exists in the encrypted hack files that I linked in Step 1 or in the encrypted code in the WordPress database; to know for sure, one would have to decode all that garbage and then inspect it.

Also, I didn’t mention it in the post, but this site was moved to a new server on March 14. Right around that time is when I first noticed the strange timestamps, and since I never came to any explanation as to why the timestamps were all reverted back to 9/5/07, it’s quite possible that the hack did indeed play a role here.

I’ll be interested to see if other people whose sites were infected noticed similar results while working with these files via FTP.

andymurd April 15, 2010

If the hacker was using touch to set a timestamp in the past, you’ve got big problems because that requires elevated privileges (typically root access or file ownership) so I’d check the ownership of those files too.

More likely is that the hacker uploaded a zip or tar file and unpacked it on your server preserving the timestamps from when the zip was created. I wonder if WordPress’s plugin update mechanism got compromised?

Great investigation and write up, Chris. Let’s hope you can keep the scumbags out.

Nick Nelson April 15, 2010

Great post Chris. It ALMOST makes all the hell we went through (mostly you) worth while… ;)

Matt April 15, 2010

I’m so glad you got this figured out! Thanks for all the hard work, I know we all appreciate it.

Also, great question by Lew.

Jennifer Wilson September 7, 2011

I have to add to Matt’s compliment in thanking you for this post. I’m really glad I came across this! I don’t understand hackers. Never have and never will. Lew, your question/comment was money and I thank you for that as well.

Brendan Wenzel April 15, 2010

So, I’m guessing that if I’m not using Akismet I’ll be ok? That’s a wicked hack dude. Some people need to use their brilliance for good causes instead of this nonsense. Good job in finding a solution though. That’s masterful coding work dude.

Chris Pearson April 15, 2010

Brendan, unfortunately, you cannot make that assumption here. In fact, on this site, one of the hack files was located in the /search-and-replace plugin directory (from the Search and Replace plugin), and it took me a long time to get rid of the hack because I simply wasn’t looking in this location.

Also, the pharma hack contains a ton of dynamic code that allows it to “chameleon” its way into any available WordPress plugin folder. For instance, the hack file that I found in the /search-and-replace folder was called class-replace.php. By contrast, the hack file that I found in an Akismet folder on another server was called class-akismet.php, but it was the exact same file.

Ultimately, I think Akismet is a convenient entry point for this hack because:

  • tons of WordPress users also use Akismet, so it’s fair to assume that this plugin is probably active
  • if the hack parses active plugin folders alphabetically, then it makes sense that plugins beginning with ‘a’ would receive these hack files

Brendan Wenzel April 15, 2010

ok, thanks dude for the quick answer.

Matt April 15, 2010

@brendan
I don’t think that there is evidence to say definitively that akismet is the problem. Chris even says “these malicious files could be in the directory of any active plugin.”

Still scary, though! ;)

Tom April 15, 2010

I checked and I don’t have that issue, but the cleanup and security tips are things that we should all take more seriously. A few sites I run were recently defaced and this post made me take a look even closer. Glad I have you on RSS. Looks like a fun weekend for security!

Russell Jamieson April 15, 2010

The pharma hack is seriously clever in the way it focuses on the highest rated pages in google and that it only offers up the hack to the search engines.

Fortunately, I was not affected by the hack perhaps due to solid hosting on a VPS on Liquidweb, and the lack of PPC on my site. I follow your recommendation of making and selling my own products as well as making affiliate sales of products I use and can recommend.

Many thanks Chris for the extensive forensic work on this and the excellent documented recovery process. Your vigilance is appreciated. No doubt the next attack will be even cleverer and WordPress 3.0 may open a few new holes, so it is good to know your eye is on the ball.

Ben Cook April 15, 2010

Chris, I don’t think it just attacks your ranking pages. For example, I doubt this page is kicking butt in the rankings but it’s still been hit.

Of course, that site’s also running 2.7 so who knows what kinds of hacks it’s been exposed to.

Paul Cunningham April 15, 2010

Great analysis of the hack though it always bothers me when the exact “how” of the hack remains unknown. Seems you’ve been very thorough so hopefully you caught it all.

Wynne April 15, 2010

I guess if you check your rankings and main keywords on a reasonable frequency you might also notice this?

Chris Pearson April 15, 2010

Absolutely. As a website owner, it just makes sense to know the pulse of your site in as many places as possible—sales, traffic, search, CTR, etc.

Jay Thompson April 15, 2010

Fabulous post Chris!

I haven’t been hit by the pharma hack, but in the last week people have reported malware warnings (sometimes) when visiting my WP blog. I found a piece of base64_decode() PHP that was in my footer.php file. Hopefully that was the culprit.

When I search my DB using the terms you have above, rss_excerpt_length also comes up in the rss_% search. Is it safe to assume that is legit also?

Chris Pearson April 15, 2010

Yeah, that one’s safe if the value field is short and sweet.

Rich Williams August 15, 2012

Hi Jay and Chris and All,
That is some great information Chris. Good work and thank you for that.

This is just a comment to Jay’s post in that I have a couple of customers that had their WordPress sites hit with a Malware attack as well, but the code was located in the header.php file. And not just the active header file but in every header file that was located in the themes directory. “/public_html/wordpress/wp-content/themes/”

So, Jay, and anyone else that has been hit with a malware attack on your WordPress sites, check your header.php files for the code. You can’t miss it because it sticks out like a sore thumb.

Also, one important note is to change the file permissions to make the header files not writeable by anyone and this will stop the hacker from injecting his code again. I am saying this from my experience with this hack because after I removed the code from all the header.php files the first time, which I thought would be the last time, the header.php files had the malware code injected again. I was able to stop it by changing the file permissions to 444, which removed the write permission from the “Owner”.

Ultimately, we found that one of the girls that did some of the content updating on the sites had an infected computer, so every time she logged into the WordPress site to make updates, the header.php files were also updated by the infection that was on her computer.

Anyway, sorry about the long winded post but I felt I had to contribute my experiences with hackers and malware attacks since it was a little different from what I had read up to this point.

So, thank you for letting me post this info and I hope it helps someone else that has been hacked by these evil bastards.

Good luck All.

Rich Williams

Tony Spencer April 15, 2010

I was hit by this one a couple months ago and I wrote numerous notes as I went through the painful process of removing this one. At least from my experience, there are far more steps involved to fully remove it. I hate to say it but I’d bet you’ve still got the bug lurking in other files and it’ll rear its head again. The infected code gets planted in many more files than those you mentioned and leaves multiple backdoors. The hacker simply returns a week later and enters one of his backdoors you didn’t find and replaces the database code.

I’ll gather my notes and send them to you privately.

Zander Chance April 30, 2010

Tony Spencer – Can you send me your notes as well? Our whole blog network (40+ sites) got compromised by this hack, and we’re STILL having issues.

The latest issue was some base64 encoded code in our wp-includes/general-template.php file. What doesn’t make sense is that we upgraded WordPress after the initial incident, which means everything in the wp-includes directory should have been replaced with fresh files.

It’s scary how complex and thorough this hack has been!

Debbie Ridpath Ohi June 3, 2010

I’ve also been hit and have been trying very hard to clean up the mess. My husband reinstalled WordPress and reloaded the database, but some images got broken which I’ve been gradually fixing.

A few days later, though, I discovered that the search I have on the site redirects users to a pharmacy site, so obviously there’s still bad code around. :-(

I followed the instructions above, but wasn’t able to find any of the “rogue database entries” mentioned in my SQL database.

I’m pretty desperate at this point and would be grateful for any pointers.

Fingers crossed,
Debbie

Debbie Ridpath Ohi June 3, 2010

Solved it. The hacker had placed two innocent-looking files in wp-content. One was tweetmeme.tmp and one was akismet.tmp. Both files were 0 size.

I only knew to look for them after reading your tips, Chris (re: innocent-looking files). THANK YOU.

Derick Schaefer June 3, 2010

So, to be clear, being 0K, they didn’t have anything in them and were truly empty? I’d really like to understand more about the 0K as we can add that kind of search to MalWatch which would be helpful. . .

Debbie June 4, 2010

My “fix” only worked for one day, so obviously there’s still malicious code hanging around. I can’t find it and I’m tired of spending so much time doing WordPress admin/fixes for all my blogs.

I’ve decided to convert all blogs out of WordPress to a paid hosting service. I’ve been using WordPress for years, but I’m just one person without any staff and also without technical expertise…think I’ll be better off paying someone to take care of the back-end stuff so I can focus on the content.

Luke McOmie November 28, 2012

I’m researching the pharma hack and have found a new variant. I would love to see your notes that you mention on pearsonified.com if you would like to share them.

Thank you,
Luke

Liji Jinaraj April 15, 2010

Do you use the www-data user and group on your server?

Chris Pearson April 15, 2010

As far as I know, no.

Brad Potter April 15, 2010

Wouldn’t it be best to:
1. Backup your database.
2. Search and remove the offending entries.
3. Install a fresh copy of WordPress and your theme
4. Follow the security tips

Seems like that is the only way to have peace of mind.

Chris Pearson April 16, 2010

Brad, the theme doesn’t really matter here. This particular hack targets the plugins folder, so if you truly want to be secure, you should nuke all your plugins and start over fresh from there.

Brad Potter April 16, 2010

I guess my point is if the hack found a way into your site, who knows where he has been and hidden code. It’s much like trying to diagnose operating system problems. Sometimes it’s better to do a fresh install of everything as it can actually save time and ensure nothing else has been compromised.

Roland June 11, 2010

That’s a very good idea. All the necessary things that we have in the plugin folder will in future come with the Thesis theme. Great idea.

Reface your Facebook April 15, 2010

I don’t believe ftp_credentials is a rogue db entry.

Chris Pearson April 16, 2010

I only found this entry on sites that had been running WordPress for a long time (with versions prior to 2.8), and since it doesn’t exist on new installations, it’s safest to just delete this entry.

In my case, sensitive information was available in this db entry, so I chose to nuke it.

Andy Symonds April 16, 2010

Great write-up Chris and luckily (yes, I believe it is simply that, with so many high-profile sites having gotten owned) we have not had any of our or our clients’ WordPress sites compromised so far. Hopefully this will remain true with the well-known security measures we have in place, but like others I would really like an update as to how this has occurred if you find out anything more.

Chris Pearson April 16, 2010

As soon as I find out the root cause of the pharma hack, I’ll definitely post it here.

Zander April 16, 2010

Great post man.. I went through this nightmare yesterday, but mine was slightly different. I don’t think our hacker had DB access, so he was limited to hiding code in our theme files and such. It was really slick how he was able to make the code look innocent enough that I wouldn’t give it a second look. Took me the entire day to fix everything!

Chris Pearson April 16, 2010

Totally. That’s actually an “old-school” hack at this point—I’ve suffered no fewer than ten such bouts of theme file hacking. Although I don’t know for sure, I believe these hackers are able to embed links in your theme files because they access the file editor from within your WordPress admin panel (which is why they don’t need FTP access to do this deed).

Zander April 16, 2010

That’s what I thought at first, but the code in the theme files called other files that they dropped on my server.. Basically, they used a require(…) statement to call an external file that contained the base64 code.

A slick way to get past the Exploit Scanner plugin, and avoid immediate detection when we edited the theme files.

Nikolaos Dimopoulos April 16, 2010

I am always amazed by the ingenuity of hackers and that of the ones who prevent hacks.

Thank you for the informative post. I will definitely keep an eye on this attack for my blog as well as those of my customers.

Wendy Maynard April 16, 2010

What a nightmare! Thanks for posting this detailed description of what happens and how to fix it. Yikes – I hope I don’t have to deal with it. But it’s so good to know there is a resource if I need it.

Best, Wendy

Chris Pearson April 16, 2010

Wendy, I don’t know if you checked your database for any of the rogue entries outlined in Step 2, but doing so is certainly in your best interest. Don’t wait for the symptoms of the hack to show up; instead, check out your database to make sure the hackers don’t have a convenient way of exploiting your site.

Streko April 16, 2010

good post, can we now go frag noobs?

Chris Pearson April 16, 2010

Yes, n00b-fragging is imminent. Finally.

Streko April 16, 2010

About time.

Buy the stimulus package.

Chris Pearson April 16, 2010

Oh shiz, I haven’t even checked that out yet!

Streko April 16, 2010

noob.

Derick Schaefer April 16, 2010

Chris, thank you so much for the details on this. Based on the pattern approach, we are going to add pattern extension searches (blog owner’s choice) and hidden file lists to the next rev of WP-MalWatch. We were going to add a list of “decode” call references but based on the trick this hack used, we would be chasing the wrong thing. Any thoughts on systematically looking for patterns that the hook used to drop the decode call?

Chris Pearson April 16, 2010

Derick, Brian showed me your plugin last night, and after checking it out, I really think adding pattern extension searches and some db scrubbing (for known malicious entries and/or pattern matching) would be fantastic.

To answer your question about decoding specifically, the pharma hack placed edoced_46esab inside a database entry. In my case, this call was inside one of the rss_% fields, but I can’t say with certainty that all calls of this nature would occur inside rss_% fields (which only exist if people ran WP 2.7 or older at one time on a particular site).

Derick Schaefer June 1, 2010

Chris,

My bad for missing the reply. yeah, we just released the 2.0 version to WordPress.org this morning and it has file extension pattern searches. Database searches are the next level which we will get to.

I hate to say this but I love when smart people get pissed off (e.g. YOU) as it produces great insight on problems that need to be solved.

You can see features and download here. Nick Ohrn is the dev brains behind this.

Finn Kisch April 16, 2010

Thanks for a specific and thorough post, Chris. I spent fifteen or twenty hours and two failed fixes rooting out a pharma hack from our EndGame site. Although the symptoms of the hack were the same for our site, the causes were totally different. I’ve gone through your suggestions just to double-check.

In brief, the hacker installed a phpshell in our theme directory with the unassuming title “403.php”. The phpshell then granted access to pretty much everything else. A simple “require ABSPATH” line in wp-includes/general-template.php and a few files in the cgi-bin later, we were in the pharma business. I’m happy to email more details upon your request.

Still don’t know how the initial hack happened – we have multiple admins so I suspect a bad password. Seems like that’s the big mystery to everyone though.

We’re running a couple of plugins that finally helped me identify the issue: Theme Authenticity Checker (found the phpshell), Audit Trail (ID’d the time and IP address of the hack), and WordPress File Monitor (alerted me to change in general-template).

Hope that helps.

Brandon March 8, 2012

I had a similar attack with the 403.php file. Only there was also a “links.db” inside our wp-includes/images folder. The pharma links were pulled from there and there wasn’t anything inside our actual mysql database. Have no idea how it got there. I was a couple of wordpress releases behind, so maybe that was the problem.

sam April 16, 2010

You guys just set up your own IP access to your wp-admin and hosting only so that you are the only person who can access them.

frank April 17, 2010

usually the IP changes for DSL/dial in, so this does not work.

Yael K. Miller April 16, 2010

What FTP client do you use? I use FileZilla — I don’t think there is a way to display hidden files.

Lew A April 16, 2010

Yael, In FileZilla go to: Server -> Force showing hidden files

Lew

Augustine Fou April 17, 2010

it might be useful to check if people have and use WP-Supercache — when deployed, there is a warning screen that a single folder is writeable publicly and this could be the loophole that hackers are using to deploy files to a wordpress installation … just a hypothesis… thanks for the informative and thorough blog post.

Simon June 9, 2010

I have been wondering this same thing, Augustine…

Martin Bay April 17, 2010

Really nice post on how to identify and remove the WordPress Pharma Hack. I have just been looking through the plugin folders and everything seems OK. Hope you are safe now.

Martin

Dave April 17, 2010

Chris,
Nowhere else to ask this…

I see you are using Gotham as your title font…

I am using your excellent Thesis Theme and I note it is not available there. How do ya do it?

Best,
Dave

Chris Pearson April 19, 2010

Dave, the only place you’ll find Gotham on this site anymore is in the sidebar headers. These headers are served as graphics and not as actual text, so you’re actually seeing something that I produced in Photoshop rather than something generated by your browser.

Gotham is a commercial font that is only available from my favorite type foundry, Hoefler & Frere-Jones.

Randy Duermyer April 18, 2010

Great, thorough and very useful post. After I’ve checked my clients’ sites (and my own) I’ll save this in case something crops up in the future.

@randy_duermyer

Reply

allen miller April 19, 2010

Hi Chris. Sorry to bother you here but there is no email support on DIYThemes. My agency would like to purchase dev option Thesis however our corporate card is linked to another inaccessible paypal account. Do you have any other credit card payment options that don’t require signing up for paypal? Thanks much,

Allen

Reply

Chris Pearson April 19, 2010

Allen, you don’t have to be a PayPal account holder to purchase Thesis with a credit card. On the first checkout screen, there is a link on the left that allows you to purchase with a credit card, and from this point on, the transaction will seem like any other online where you pay with a credit card.

Reply

Joshua Dorkin April 19, 2010

Thanks for this post, Chris. I was attacked by some kind of pharma hack on one of my wordpress blogs, and have yet to find the culprit. The hunt continues!

Reply

Joe April 19, 2010

Chris…I need help. Someone has created a fraudulent blog, web hosted by you, claiming to be me. How can I get this removed? It is false and defaming. (Sorry to contact you here, but I could not find any other way to get to you.) Please contact me at my email address. Please, this is very hurtful to me and my family. lightspace101@yahoo.com

Reply

Chris Pearson April 19, 2010

Joe, whatever site you’re on says nothing about being hosted by me. It says the design is by me, and that’s because this offending person is using a free theme I created on WordPress.com. If you’ll instead direct your energy to the support team over there, you should be able to find some answers.

Reply

Alex Rodriguez April 19, 2010

Thanks Chris- Thank you for documenting this and sharing it with the world.

Reply

TheArchitect April 19, 2010

OMG, those are complicated tips for me. Can anybody explain a simpler way?

Reply

Jared Earle April 19, 2010

If this is too complicated, hire someone. That’s the simpler way you’re looking for.

Sometimes stuff is hard.

Reply

Allen Miller April 19, 2010

Thanks for the reply Chris. I’ve made some screenshots to prove that users are really forced to sign up for a paypal account to use a credit card in your DIY checkout.

Here is the link: http://afftraffic.com/checkout-diy/

Please advise. Thx

Reply

Chris Pearson April 20, 2010

Allen, you are being thrown off by the verbiage on that page. Although it says “Create an account or login,” you won’t actually be creating a full-scale PayPal account. Full accounts require bank information (routing number, account number, and verification), but the screen you’ve encountered does not put you through any of that. Simply go through with the transaction, and you’ll see what I mean.

Reply

Matt April 20, 2010

Geez…another thing we have to look for. Hopefully the next update will lock this down. Thanks man.

Reply

Robert April 21, 2010

I was hacked too. I find this file ‘abspath.php’ in the /wp-content/plugins/cforms/

Removed the file.

Reply

Jason Remillard April 21, 2010

Folks… Although ‘shaking your tallywacker’ at this stuff sounds like fun, why not just give yourself time for other ‘funner’ activities, and protect yourself in the first place?!?

We developed the WP-Secure-by-Sitesecuritymon WordPress security plugin for our customers – and released it free to the community.

This plugin will protect you from this ‘sneaky’ – but really weak ‘hack’ – and will also give you a malware and vulnerability scan – for free.

Check it out directly here or at our site.

Cheers and Enjoy yourself – safely :)

Reply

Brian April 22, 2010

I discovered the problem on a blog too – and I found it in various plugin folders – even in plugin subfolders, like a /js folder that should only have contained .js files.

Sociable was actually one of them too…

But I can’t seem to be able to clean out everything in the database. I deleted everything inside the /plugin folder, and started cleaning the database.
I get a lot of rows like these:
rss_3e0f35d9b97106aaefb4341e67c31adf

I clean them out, but they keep regenerating themselves and keep coming back.. Are they generated from something else than the malicious file in the /plugin folder?
Anyone had the same problem?

Reply

Chris Pearson April 22, 2010

Brian, any plugin that pulls an RSS feed could potentially be creating the database entries you’ve described.

When WordPress opted to go with a new type of RSS parser in version 2.8, they did away with MagpieRSS-style database entries that follow the pattern rss_%. However, I’m certain that not all plugin developers updated their RSS parsers, and that’s why some plugins still place this kind of entry in the WordPress database.

Personally, I would remove any plugins that output data in this manner, simply because they’re outdated. Also, now that you know database entries associated with these plugins are being exploited, what reason do you really have to keep them?

Reply

Brian April 22, 2010

I removed all the plugins – so it can’t be a plugin that’s causing the rows to appear…
Or at least I don’t think it’s a plugin – could it be a “leftover” from a plugin?
There didn’t seem to be any RSS parser in the plugins – just some translation plugins and SEO stuff.

Reply

Chris Pearson April 22, 2010

It was almost certainly left over from a plugin.

Reply

Brian April 22, 2010

Sorry to keep replying :-), but why do the rss_xxx rows keep coming, if I have deactivated and deleted them from the plugin folder.. ?

Chris Pearson April 22, 2010

If you’re running a version of WordPress prior to 2.8, then that’s the reason why. Make sure your installation is completely up to date.

Brian April 22, 2010

It is running the latest version – 2.9.2….
It keeps adding the cloaked title tags even with the plugin folder deleted..

Would a re-install of WP do any good ?

Brian April 23, 2010

I finally got it cleaned – that was rather a nasty round.
I found malicious code in the /wp-content/index.php file.
I found malicious code in some of the core files – even in the wp-config.php file, but that was a reference to another malicious file.

I did a re-install of all the files – deleted the WP core files and re-uploaded them. Then cleaned the database – all the malicious rows for me were the RSS_xxx rows.

Hope this helps a bit for other people too…

and Chris, thank you very much for the support and this great article..

Chris Pearson April 22, 2010

You’ve clearly got malicious files somewhere on your server. Check your root folder for these rogue files, and also be sure to check the content of your theme files (especially header.php and footer.php) for malicious code.

Reply

bryan keller April 23, 2010

Have you heard of this hack being exploited on any other CMS systems like Joomla?

Reply

Chris Pearson April 23, 2010

Bryan, I haven’t read any reports of other CMS platforms being affected. The pharma hack is extremely “WordPress-intelligent”—essentially, it looks like it was built to exploit WordPress installations and WordPress databases. Ultimately, WordPress is a good target for a hack like this because so many strong, high-ranking sites run it.

Reply

Ryan April 23, 2010

Excellent info, Chris. Thanks.

It really is amazing how many miscreants there are out there trying to hack sites. I never realized how bad it was until I switched from a shared hosting plan to a VPS.

I’ve resorted to blocking entire countries since some of them account for an alarming number of attacks. If you have a site or blog you care about, it’s well-worth paying attention to stuff like this.

Reply

Dimas May 4, 2010

Ryan, I also think that is one of the ways that a site would get hacked, many people simply set their directory permissions to 777 and forget about it.

Chris, did this happen to you while on a shared plan?

Reply

Chris Pearson May 4, 2010

Christ, no. This happened while I was on an $800/mo. dedicated box, and then the hacked files mistakenly got transferred over to my new box at VPS.net as well.

Reply

Eddie Gear April 27, 2010

Hi there Chris,

This is the first time I’ve come across such news of blogs being hacked. I will try the precautionary measures that you mentioned to make sure that everything is fine.

Thanks,
Eddie

Reply

Jacques April 30, 2010

Thanks for detailed article and solution (even making time to write (knowing how ‘challenged’ you are :-)).

Makes you wonder how secure plugins are… If you install them via the Codex, are they guaranteed safe? Do they scan/check those files?
I guess you’re on your own when downloading from the author’s site (either because of his mal-intent or his files might be compromised, unknowingly, as his host’s server security is not up to date, so they replace the download with tampered files).

It also calls for better security within WP or as a plugin – either from Automattic or a 3rd party. In that light, I feel the Security Scan would be a good starting point: it tells you which holes you need to plumb (even better would be the plug-in plumbing them for you).

My impression is, there are no structural security solutions yet – there are plug-ins, instructions to add/change stuff manually etc., but it is all scattered – not a one-fix-for-all.

I’m no programmer, but it would be great if some code-wizards would look into this…

Reply

Jacques April 30, 2010

Uh well… they must be reading your blog – and extremely fast coders, as Matt’s gang is working on this: http://vaultpress.com/signup/ – not free, though – but if you don’t make $30 a month on a few blogs combined, it might be time to look at ‘monetization’… Or just charge your clients $5/pm extra for peace of mind.

Reply

Diane May 4, 2010

yak! Horrid! And security scanning would be great – but surely google notices?

Reply

Maggie Brown May 6, 2010

Your explanation was thorough but as a newbie website owner and blogger, it was over my head. I’ll have my son’s friend who built my site help me with this – THANKS!!

Reply

M. Brown May 7, 2010

I was hit by this on my blog and couldn’t figure out a fix. Thanks – I’ll work on this over the weekend and hopefully I can send the Pharma Hack to the dark place it deserves…

Reply

Nancy Hutchins May 10, 2010

Well…super heads up on that one. Glad you caught it and fixed it and I’ve made a note about it…just in case I get popular enough that someone tries to take ME down :-)

Reply

Aaron Williamson May 10, 2010

Hey Chris, thanks for the helpful post — you led me in the right direction and I eventually cleaned out all of the offending files. But I wanted to offer a helpful tip that you didn’t mention. If you’re like me and have a bazillion WordPress installations on a single domain (don’t ask, I didn’t do it), looking through them all for plugins with wonky file extensions is more than a little daunting. Instead, you can look in the active_plugins option in the wp_options table — that will tell you which plugins are being run, and if you’ve got the pharma hack, you can easily pick out the .bak.php, etc. files there and go right to them.

Reply

haber michael May 15, 2010

thanx
This is the first time I’ve come across such news of blogs being hacked. I will try the precautionary measures that you mentioned to make sure that everything is fine.

Reply

James Covington May 16, 2010

Great security tip! I’ll definitely take preventive action to avoid this on my site!

Reply

Andy Stratton May 17, 2010

Chris – great post – this helped a lot while troubleshooting some sites in the wake of similar attacks of late. Thanks!

Reply

Greg Mariotti May 19, 2010

Can someone please help? I have been hacked by this same thing, but I can’t find anything located in my Akismet files. Everything looks good there…Please, any help is much appreciated.

Greg

Reply

Greg Mariotti May 19, 2010

sorry, my website is http://www.pixartalk.com so please take a look and let me know your thoughts.

Reply

Aaron Williamson May 19, 2010

Greg: read the post more carefully. The malicious code can be in ANY plugin. As I said, check the active_plugins option in the wp_options table for clues — in my case, the hack appended the malicious code to this field’s value.

Reply

Greg Mariotti May 19, 2010

Aaron..I suck at this..I’ve looked through all the plugins and don’t see anything weird with middle extensions such as old, bak or cache…

I’m using the file manager (with the hidden files option selected) with my host provider (bluehost.com). Is that sufficient to find these or do I need a proper FTP client? If so, what do you recommend?
What if I just deleted all my plugins? Would that remove it as well?
Would love any additional help you can provide.

Reply

Derick Schaefer May 20, 2010

Greg,

We have a new beta of our plugin WP-MalWatch that we are testing right now that does file scans for patterns and will turn up anything in your install. Contact me directly and I’ll get you a drop of it. The current version in the WordPress.Org site does not do the file extension pattern scans. derick [[at]] orangecaster DOT com.

Derick

Reply

ethan May 22, 2010

Hey Chris, thanks so much for putting together this detailed post. I’ve been struggling to find the root cause of this hack on my site for a couple of weeks. Looks like I may have finally killed it. Thanks again.

Reply

jordan retro May 24, 2010

Great post Chris. It ALMOST makes all the hell we went through (mostly you) worth while…

Reply

Shawn May 25, 2010

Well from what I have researched it seems like they only infiltrated certain hosting companies.

Reply

Joe May 26, 2010

I noticed some hackers put a small link on the header of the blog as well. This is horrible to fix sometimes. I had such a problem when I updated the main WordPress software and not the plugins.

Reply

evan May 27, 2010

I just noticed this hack also affects Bing search results.

Reply

evan May 28, 2010

So I did the db cleanup, fixed permissions, reinstalled all wp files, changed every password, ran security plugins, installed versions of all plugins, added extra .htaccess files based on ip, yet the malicious db entries keep returning every few hours. Any idea why?

Everything else is locked down.

Reply

Chris Pearson May 28, 2010

Evan, I can’t say with certainty why your db entries are returning, but one of two things is the case here:

  1. You haven’t located all the malicious files on your server
  2. You’ve been infected by a stronger, more resistant strain of the pharma hack virus (I think this is unlikely)

I went through a similar experience, and it turned out that I just had to scour my files a little more closely to locate all the offending garbage :D

Reply

evan May 28, 2010

Were the problematic files wp files or outside?

Reply

Chris Pearson May 28, 2010

I’ve found malicious files in the WordPress plugins folder and also in the root directory, which could technically be considered outside WP files.

Reply

evan May 28, 2010

Yeah, I saw a few bad files in the plugins folders and removed them. Most were hidden files, and came in pairs. However, I noticed other files being created that match the naming structure, but look like legit WP files (like the “safe” sample file you have above). These files start with db- or ext-, yet when the plugins panel within WP is loaded up, WordPress will throw an error, usually saying these files have been deactivated due to bad headers. I can’t seem to find much documentation on these files on the web.

They all seem to be widget-related files of some sort.

The search continues…

Reply

eyebeat May 28, 2010

I’ve been battling this hack for a week with no luck. It comes back. Today, I found this in the schema db:

SELECT *
FROM `information_schema`.`PROCESSLIST`
WHERE (
`ID` LIKE '%(edoced_46esab(lave%'
OR `USER` LIKE '%(edoced_46esab(lave%'
OR `HOST` LIKE '%(edoced_46esab(lave%'
OR `DB` LIKE '%(edoced_46esab(lave%'
OR `COMMAND` LIKE '%(edoced_46esab(lave%'
OR `TIME` LIKE '%(edoced_46esab(lave%'
OR `STATE` LIKE '%(edoced_46esab(lave%'
OR `INFO` LIKE '%(edoced_46esab(lave%'
)
LIMIT 0 , 30

Is this a backdoor to all of my DBs?

Reply

Chris Pearson May 28, 2010

eyebeat, that certainly looks like a backdoor—the backwards base64_decode strings are clearly a hacker’s footprint, and the code in question does appear to allow them to access whatever part of the site and db they want.

Out of curiosity, which host are you with? I have a schema database, too, but it doesn’t contain a PROCESSLIST table like the one shown in your sample code.

Reply

Roger November 2, 2010

Hi there, I have found a similar hack on other Dreamhost accounts. IMO there must be a weakness in their system, and they’re not fessing up.

Here’s the code I found from a search of the `information_schema`.`PROCESSLIST` database:

SELECT *
FROM `information_schema`.`PROCESSLIST`
WHERE (
`ID` LIKE '%tramadol%'
OR `USER` LIKE '%tramadol%'
OR `HOST` LIKE '%tramadol%'
OR `DB` LIKE '%tramadol%'
OR `COMMAND` LIKE '%tramadol%'
OR `TIME` LIKE '%tramadol%'
OR `STATE` LIKE '%tramadol%'
OR `INFO` LIKE '%tramadol%'
)
LIMIT 0 , 30

So I’m also waiting for a response from DH. I think they’re out of their depth on stuff like this or like I said, don’t want to admit to a vulnerability.

I’d appreciate any thoughts or tips on how to eliminate the hack.

Reply

sam September 8, 2012

I searched my entire WordPress database for the Clomid hack I was experiencing and found something in the options table which didn’t come up in the searches provided in this blog post. After I deleted it, the site was still having the same issue so I searched again, only this time in my information schema db. I am using Dreamhost. Indeed, this is what I have. Which part is safe to delete?

SELECT *
FROM `information_schema`.`PROCESSLIST`
WHERE (
`ID` LIKE '%clomid%'
OR `USER` LIKE '%clomid%'
OR `HOST` LIKE '%clomid%'
OR `DB` LIKE '%clomid%'
OR `COMMAND` LIKE '%clomid%'
OR `TIME` LIKE '%clomid%'
OR `STATE` LIKE '%clomid%'
OR `INFO` LIKE '%clomid%'
)
LIMIT 0 , 30

Reply

sam September 8, 2012

eyebeat, I’ve seen your posts elsewhere. Could you tell me how you resolved this? I am also on Dreamhost with the PROCESSLIST table hacked the same way as well by clomid.

Reply

eyebeat May 28, 2010

I’m on dreamhost and I just found this hidden file in one of the plugin files:

.fckplugin.cache

Is this the rest of the backdoor???

I’m exhausted trying to fix this.

Reply

evan May 28, 2010

There’s a WYSIWYG text editor called FCKeditor.

Did you have that installed at one point?

Reply

evan May 28, 2010

I just did a db search for %(edoced_46esab(lave% as well and found an entry in the options table disguised as an rss/magpie entry.

Reply

eyebeat May 28, 2010

So, can I delete those things in the process list? I contacted Dreamhost Support but I haven’t heard anything from them.

Reply

Chris Pearson May 28, 2010

I would wait on a reply from them to be certain that you won’t mess up anything else by doing this, but I do expect that you’ll be deleting those db entries.

Reply

eyebeat May 28, 2010

I have no idea if I had that installed. This file was in the wpg2 folder. I thought since it began with “.” that it was suspicious.

I’m an idiot and I’ll take all the pity and help I can get.

Reply

eyebeat May 28, 2010

Dreamhost says what I found isn’t real that it was generated by my search request. Could that be right?

Reply

Chris Pearson May 28, 2010

That sounds like hogwash to me. I think you should just delete those entries (but only the ones containing the backwards base64_decode code).

Reply

eyebeat May 28, 2010

Well, another part of the DH response was total hogwash. I didn’t share that. I responded to them by providing a detailed description of how I performed the search and what I saw at each point. We’ll see what they say next.

I did the search for this particular string after seeing a post about it on wordpress.org. In that post, they describe exactly what we have been seeing on our plugin management page. It made sense to search for it.

Following on this, I googled this type of hack and found youtube videos telling people how to do it.

Reply

Dog Owner May 29, 2010

I’m so glad I found this post. I was trying to figure out if converting my website to WordPress was worth it. Now I know that I don’t want to deal with nightmares like the one you had. I’d rather have an old-looking HTML site that is more secure. Thanks :)

Reply

Andrew Warner June 1, 2010

Chris, do you know who I could hire to help me with this?

I followed the instructions and it’s still there.

Reply

Chris Pearson June 1, 2010

Andrew, I’d be happy to have a look through your server and databases for free; if I can’t help you out personally, I’ll find someone you can pay to take your server through the wringer. I’ll shoot you an email about this.

Reply

Evan June 1, 2010

Is there any reason “xmlrpc.php” should change after wordpress has been running for a while? If not, I think I just stumbled upon something.

Reply

Chris Pearson June 1, 2010

Evan, I don’t know a whole lot about that protocol, but that definitely seems like strange behavior to me. If you’re able to dig any deeper into that, I’ll be curious to know what you find :D

Reply

Evan June 1, 2010

Yeah, I can’t seem to get rid of this hack at all. Now I’m forced to block IPs from China and elsewhere in hopes that stops it. I did notice this though. When re-uploading wp core files, I noticed that file had a slight difference. On line 27, this got replaced:

$HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);

with this:

$HTTP_RAW_POST_DATA = mysql_escape_string(trim($HTTP_RAW_POST_DATA));

I’ve also noticed a lot of hits to my admin files from my log files from the same ip. The ip appears to be a googlebot, but when tracing it seems like someone trying to spoof it.

I’d be happy to email you an example if you’d like to take a closer look.

Reply

Chris Pearson June 1, 2010

Evan, I blocked something like 180 different IP addresses while I was trying to remove the hack. Someone was pinging my server and running a trackback script that crippled this site’s performance, and this may have been how the perpetrator was getting in the door, too.

I’d definitely recommend you institute .htaccess-level IP blocking to help you solve this problem.

Reply

Derick Schaefer June 1, 2010

One great solution we found for a highly targeted blog was http://www.securelive.net ‘s WordPress plugin which does real time detection of an extensive list of known attacks and shares the IP address amongst all users of the product.

Here’s the downside. First, if the attack comes from a shared address (e.g. a university) you will lose traffic, and filtering degrades performance. If you have less than 100 concurrent users at any given time, this is a great solution. We have one blog that saw a 2200 concurrent user spike this weekend and we have to run an NGINX front end to handle the load. We also disable .htaccess and pull into the apache conf as htaccess is super inefficient under high loads. Thus, there is no way to scale and block known bad ipaddrs.

Performance and security is a fine balance and unfortunately sometimes you just have to run the risk.

Zander June 2, 2010

Chris,

Have you heard about any cases where a new administrator account was added to the system, with the username ‘amin’?

Came across this post, and we noticed the same thing happen for a cluster of sites we have hosted on one specific server. Wasn’t sure if it was Pharma related or not.

Reply

Chris Pearson June 2, 2010

I’ve seen some username weirdness in previous hacks (there was a big one in 2009 that involved rogue admin accounts), but I can’t say whether or not this kind of thing is related to the Pharma hack.

Reply

Zander June 15, 2010

Well, it turns out that this was an issue with our host (The Rackspace Cloud), and that THOUSANDS of sites were affected in this mess.

We’re still waiting to get an official explanation and everything from them, but they have confirmed that the issue lies with them. Talk about a nightmare!

Reply

Mike Wasylik June 2, 2010

I’ve got some really odd symptoms on this one.

First of all, I can’t find ANY rogue files whatsoever, nor any unexplained database entries. But for a Google search using the SITE: parameter and some well-chosen drug names, this hack doesn’t appear to infect my site at all.

But here’s the weirdest part: I go into Google Webmaster Tools, and view my site as Googlebot… and nothing. No spam, no hacks, nada. And I’m hitting the same pages that a Google search tells me ARE infected. I THINK Google’s re-indexed these pages already, although I can’t be sure.

So what now?

Reply

Chris Pearson June 2, 2010

Mike, I bet Google is showing you cached versions of those pages but not telling you that the page is actually cached. As long as your home page and sitelinks are not infected, I think you’re probably fine.

Reply

Derick Schaefer June 2, 2010

Mike,

I have seen this before. Here are a couple of things to do. First, go to http://www.submitexpress.com/analyzer and see what the various “bots” it simulates say. This will tell you whether it is simply Google’s cache or whether the hack is diverting crawlers only. If it comes up with your regular title, then you should be fine. If not, here are two things you can look at.

1) locale.php is a file used for languages and locales. I’ve seen where they drop in an encode64 (long ugly string) or simply spam links. Replace that file with an original from your version of wordpress or search through it and look for ugly stuff.

2) if you have SSH access, you can use the "cd" command to go into your wordpress install and use find /wp-content -name '*.*' -exec grep -l 'viagra' {} \; (where viagra can be replaced with the spam words you are seeing). This will list the file. Another search would be – grep "base64_decode" *.php which will pull any files with encode 64's in them. wp-app.php should be the only one pulled and it has two instances.

Let me know what you find.

p.s. – Chris, sorry for putting the word ‘viagra’ in your blog! LOL

Reply

Nissa June 7, 2010

Hi Derek, thanks for posting this. It helped me find the problem.

Three things to note – none of my infected files were in /wp-content, so this only worked for me when I searched for base64_decode in the root. Also, I’m a noob, so I didn’t realize that when I copied from the comments, I pulled the fancy quotes with it, breaking the ssh command. Changing all the single and double quotes to their plaintext versions worked perfectly.

And last, I also found instances of base64_decode in the class-simplepie and class-IXR, which seem legit.

Thought I’d note my changes since they seem to have helped and since others might run into similar problems.

Thanks again!

Reply

Derick Schaefer June 7, 2010

Nissa, I am glad to hear this. The attacks are nasty! Yes, stumbling around in SSH is not the funnest thing even for those who used to play a UNIX admin on an 80's sitcom (meaning, forgot more than I’ve learned in the past 15 years). :)

The beauty of blogs and communities is that people share and with all of this info we all find our way. Let us know what else you find and I will take a look at the files you mention and see how we incorporate them into future revs of malwatch.

Mike Wasylik June 3, 2010

Chris,

That’s what I’ve got my fingers crossed for – a lagging Google cache. I’m just trying to figure out if I’m infected or not, and it’s not easy.

Derick, Thanks for the link. I’m off to try that next. I’ve already grepped every file in my directory – including hidden files – and have found nothing so far.

Reply

Evan June 3, 2010

The first thing you should do before cleaning up the db entries and rogue files is to start blocking bad IPs. Check your logs for IP addresses cloaking themselves as google bot. Trace the IPs and if they don’t come back google, block them.

I saw the same IP address come through and hit all of my domains at the same time. After blocking that IP, I was able to clean out the hack. I have been going back everyday and checking logs to make sure they don’t start using a new address.

Reply

Nissa June 7, 2010

Thanks for this post and thread. None of the solutions in the post itself helped me, but one of the comments really did.

One thing I wanted to point out about my situation that I haven’t noticed mentioned elsewhere was that since I was verifying Google Webmaster Tools with a meta tag in the header, my site became unverified. That was my first clue about what the problem was, and it’s also how I know that I’ve (hopefully) successfully fixed it.

I didn’t have any of the obvious hallmarks – no files with funny names, no markers in my database, nothing. However, when I SSH’d in to my root directory and used this command:
find . -name '*.*' -exec grep -l 'base64_decode' {} \;
(make sure the single quotes aren’t fancy quotes if anyone tries to repeat my success)
I found a handful of files that included that phrase.

One was in root, and had a line of gibberish code (main.php). A line was in wp-load.php – with another line of encoded code. And a third was in a file in wp-includes called script-runner.php (easily confused for the existing script-loader.php) and it had a heck of a mess that appears to have been doing much of the heavy lifting.

There were a few other positives as well, but they seemed okay – I killed any plugins and extra themes that showed up, and replaced any WP files with clean originals.

So deleting main.php, script-runner.php and killing that line in wp-load.php seems to have fixed it. My site verifies again, which means Google is pulling the correct headers, which means hopefully the search results will correct soon. Fingers crossed.

Thanks a ton for your hard work, Chris, and to Derick Schaefer for posting the command that helped me find the source. Hopefully it’ll stay dead. Terrifying not to know how they got in in the first place, though. I’ve swapped the passwords I can swap.

Reply
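
The file search Derick and Nissa describe above, as an added example that is not from the original post or its comments: a scanner that walks a WordPress document root for the indicators mentioned in this thread (base64_decode, the reversed edoced_46esab spelling, spam terms, hidden files), catches hidden and extensionless files that find -name '*.*' misses, skips the core files both of them note legitimately contain base64_decode, and uses only straight ASCII quotes so it pastes cleanly into SSH. The directory tree it builds is constructed for the demonstration; the file names imitate WordPress but none of the content is real WordPress code.

```shell
#!/bin/sh
# Added example (not from the original post). Scans a WordPress-style tree for
# the indicators discussed in the comments. Read-only: it reports, never deletes.

# Core files that legitimately contain base64_decode (wp-app.php, class-simplepie,
# class-IXR are the ones named in the thread). Matches there are not flagged.
KNOWN_LEGIT='wp-app.php|class-simplepie.php|class-IXR.php'

# scan_wp_dir DIR : print "INDICATOR<TAB>PATH" for each suspicious file, sorted.
scan_wp_dir() {
    dir="$1"
    # -type f includes hidden files (.fckplugin.cache) and files with no
    # extension ("core"), both of which -name '*.*' would silently skip.
    find "$dir" -type f | while IFS= read -r f; do
        base=$(basename "$f")
        if echo "$base" | grep -Eq "^($KNOWN_LEGIT)$"; then
            continue                      # expected in core; skip
        fi
        if grep -q 'base64_decode' "$f"; then
            printf 'base64_decode\t%s\n' "$f"
        elif grep -q 'edoced_46esab' "$f"; then
            printf 'reversed-base64\t%s\n' "$f"   # strrev-obfuscated variant
        elif grep -Eqi 'viagra|tramadol|clomid' "$f"; then
            printf 'spam-term\t%s\n' "$f"        # spam words seen in this thread
        else
            case "$base" in
                .*) printf 'hidden-file\t%s\n' "$f" ;;   # dotfiles inside the install
            esac
        fi
    done | sort
}

# build_sample_tree DIR : constructed sample install used for the demonstration.
build_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-includes" "$root/wp-content/plugins/akismet" \
             "$root/wp-content/uploads/2008/03"
    # clean files
    printf '<?php\n// clean plugin\n' > "$root/wp-content/plugins/akismet/akismet.php"
    printf '<?php\nrequire_once("wp-load.php");\n' > "$root/index.php"
    # core files that legitimately use base64_decode (must not be flagged)
    printf '<?php\n$x = base64_decode($y);\n' > "$root/wp-app.php"
    printf '<?php\n$d = base64_decode($e);\n' > "$root/wp-includes/class-IXR.php"
    # constructed indicators of the kinds described in the comments
    printf '<?php\neval(base64_decode("Y29uc3RydWN0ZWQ="));\n' \
        > "$root/wp-content/plugins/akismet/.akismet.bak.php"
    printf 'cache\n' > "$root/wp-content/plugins/akismet/.fckplugin.cache"
    printf '<?php\n$s = strrev("))(edoced_46esab(lave");\n' > "$root/core"
    printf '<a href="#">cheap tramadol</a>\n' > "$root/wp-content/uploads/2008/03/thumbs.php"
}

# Usage on a real install (output only, nothing is changed):
#   scan_wp_dir /path/to/wordpress
```

Review each flagged path by hand before deleting anything; a hit in a plugin or theme file is a reason to replace that file from a clean copy, not proof on its own.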

Jehzeel Laurente June 7, 2010

this post just helped me today. damn that phrama hack! thanks chris!

Reply

Vincent June 13, 2010

Great Post! Just got rid of mine!! Seems it was a new variant of the pharma hack.. Gave up eventually and had to get the help of a coder that gladly did it for $25 (best money spent in a while).

Here is a list of the files that were infected in my case:

* in the root was a malicious file called “core” with no extension.
* wp-blog-header.php was infected
* a lot in wp-content/plugins/translator
* as well as in wp-content/uploads/2008/03/thumbs.php

Regards,

Vincent

Reply

Hans-Peter June 14, 2010

I got caught already twice with this garbage. Anyhow, I got this solved as soon as I started installing wordpress not with the default configuration. Just name the table – when installing wordpress – other than wp_ call it wp_342_xyz_ or so, this way they can not guess the tables. The second thing I do is to rename the user “admin”, helps too.
Glad you brought your website back. The tips are awesome.

Reply

Simon June 14, 2010

My site’s been infected for a little while now, but unfortunately none of the tips mentioned here have helped. However, I did find some suspicious-looking entries in my database:

None of the searches suggested by Chris yielded any results, but those files do look kind of suspicious. I don’t want to go deleting entries in my MySQL database without knowing what I’m doing, though.

Reply

Rhonda June 15, 2010

Thank you SO much for this post, it’s been a huge help! I’m trying to fix 2 wordpress blogs that have been hit. I went through one and found a bunch of the files listed here and deleted them. I then went to the submitexpress.com/analyzer that Derick above recommended and it’s coming back clean, where as the 2nd blog I haven’t touched yet still shows all the drug names and titles. So therefore I’m hopeful I’ve found the problem. :)

Searching on Google still shows the hacked results….typically how long does it take Google to re-cache results so I will know? Anything I can do to speed up the process?

Reply

Derick Schaefer June 15, 2010

Rhonda, that is great to hear. In my experience with this, a) you will not lose anything with the search engines or be penalized and b) it will take Google anywhere from 5 to 20 days to recrawl this. How can we help get Google’s attention? Twitter is a good start. Tweet out an “I got my blog back”. Keep it short and put the long link to your URL. Include @orangecast in the Tweet and we’ll re-tweet from a few accounts to get as many of those search engine crawlers on it as we can. No guarantees but that will definitely get bots on your site.

Reply

Rhonda June 15, 2010

Wow, Derick, thanks for the super speedy response! I’ll begin the anxious waiting game. :)

Reply

Sal November 16, 2012

Hello,
Thanks for the informative article about the 5 security tips to take in protecting a wordpress site. Unfortunately, I did not discover this until after my site was hacked.

Reply

John Richardson June 15, 2010

Chris, with the advent of Wordpress 3.0, will it be vulnerable to this attack or have they added new security precautions? Do we need to modify new installations (table prefixes etc) to help prevent this? Thank you so much for your help here. This thing has been a nightmare.

Reply

Michael Heald June 19, 2010

I just had to drop you a message to say thanks! I’ve spent the entire day trying to figure out what had happened to my site and this fix (at 2am) finally nailed it.

THANK YOU VERY MUCH!

Reply

Remi Christensen June 22, 2010

Good luck you found out so early. I had a site totally smashed with injected code so every time someone visited, they were getting malware on their computers, and because I was away on holiday for a month, when I came back home my site was delisted in Google, Bing and Yahoo. Took me quite a while getting it back up and running and I wrote to Google to please include my site again. But good luck, today it is no worry and I learnt the hard way. Never leave your site unattended for a month, no matter what rock you might stay under; it can hurt your business bigtime :)

Reply

Jillian June 28, 2010

Thank you SO much for your clear and concise directions. I have spent the last day and a half trying to clear this up.

Wow. Thank-you again.

Reply

Jillian June 29, 2010

I should also mention that my particular crank file was called ext-akismet.php …

Reply

giulio June 29, 2010

thanks, this is of great help.

beware malicious hacks can appear with *any* plugin!!

Reply

Rhonda June 29, 2010

So I’m back. :(

After following the instructions above I was able to clean the two hacked WP blogs I was trying to fix. However, they both got hacked again within just a few days; but WP 3.0 had been released the day I ‘fixed’ them, so they had been fixed on the old version of WP. I had also installed a few new plugins (a backup and a security plugin) and (stupidly) forgot to tighten down permissions.

So I run through the steps again, upgrade to WP 3.0, delete hacked files and make sure all plugin permissions are tightened. Running them through the metatag analyzer comes back clean. After a few days the Google search results are really clearing up; things look great, I think I’ve solved it.

A full week goes by and just for kicks I check the sites on the analyzer again, and one of the sites had been hacked again. I think I caught it early b/c the search results were still appearing normal. This time ironically enough it was the WP Security-Scan plugin I installed that got hacked. I’m really confused how, since it had the recommended 755 permissions, as did the entire plugins folder . The only thing I can think of is that that plugin hadn’t been tested/upgraded to work with WP 3.0.

I was able to again run through the steps, find and delete the files (I ended up deleting the security plugin, just in case of the version compatibility), and again things appear normal. Question is, have my fixes only been temporary b/c of the new WP version and incompatible plugins, or could there be more malicious code hidden that is causing this to keep happening, in spaced out intervals? I’d really prefer not to have to run this fix every week. :) Nobody still has any idea how this happens in the first place?

Reply

Derick Schaefer June 29, 2010

Rhonda,

I am sorry to hear you are having so many problems. I have seen this before. Generally, a scenario such as yours is the result of the hacker getting in at the hosting level, and if the hosting is shared it might not be on your vhost but they find their way in there. Not to belabor this comment, but we have a bunch of research we did and definitive proof that when you keep on getting hacked, hosting is the issue. We also switched up hosting and have a great solution working right now. Unfortunately, it is built on MT’s VE server which requires UNIX skills to make work.

Talk to your hosting company and/or consider shifting things up there.

Reply

Rhonda June 29, 2010

Wow, once again thank you Derick for such a quick response! Well I guess it would make sense that there is a hosting issue. These aren’t my sites, but I know the owner has had some issues in the past with Media Temple (current host). We’d talked about trying out a new company but I wanted to see if I could fix things before having to switch everything over to a new place. Looks like it might be the next logical step. Thanks again!

Reply

Evan June 29, 2010

I’m on MT GS and the only way I got the hacks to stop was to block bad IPs seen in the server logs. Only after that, I was able to clean out the hacks and stop them for good. Look for IPs trying to spoof googlebot.

Reply

Rhonda June 30, 2010

Grrr….got hacked AGAIN. Good news is I can ‘fix’ it very quickly now, but I don’t want to have to babysit this so much.

Any tips on how to spot and block bad IPs? I’ve never done anything like that or with service logs, but am very good at following directions. :)

Reply
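As an added example (not from the original post or from either commenter above), here is the check Evan is describing, written out: parse web-server access-log lines, pick out every client whose User-Agent claims to be Googlebot, and verify the claim the way Google itself documents, by forward-confirmed reverse DNS (the IP’s PTR record must land under googlebot.com or google.com, and that hostname must resolve back to the same IP). A spoofer can put anything in the User-Agent header; it cannot make Google’s DNS vouch for its address. The log lines, the fake DNS table and the IP addresses are constructed for the demo so it runs offline; swap in the `live_ptr`/`live_forward` functions to check a real log.

```python
import re
import socket
from collections import defaultdict

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not a real log. 66.249.66.1 plays the genuine crawler;
# 203.0.113.45 and 198.51.100.7 are documentation addresses standing in for attackers.
SAMPLE_LOG = """\
66.249.66.1 - - [29/Jun/2010:04:12:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.45 - - [29/Jun/2010:04:12:09 +0000] "GET /about/ HTTP/1.1" 200 4811 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [29/Jun/2010:04:13:30 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.45 - - [29/Jun/2010:04:15:02 +0000] "GET /feed/ HTTP/1.1" 200 9921 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def is_real_googlebot(ip, ptr_lookup, forward_lookup):
    """Forward-confirmed reverse DNS: PTR under a Google crawler domain AND
    that hostname resolves back to the same address."""
    host = ptr_lookup(ip)
    if not host or not host.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward_lookup(host)


def live_ptr(ip):
    """Real PTR lookup; needs network access."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(host):
    """Real forward lookup; returns every A record for host."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except (socket.herror, socket.gaierror):
        return []


# Offline stand-ins (constructed DNS view): only 66.249.66.1 has a Google PTR
# that also resolves back. The attacker's VPS has an unrelated PTR.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
            "203.0.113.45": "vps-45.example-hosting.net"}
FAKE_FWD = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_forward(host):
    return FAKE_FWD.get(host, [])


def find_googlebot_spoofers(log_text, ptr_lookup=live_ptr, forward_lookup=live_forward):
    """Return {ip: request_count} for clients claiming Googlebot that fail FCrDNS."""
    hits = defaultdict(int)
    verdict = {}  # cache per IP so a busy log does not hammer DNS
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "googlebot" not in m["ua"].lower():
            continue
        ip = m["ip"]
        if ip not in verdict:
            verdict[ip] = is_real_googlebot(ip, ptr_lookup, forward_lookup)
        if not verdict[ip]:
            hits[ip] += 1
    return dict(hits)


def htaccess_deny_block(ips):
    """Apache 2.2-style .htaccess rules blocking the given addresses."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    spoofers = find_googlebot_spoofers(SAMPLE_LOG, fake_ptr, fake_forward)
    print(spoofers)            # {'203.0.113.45': 2}
    print(htaccess_deny_block(spoofers))
```

On a real server, run `find_googlebot_spoofers(open("access.log").read())` with the default live resolvers and review the output before pasting the `Deny from` lines into `.htaccess` (on Apache 2.4 the equivalent is `Require not ip <address>` inside a `<RequireAll>` block). Blocking stops the spam-injecting fetches; it does not by itself remove the dropper file or the planted database rows, so the cleanup steps in the article still apply.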

Derick Schaefer June 29, 2010

Ironically, the grid service was one of the ones we found problematic. I really like MT and think the world of their VE offering but the general population grid was flagged on several fronts from our security analysis.

We’ve had zero issues from a security perspective and hit a high watermark of 2,600 concurrent users on their $100 a month offering. The $30 offering is good for 500 concurrent users which is plenty for most blogs. As I said, after over 3,000 different vulnerabilities were scanned for, we came back with 1 low priority issue that we knowingly introduced for performance.

If I can be of any help on the config, reach out to me on Twitter @orangecast

Reply

(mt) Travis June 30, 2010

We would be very interested to find out a little more about your security analysis of our (gs) Grid-Service. Would you be open to sharing your testing procedures and results with us? Obviously we don’t want to expose any of our customers to security breaches and we take every step necessary to close up any security holes in our system. If you’re finding something that we are not, this is something that we would be very interested in working to fix. Please reach out: travis at mediatemple dot net. I look forward to hearing from you.

Reply

Derick Schaefer July 29, 2010

Travis,

Sorry for not responding to this. I literally didn’t see it. I can connect you with the company that did the scans for us. They know their stuff and it is very affordable. Contact Mike Robinson in your own company as he has my contact info and can put you in touch with me.

I do want to re-emphasize your statement that you guys are committed to customer service and wouldn’t knowingly leave an issue out there. I’m definitely an MT fan!!!

Reply

Craig July 1, 2010

I’m on MediaTemple GS and I found some of the malicious database files (and deleted them), but I’m not seeing any weird stuff in the plugins folders. I also checked my “uploads” folder for .giff and .pngg files as suggested by a 3rd party Wordpress tech help outfit. Any advice on where this other nasty stuff is hiding?

Thank you, Chris and to everyone who is trying to help.

Reply

Pavel July 1, 2010

I discovered the problem on a blog too, and I found it in various plugin folders, even in plugin subfolders, like a /js folder that should only have contained .js files.

Sociable was actually one of them too…

But I can’t seem to be able to clean out everything in the database. I deleted everything inside the /plugin folder, and started cleaning the database. I get a lot of rows like these:

rss_3e0f35d9b97106aaefb4341e67c31adf

I clean them out, but they keep regenerating themselves and keep coming back.. Are they generated from something else than the malicious file in the /plugin folder? Anyone had the same problem?

Reply

Techtalkis July 2, 2010

One of our WP 3.0 blogs was getting hacked again and again in spite of us reinstalling with version 3.0.
Today I found the hackers’ code in option# wp_check_hash and # class_generic_support in the database like you stated in your post.

I have deleted them and hope that our blog won’t get hacked again :)

BTW these hackers are getting smarter day by day.

Reply

Shawn July 11, 2010

How are they getting into the database, do they have access to your server?

Reply

Derick Schaefer July 2, 2010

We just released WP-MalWatch 2.1.2 this morning. This includes a keyword scan for header, footer, and index.php files as well as a scan for general “monkey business” in the locale.php. If you configure the keywords for words like “cheap software” and “viagra” it will scan every night at 4AM and if they drop these in there, you’ll get a notice in the WP Dashboard and can go get them out.

Our next release will come crawl your blog like SubmitExpress and give you that info in your Dashboard so you don’t have to go visit that site. Probably a month out on that one…life is busy.

Reply

David Dede July 10, 2010

This pharma hack is very common nowadays and in addition to the tips provided, you should also look at other places for these spamming keywords.

-general-templates.php
-footer.php inside your themes.
-Inside any plugins, they are now “patching” valid files.

Also, as far as detection goes, we offer a web-site monitoring solution that detects those spams (along with malware, etc) and alert and fixes for you if your site gets hacked.

Reply

Cory July 12, 2010

This was SO helpful! I got one of my sites hacked and another site only mentioned the SQL command looking for rss_% but not the other commands or anything about the hidden files.

You’ve just earned yourself a return visitor in me :)

Reply

Forrest July 13, 2010

I had a very similar problem to the one you described, and I didn’t find any suspicious files but did have a swath of malicious MySQL entries. Thanks very much for this post. I removed everything, and used Cloaking Detector to establish that google is now seeing the correct info.

I have been getting a few reports, though, from users who say visiting the site has been and is still activating their virus protection; Google hasn’t unlisted us, and at least on my Mac, nothing virusy or otherwise abnormal happens when I visit the site (link in my name). It definitely corresponds timing-wise with the Pharma hack, but even though the google results are now fixed this still seems to be happening for some people.

Any idea what this could be? I’m a complete novice at internet security and have been doing my best to bone up. But it’s very demoralizing; I was so relieved to have finally solved the google problem, and now more e-mails that we’re triggering virus scans and trojan warnings. I feel overwhelmed!

Reply

Rich July 14, 2010

Silly question, but once I’m gone through all the steps – do I need to do anything to the posts for google to re-index them properly?

I’m guessing if I’ve successfully removed the hack, the slugs/urls of the posts will return to normal?

Thanks for all the help by the way.

Reply

Rhonda July 16, 2010

Hi Rich,

No, you don’t need to do anything except be patient to have google re-index your site. In my experience in dealing with this, the more traffic you have to your site, the faster the search results will clean up. If you haven’t, I’d recommend going to the meta-tag analyzer to make sure your site is clean and the correct information is being displayed. Then just wait for results to show on google.

Reply

Jeza July 19, 2010

Thanks for the tutorial. I’m constantly being attacked by the same guy over and over. I’ve secured the .htaccess file and now I’ll keep this tutorial for a just in case. Thanks chris

Reply

Darren July 22, 2010

Thanks for the post – just finished cleaning up a site of the same problem. Looks like the hack has changed somewhat. Here’s some notes:

- The hacked plugin was feedburner_feedsmith_plugin_2.3
- The extra file added was “ext-feedburner_feedsmith_plugin_23.php”. Note the extension “ext”

Finding the hacked file was rather difficult.

The first challenge was reproducing the hack so I could confirm that it was fixed. I tried changing my user agent (in Safari, via Developer tools) but that didn’t work. The best way I found was to use the “Fetch as Googlebot” Google Webmaster Tools. Using this tool I could enter a URL that I knew was hacked and it would fetch it as the google bot. I could then confirm that it had the spam inserted so I could be sure that whatever fixed the problem actually fixed it.

I then disabled all the plugins to try re-enabling them one by one to find out the hacked plugin. This didn’t actually do anything. In order to determine the hacked plugin, I moved all of them out of the plugins folder, confirmed via Google Webmaster tools that the problem went away, and then I started adding plugins back in one by one until I found the one causing the problem. I then redownloaded the plugin, and everything is back up and running again.

F***ing spammers!

Reply

Bratu Sebastian July 23, 2010

Well, that solves the hacking problem, and that’s why you should build your own blogging platform, if you have the expertise!
I am really thinking of making some tutorials on this!

Reply

Dave July 27, 2010

Wow, I didn’t realize this was a global attack. I had my site hacked back in the beginning of May, and quickly fixed things. And my webhost had no information to offer on the matter. Shows how “in-the-know” they are. Interesting thing I should note: my blog is set up as a sub-domain of my main website address, and yet somehow the hacker injected the pharma crap search results into my main website address (but nothing actually resided in the folder it was showing in search results). I ended up having to do a removal of about 500 URLs from Google Webmaster Tools. Keep your sites secure people!

Reply

Benjamin July 29, 2010

We’ve struggled with this mightily a number of times this year. Thank you so much for the post. One question, though. A number of people describe how the hacked files are named. But what do the files actually look like inside?

Reply

Derick Schaefer July 29, 2010

Benjamin, I hate to say this but it really depends. I’ve seen anything from encode64 contents that do nasty things to flat out PHP instructions. One thing you generally see in the code is some sort of redirect, placement of links, or title tag changes. They are usually looking to clip page rank or traffic for their online marketing efforts.

If you have been constantly struggling with this, you likely have a hosting problem. We’ve just finished backing out a vps build of Ubuntu that passes a scan test of over 3,000 vulnerabilities. On the server we got hacked on repeatedly, we had over 250 “vulnerability issues”. Once we got away from it, the world got better.

Reply

Benjamin July 29, 2010

Thank you, Derick. I wouldn’t call it a constant struggle, but it sure feels like it today (and yesterday)! We’re still cleaning up this one, but looking at my database backups today as well as seeing your comment about servers has me wondering something. Do you think my SQL backups of the database which are stored on the server might be a great place for the bad guys to store executable code? Do you think I should store the backups elsewhere, or is this the paranoia that’s setting in?

Reply

Derick Schaefer July 29, 2010

I don’t know that they’d be tinkering in the backups but you want to back up that entire WP install to somewhere with some 9’s of reliability. Amazon S3 is dirt cheap and with this nifty plugin it will take everything from plugins to themes and uploads plus the database and keep it safe. At $0.15 per GB per month, daily or weekly backups are a no brainer.

http://www.webdesigncompany.net/automatic-wordpress-backup/

One thing you can do is open the DB backup file and make a scan through it to see if they have messed it up. It is a text file so you can go through and remove things and then restore.

Reply

Mike Wasylik August 1, 2010

Here’s another link I ran across describing an instance of the pharma hack on Expression Engine. Worth reading.

Reply

Lennie Jarratt August 2, 2010

I have one of the hacks for the second time. I found it easily the first time, but can’t find the bad code this time. Any help of a code that can help would be appreciated.

Reply

Stefano Maffulli August 6, 2010

I think I found the entry point of the bastard. Before you start the cleanup you need to identify how the system got infected. After much struggle, I think I have found something very strange (see below). I will report my further findings.

http://maffulli.net/2010/08/06/getting-busy-on-the-blog-for-the-wrong-reasons/

Reply

Josh August 6, 2010

Hey Chris,

Thanks for the well-written post on the pharma hack. I had several blogs that were rocked by this cleverly disguised malware. I’m still working through some of the repercussions 3 days later.

Better yet, I already had the security tips you referenced in place, with the exception of the .htaccess file and I still suffered loss.

My advice for WordPress users is to download WordPress File Monitor. It tells you when any of your files (like JavaScript files) are modified.

Josh

Reply

carson August 9, 2010

Thanks for this tutorial, it save my butt on another site.

Reply

jenny August 18, 2010

Great post! Very informational for WordPress users like me; luckily I haven’t encountered “this” yet. The part about sneaking into your site to enjoy a hitch in the highest-ranking page really gives me the creeps. Well thanks for this and I’ve got counter measures.

Thanks A LOT!

Reply

Eddie Gear August 21, 2010

You will not be surprised if I said that I had one of my sites hacked in a similar way. I found Arabic characters or something similar at the footer of one of my websites. After extensive analysis, I figured out that one of the plugins that I used was hacked and it kept adding the text to the footer in spite of me deleting it many times.

Reply

Yuriy Romadin September 14, 2010

Hacked plugins are a very dangerous thing. Because of that, I don’t like to use suspicious plugins.

Reply

Dipankar September 20, 2010

I upgraded my plugins before I actually looked for the .cache.php kind of files. Now it is not there anymore. Is it safe to clear the database?

Thanks again for the great information.

Reply

Chris Pearson September 20, 2010

Dipankar, clearing your database is a major ordeal, and you do not want to clear the whole thing. Basically, doing so would require you to rebuild your WordPress site from scratch, and that’s probably not something you really want to do.

You can, however, clear out any database fields inside the wp_options table that fit the criteria I described in this post.

Reply

Dipankar September 20, 2010

Chris, the malicious entries in the DB kept regenerating and I couldn’t find any malicious files in the plugins folder (I looked elsewhere as well) and in the end, I saved my DB and then uninstalled WP completely and reinstalled it. This time when I deleted the malicious entries in the options table, it worked. It was a pain but quite a good lesson. I noticed that the site had been hacked when Google traffic drastically dropped.

Lastly, I checked as Googlebot and now I see that the pharma hack is gone. Google has reindexed my homepage and some other pages but I am waiting for the rest of my pages to be reindexed. Patience has its fruits.

Thanks again Chris for the awesome information.

Reply

Derick Schaefer September 20, 2010

Chris, I wanted to follow up on this post since in earlier comment discussions we had some discussions around hosting and specifically shared hosting vulnerabilities.

We did finally open HostCo to the public this summer and got a great review at the Blog Herald. As the Herald’s review states, each VPS goes through a scan of over 3,000 vulnerabilities from Site Security Monitor’s services and we’ve gotten our LAMP stack down to one low severity issue.

I can say that several of the blogs that have come to us this past quarter were having repeated issues with attacks and these went away after the switch.

Obviously, for a large part of the population, the price point of such hosting isn’t within the budget. I can say that the scanning and malware services of companies like Site Security Monitor are and that might be an option.

Reply

max engel September 21, 2010

i recently also found myself victim of this hack on one of my sites. i also noticed a corruption in the 404.php file in the directory for my theme.

Reply

Gary September 23, 2010

I thought I was the only one with this problem. Thanks for the info.

Reply

Eric Boyd September 29, 2010

Looking am/*was*/help? – to buy DIYthemes Thesis. I read this post about an hour ago. Guess what, the DIY website pops open a new tab automatically ( only showing DIY or maybe this one very briefly as it expands into view ) then POOF at full size and erect is a dinky pesky PHARMA website hocking its goods. 3x now! UGH, Yep, please update. I’m new and can’t deal with hackers. Code ok? I “probably” won’t be a ‘popular’ target for traffic jackers tho either. but, pesky, and not pro at all & i’ve got 2 clients to do work for yesterday. Time now 0110 hrs pacific Wed. 9-29-10 ->Eric Bravo – Now a full immersion wordpress newbie, not a coder.

Reply

Karen Hird October 8, 2010

This post has been so helpful. My site is not a WordPress site but a PHP site. This I found very strange and would love your comments on it. The problem now is that I have removed the hack and changed hosting companies to a more secure environment. The problem is the aftermath: I am left with a site that shows the hack in the title tag when you type in http://www.caremorstairlifts.co.uk, the pharma viagra title, and it is still there in the cache.

My question is when will this disappear for good, and when will i get my ranking back. After all we all rely on the business our sites produce and i have no enquiries at all this week.

Reply

Cindy K October 17, 2010

Thanks so much. Mine came in on Akismet. I remember an update a couple of days ago. Maybe it wasn’t genuine?

Also, may I add the date of the file can be very helpful. There had been few changes over the last couple of months, so I only had to search those plugins after the date of concern.

The rogue file was named legacy.akismet.php I deleted it, but think as a precaution I will completely uninstall and then reinstall the spam filter. (Not at all happy with Akismet, btw, but there seem to be few options.)

Now I get to go play in my database. I hate playing in my database. *whimper*

Reply

Sumon Khan October 24, 2010

It’s really great and awesome! Thanks for sharing this!

Reply

Angela October 24, 2010

Hi,

Thanks so much for taking the time to write this out. I have this going on with my site, but it’s only happening on Bing, not Google. Do you know of a Bing Spoofer? Thanks!!

Reply

Phillip Niemeyer November 30, 2010

I spent the weekend (late November 2010) removing a pharmahack from a WP blog, and could not have done it without this post and all the comments. Thanks!

The pharmahack I removed was not in the plugins folder. The hack files were placed in random parts of the WP directory: both core WP and in the Content directory. The wp-blog-header.php was corrupted.

I found three bogus files in the Twenty-Ten theme that comes packaged with WP 3. Some of the malicious file names:
func.php, ajax.php. I located the files by checking the date stamp of their last modification.

I am far from a computer pro. I could not have solved this without resources like this. Hope this comment helps someone else in turn.

Reply

James Marshall Berry December 3, 2010

Could all this have been avoided by making sure passwords for the DB and the login were secure? 10 characters, no real words, Upper and lower + special characters? Just wondering.. We dealt with this last year with FTP into webservers.. the hacking was brutal..

Reply

Bill December 7, 2010

hey thanks for the advice, we use wordpress for our blog so i am sure it will come in handy. I have bookmarked your site for later

Reply

Tim December 10, 2010

Thanks for the tips. I have had the comments hacked or spammers hack whatever it is where you get tons of spam comments and was wondering what everybody might be using for a spam filter besides the default WP? I’m going to install one of the spam filter plugins hopefully it works better :)

Reply

Prakash December 15, 2010

Hey Chris,

Nice post as always buddy. Great job of posting this sweet tutorial which has the more informative notes on how to diagnose & remove wordpress pharma hacks. It also has the effective steps & clear illustrations which make me clear with it.

Thank you so much for sharing such a wonderful posting. Keep on posting good stuffs like this always.

Reply

zach December 21, 2010

Thanks for the tips. It’s kinda ugly & damages our reputation if we do not remove that pharma hack…. thanks again…. Can I share your article with my fellow friend?

Reply

Patrick Adair December 22, 2010

Hi all, I hope I’m not entering the conversation too late. One of my sites got ‘pharma-hacked’, and I’m a curiously vindictive bastard, so I decided to do a detailed analysis and rewrite of the pharma hack source code to see just exactly what it did.

It’s an interesting read, and I hope the information I managed to get out of it will help people figure out how to deal with these hackers and stop them.

Or it could just be an interesting read. :P

You can read the analysis here.

Reply

Alex December 31, 2010

Thanks for the post: your article provided a working solution to this problem. Considering the time i wasted on repairing a blog of mine, I seriously hope nothing good happens to whoever created this.

PS. Happy new year to you.

Reply

Guy January 1, 2011

You’re a genius man!! I’m not computer savvy but the fact that you posted this site in 2006 and you’re still on top says it all. I recently came up with my own new product. It hasn’t yet been found on the web and I’m in the beginnings of marketing my product locally. My business consultant thinks it will go National and possibly International. Not one person has said anything negative about it and I know that a decent website and being on or near the top of the first page is key. I bet you’re a busy guy but if this thing goes like everyone says it will, I’d like for you to build my site. Keep up the good work.

Reply

ArrGorilla January 11, 2011

Hi Chris, I had one site that I noticed had similar problem after reading your post. My site was not a popular one, but was a leftover site for a while. The hacker hacked into my site and put these links as h1 title in a WordPress hook.

When I realized this, I was completely shocked. I had been hacked. I changed my password to a strong one and removed the titles from the hook.

Reply

Bradley January 11, 2011

Thanks for taking the time to do the full write up with step-by-step instructions. A site of mine just got hacked and I followed your guide to the letter and hope it’s all gone. I’m going to go follow the prevention measures now …

Reply

Tom January 16, 2011

Didn’t see too many other ways to contact you Chris, so I’ll just start here. Just took over helping clean up our company site and database at work after problems with Help Me Rhonda & Goldstein Media (the initial design firm) proved to be unscrupulous and downright dishonest. Not completely familiar with your theme, but I need to be…at least till we find someone else to manage it.
We’d like to know if this site has been registered with you, or has a string embedded which will identify this as a paid theme (either single or developer’s license). Reason is we’d like to verify its validity, then get the upgrade to 1.8 and access to the support forum. We paid way more than $87 for this theme. Hoping you got yours and we can get a little support. Tom

Reply

Chris Pearson January 17, 2011

Tom, your site has not been registered with us (because we register users and not sites). The only way we can cross-reference an account is by having the username or email that the person who bought Thesis used when they signed up. If you have further comments or questions on this matter, please direct them to diythemes@gmail.com. Thanks!

Reply

Tom January 16, 2011

PS: good article on the Pharma Hack. I had to deal with it twice last year, and our host wasn’t much help.

Reply

Dan January 26, 2011

At my web design company we do WordPress blogs every day. I am surprised that such a large-scale hack can do all of this. Thanks for the very detailed solution to this problem. If this ever comes up I will know what to do.

Reply

Friendworx January 31, 2011

Hi chris,

thanks for that article. It was very helpful. We have been looking for a solution to solve that problem since we use Wordpress as a cms for our customers.

Reply

ik February 6, 2011

Bookmarked!!! great post…
thank you for sharing!

Reply

Danny February 7, 2011

This hack is just crippling. Thank you so much Chris for being a guiding light for all of us that need your help.

Reply

sidney February 17, 2011

my blog has been pharma-hacked :( :( i did all the steps but wasn’t able to find any malicious files in the Akismet plugin folder or any of the rogue database entries you suggested search for in phpMyAdmin. what do i do now???

Reply

sidney February 18, 2011

the only hidden files i found in the Akismet plugin folder are “admin.php” and “legacy.php”…are those malicious files?? they don’t look malicious according to what you suggested to look for in Step 1.

Reply

Colin February 19, 2011

So I found the obvious malicious files, either the .bak or some stuff with base64 in it. I deleted all those. I also cleaned out all my plugins and can’t find anything there.

I also deleted all the bogus database entries that came up. It’s been 24 hours and those entries haven’t regenerated. Does that mean I killed this thing, and that my rankings in google should start to correct as they re-index, or is there a chance I’m not in the clear yet? I can’t say for 100% I deleted all the malicious files–but I think so.

I hope this is gone. I didn’t notice for a long time, and then I suddenly found out why I had lost more than 50% of my traffic.

Reply

معاكم February 22, 2011

Great security tip ! I’ll definitely take preventive action to avoid this on my site !

Reply

codesmith February 24, 2011

Thanks so much for this helpful post and comments – we just noticed we got bit by this. Not sure when it happened. A few more tips:

1) This is a great troubleshooting tool (without having to sign up for Google Tools) to view your site and test whether you have, or have fixed, the problem. Just enter your URL and then put in ‘Googlebot’ for the User Agent. Then look through the resulting code to see if you see the tag being rewritten.

2) We had malicious wp_check_hash, class_generic_support, and rss_7988287cd8f4f531c6b94fbdbc4e1caf entries in our wp_options table. These were being loaded by a deactivated wp-twitterbadge plugin via an extra (not part of the original package) db-twitterbadge.php file in the plugin directory. Note: the date/timestamp had been changed to match all the other files in the directory, so I would not have found this by just looking for a more recent file change.

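The Googlebot check codesmith describes can be scripted rather than done by hand. The following is an added example for this thread, not code from the post or from the tool codesmith mentions: it fetches one URL three ways (an ordinary browser User-Agent, the Googlebot User-Agent, and a browser User-Agent with a Google referer, because some of the rewrite rules reported further down in this thread key on the referer as well) and diffs the `<title>` and meta description each variant received. The sample HTML at the bottom is constructed so the comparison runs offline; the User-Agent strings are assumptions of this example.

```python
"""Cloaking check: same URL, three request variants, compare what came back.

Added example for this comment thread, not code from the original post.
The pharma hack only rewrites <title> and description for crawlers, so a
browser request is the baseline and any variant that differs is suspicious.
"""
import re
import urllib.request
from html import unescape
from typing import Optional

# Assumed User-Agent strings: an ordinary Firefox UA and Googlebot's published UA.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SEARCH_REFERER = "https://www.google.com/"

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
DESC_RE = re.compile(
    r'<meta\s+[^>]*name=["\']description["\'][^>]*content=["\']([^"\']*)["\']', re.I)


def extract_head_text(html: str) -> dict:
    """Pull the two fields the pharma hack rewrites for crawlers."""
    t = TITLE_RE.search(html)
    d = DESC_RE.search(html)
    return {
        "title": unescape(" ".join(t.group(1).split())) if t else "",
        "description": unescape(d.group(1).strip()) if d else "",
    }


def compare_variants(pages: dict) -> dict:
    """pages maps a variant label to the HTML fetched for it.  The 'browser'
    variant is the baseline; any variant whose title or description differs
    from it is reported as cloaked."""
    fields = {label: extract_head_text(html) for label, html in pages.items()}
    base = fields["browser"]
    cloaked = sorted(label for label, f in fields.items() if f != base)
    return {"fields": fields, "cloaked_variants": cloaked}


def fetch(url: str, user_agent: str, referer: Optional[str] = None,
          timeout: float = 15.0) -> str:
    """Plain urllib GET with a chosen User-Agent and optional Referer."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def check_url(url: str) -> dict:
    """Live check: three requests to the same URL, then diff what came back."""
    return compare_variants({
        "browser": fetch(url, BROWSER_UA),
        "crawler_ua": fetch(url, CRAWLER_UA),
        "search_referer": fetch(url, BROWSER_UA, referer=SEARCH_REFERER),
    })


# Constructed sample responses standing in for a hacked page (no network needed):
# the crawler sees a rewritten title, the other two variants see the real page.
SAMPLE_PAGES = {
    "browser": "<html><head><title>My Blog</title>"
               '<meta name="description" content="Notes on web design"></head></html>',
    "crawler_ua": "<html><head><title>Buy Cheap Pills Online</title>"
                  '<meta name="description" content="Notes on web design"></head></html>',
    "search_referer": "<html><head><title>My Blog</title>"
                      '<meta name="description" content="Notes on web design"></head></html>',
}

if __name__ == "__main__":
    import sys
    result = check_url(sys.argv[1]) if len(sys.argv) > 1 else compare_variants(SAMPLE_PAGES)
    for label, f in result["fields"].items():
        print(f"{label:15} title={f['title']!r}")
    print("cloaked variants:", result["cloaked_variants"] or "none")
```

Run it with a URL argument to test a live site; with no argument it runs against the constructed sample. A difference is a strong signal, but not proof of infection (some sites legitimately serve crawlers a trimmed page), and a clean result only covers the triggers this script sends.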
Bruce February 25, 2011

I think we have been hit on a blog we own. To be honest I have not been near this blog for a while, but I did notice a large drop in search engine traffic not being passed on from this blog to my other blogs etc.

I think we have got it clean, but my biggest problem now: when I change the file permission settings (yeah, I know, I forgot to alter them after install etc.), my blog disappears and is not viewable.

Any ideas would be appreciated.

Christy February 28, 2011

Mine was hit; I noticed over the weekend. I’ve looked through plug-ins and my database. I’m not seeing much. I’m going to be mighty pissed if this impacts my rankings. Not that my rankings are even worth hacking. Argh!

Dana March 10, 2011

Hi there,
I don’t know if I belong here. I googled a problem I was having, “Hackers sending emails for Canadian Pharmacy”, and your blog popped up and I can see you have helped tons of people. I am just a mom who’s overwhelmed and does some fb, email, and online homework. Have a little netbook and don’t know much about computers really. When I realized I had been hacked, I changed my password immediately, notified contacts, and got a new email address. I have McAfee security which says I have no threats, but they didn’t pick up on this either… Do I need to do anything else? This was such a time-consuming royal pain that I want to educate myself to avoid it in the future. I use gmail and have been happy w/it but read that it’s more prone to this specific hack technique. I tried a hotmail account but I am rural and use GSM and the email was SO SLOW that I went back to gmail which is like lightning compared. Well… any advice is greatly appreciated. Thanks!

Roger March 15, 2011

@Dana

This post and thread mostly address a hack of Wordpress blogs. This hack causes issues with a blog. It sounds more like you are having trouble with email. Most likely you have a virus or trojan on your computer. Hackers are adept at getting around security. You might want to try another security scanning app. AVG is free. Also be sure to update your PC OS (Windows) as often as possible since they patch breaches.

Luke March 27, 2011

Thanks for taking the time to write the detailed step-by-step instructions. A few of my sites really needed this to be done to make sure I don’t get hacked … Thumbs up!

Tom March 28, 2011

I’ve also discovered malicious code planted in unused theme folders, in the 404.php and footer.php files. I traced these when I found a request to /unusedtheme/404.php in a server log. It had a line of semi-obfuscated code with md5 and base64_decode functions. Details here.

Scott April 2, 2011

I purchased the Thesis Theme over a year ago, and I’m having problems figuring a few things out. First of all, I wanted to upload a custom header but I don’t see anywhere you can upload a custom header. According to the help section, there is supposed to be a way to do it, but I’ve spent several hours and am not able to do it. Also I lost my username to log into the Thesis support section. When I put my email in the box to get my lost details it says that an email was sent with my login information, but I never get an email; very frustrating to say the least. Some help would be appreciated.

Chris Pearson April 4, 2011

Scott, I sent you an email with your DIYthemes username and password. This article should help you upload a header image (the header image sub-panel link is in the Thesis section of your WordPress dashboard menu).

Scott April 4, 2011

Thanks for the responses Chris. I’ve read that several times, but I don’t have that option (or I’m blind as a bat). I don’t have a “Header Image Sub panel.” I’ve come to the conclusion that Thesis 1.6 doesn’t have a header image sub panel; is that correct? From what I’ve found, I need to do it the hard way (CSS, custom file, etc). Am I on the right track?

Chris Pearson April 5, 2011

Scott, you gotta upgrade to Thesis 1.8! Haha—I had assumed you were running the latest version, as that’s a prerequisite for a discussion like this.

Scott April 5, 2011

Thanks for the lightning quick response Chris. One other question…When I bought the Thesis Theme, I remember it said something like “Lifetime Thesis Upgrades.” Doesn’t that mean I should get upgraded to Thesis 1.8? If not then what exactly does that mean?

Chris Pearson April 5, 2011

Scott, that means that you can log into the DIYthemes website at any time and download the latest version of Thesis. On the downloads page, you’ll find a helpful video that will guide you through the upgrade process.

Scott April 5, 2011

Thanks again for your “faster than a speeding bullet” response Chris. You might have just saved my life, or kept me from spending thousands of dollars in psychology doctor expenses. The thought of having to manipulate files through CSS and PHP (among other complicated jargon) to upload a header, when the rest of the Thesis world is able to do it through the header sub panel, was enough to put me over the edge. I now have a new lease on life thanks to you and Thesis 1.8. Thanks Chris…”You da man!” (-:

Chris Pearson April 5, 2011

You’re quite welcome, Scott—I’m glad you’re on the right track!

Sam Ni April 8, 2011

Thanks for the tutorial. I’m constantly being attacked by the same guy over and over. I’ve secured the .htaccess file and now I’ll keep this tutorial for a just in case, thanks Chris.

Fraser Hannah April 12, 2011

We mainly use Joomla as a CMS but do have a couple of WordPress sites that we have developed for clients. I had never really given a lot of thought to WordPress security, until now! Thanks for the information.

Karen Hird April 12, 2011

Can anyone help me with this problem I have? I have a WordPress site and the site has risen in ranking, but traffic has dropped significantly. I have checked my code and can’t find anything in the code of the site, but I have run my site for ten years and always have enquiries on a daily basis, and now nothing for a week.

This just does not make sense. I thought my site had been hacked and I still think in some way it has, but this is above my head and I don’t know where to start. Checked my htaccess file and all seems ok (I am no expert, but the 301 redirects all seem fine in there).

Roger Harris April 12, 2011

Karen,

Check your analytics (you do have analytics, right?) to check your source of traffic. If search engine traffic has dropped suddenly, you could have been removed from an index for some reason. Usually this is because of a hack, and the SE has detected malware. Sometimes a hack is not visible in your code. Type in your top keywords, including your website name, and review the results. I had this problem with one of my sites. Traffic fell off, but went back up after I fixed it. Hang on in there!

karen hird April 12, 2011

Just done a ranking report in Google and all my rankings on major keywords have moved up 2 to 5 places with the Farmer Panda change. So traffic is there: 40 visits yesterday, 35 today.

Any other suggestions? Had the Pharma hack last year so I know all about that one, it was awful, but I have checked all the code (as have two other web guys) and the htaccess file, and all looks clean. Something is wrong. I use plugins as forms and I am wondering if it has anything to do with the forms being hacked.

Hafid April 15, 2011

Well, nice. I’ve been asking you about this Chris: when I search for ftp_credentials, I’ve found “ftp_credentials a:3:{s:8:” … ” so what am I supposed to do… delete it? Or how…

Joseph Hewes May 4, 2011

Cheers for the heads up on this one Chris - gonna check my plugin folder right away! Oh and thanks for the template - may well look into installing Thesis later on today.

Ian J Young May 18, 2011

Thanks for this. One of my WP sites had been hacked, and in the wp-includes folder was a class-php.php file. That was the culprit, along with some crap in the wp_options table.

Guess I will have to work my way through all my clients’ sites including my own!

kredacter June 21, 2011

When you identified which rss_% entries not to delete in a WordPress database, you did not include rss_use_excerpt. From scanning Google this appears to be a legitimate entry, involving a Firefox RSS feed. Any clue whether this is correct? If so, it should be added to your list.

Chris Pearson June 21, 2011

kredacter, I mention rss_use_excerpt as a legit entry within the same bullet point that I mention the rss_% ;)

kredacter June 21, 2011

Chris– Thanks for getting back to me. You are so right. I must have read right over it. Also a big thanks; my sites had the pharma hack just as you described and I was able to remove it using your instructions. It took me a while to find your site, but it’s bookmarked now. And I will definitely recommend it to others.

Khalid Muhammad July 10, 2011

Hello Chris & Derrick,

I have this pharma hack on my company website and have done all of the things advised in this post but am unable to find where the hack is and thus, how to fix it.

I caught it when I did a search on Google and found all the titles and descriptions had been changed to pharma information.

I have checked the following:

- Akismet plugin folder
- all other plugins
- theme folders
- the wp_options table (although it’s called something else in WP 3.2)
- header.php
- footer.php

Can one of you help me out if I give you access to my admin and mySQL database?

Fred July 12, 2011

I still don’t understand how the “hackers” got access to your FTP and of course phpMyAdmin, through which databases can be controlled. Yeah, I know you will tell me that your site was hacked, but what I am trying to know is how, in order to prevent our WP-powered sites from being hacked. Still, it’s a nice read even if you don’t bother to answer my queries.

Martine August 6, 2011

I found the suspect file among the core WordPress files; it was called upg.php.

It started out as follows: <?php # Web Shell by oRb
$auth_pass = "";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace(…

I have no real understanding of PHP – should I be looking in the database for something called "FilesMan"? I haven't found anything in there as listed in your blog.

Thanks for writing this blog.

faxianhu August 13, 2011

It’s an interesting read, and I hope the information I managed to get out of it will help people figure out how to deal with these hackers and stop them.

Jonathan C August 29, 2011

Great article and very detailed solution to the Pharma hack, however, avoidance is by far the best strategy and locking down your htaccess file seems to be an easy yet effective preventative measure that should be pointed out to anyone reading this post.

miguel valero August 31, 2011

Thanks. I have this problem right now; I’m going to do all you wrote and I hope to resolve the problem this way. Bye for now.

Matt Fraser September 2, 2011

Chris,

This is a great post on identifying a “pharma hack”.

Sorry to hear you got hacked but thanks for sharing how to clean it up and fix.

That being said, I’m about to release a Wordpress Security Product called Wordpress Security Lockdown.

You can check out the pre-launch page at http://www.howtosecurewordpress.com

If you’re interested in a review copy, let me know.

Regards,

Matt

Rahman September 2, 2011

Thank you for sharing the information and how to deal with the issue.
I’ve bookmarked this post to use it later in my periodic maintenance. Just a question out of curiosity:
How could Akismet be useful in preventing this hack?
Thanks for the reply,
Rahman

Frank September 12, 2011

Just found a new version of this on one of my sites. It uses the wp-includes directory and doesn’t seem to have inserted any of the code you mention into the db. What it did instead was place rss-widget.zip in my uploads directory, and then insert an include in theme.php (in wp-includes) for a file called rss-counter.php. This file was full of evals and base64_decode calls. Anyway, it’s gone for now. Anyone else have a similar experience? I’m wondering if I’m missing something in the db.

Mark September 16, 2011

Hi Chris
Not sure if this thread is still running or if you’re checking in, but it looks like I was hit by this hack a few weeks ago and am still feeling the wrath of it.

I couldn’t find any of the rogue elements and have run the various diagnostics that have been mentioned in the thread and everything seems to be back on track now.

The only thing that remains to be affected is the actual google results, which appear to be a cached version of pretty much every page on my site.

I’ve asked for the cache to be cleared and the site to be reindexed via google webtools but I don’t know if there’s something else I should do.

In your first steps you mention that the removal of certain files will bring your results back into order, however as these files weren’t there I’m not sure if there’s something else I can do…

Help!!!!

(Thanks for the post btw… I’d have been completely lost if I hadn’t been pointed in this direction!)

Marie Gronley September 17, 2011

Very interesting article and something to re-read. We are going into our filezilla and going to check for these files! Thanks for the heads up!!!!

Marie Gronley September 17, 2011

Great I just checked my plugin folder and I am clean!!! My husband has 12 other sites he needs to check especially since he goes hog wild with downloading every plugin under the sun

tom altman September 22, 2011

It appears they may have upgraded this hack. I’ve been affected and I’m pretty sure they did access the database at all.

Anyone notice any other variants?

eric October 7, 2011

To pick a nit: If you don’t know how the exploit worked, you don’t know that people can prevent it in the future using the methods outlined in the linked post. Mind, they all seem like reasonable things to do, but from what I’m seeing so far it sounds to me like the most likely problem is a combination of inadequate directory permissions and some code-cleaning weakness in Wordpress.

Bob October 12, 2011

Another place to check is in your index.php file in the root of your wordpress install.

I found the following there
[code]
include("js/wp-admin.php");
[/code]

js/wp-admin.php was a script that ran
[code]
header("Location: http://www.example-site.com/lorazepam.html?aid=vleup");
[/code]

Scum…

Bob Dickinson October 20, 2011

Does this impact my indexing and SEO? I didn’t find any files in the public html but still having problems

Damian November 7, 2011

Would just like to say thanks for this post, we looked in our akismet folder as suggested by you and guess what was in there :(

this saved us a lot of time and this is our thanks for this great post

Daniel November 17, 2011

Wasn’t aware this was even possible

Stuart December 9, 2011

I had several blogs that were trashed by this malware last year and I am working on a client’s site that has this problem. To prevent this malware hitting your site I downloaded WordPress File Monitor. It tells you when any of your files are modified. Just my two cents!

Eagle Locksmith December 15, 2011

I haven’t been hacked yet but heard about this. This is a good source to bookmark. Better safe than sorry. Thanks for posting this.

Mike December 21, 2011

Thanks for this awesome article. I was hit with this and was able to find a file with the bit of base64 code in it and removed it but did not find anything in the wp_options table of the database looking like the possibilities you mention.

Any ideas?

Haneef Saleem January 16, 2012

Hello,
Thanks for the informative article about the 5 security tips to take in protecting a wordpress site. Unfortunately, I did not discover this until after my site (macleem.com) was hacked. Now if you try to visit any of the site’s legitimate subdomains or even an invalid one it redirects you to a viagra or pharma site. For example, a legitimate subfolder gets redirected to the viagra site…or if you try a similar folder that doesn’t exist, it will take you to the same viagra site.

At this point I am not convinced that the hack is integrated with WordPress, since the WordPress blog does not sit in the root directory. Any suggestions you could offer to resolve this issue?

Also, I did find random eval() codes outside of the wordpress folder.

Pete February 15, 2012

Like Eyebeat and Roger, I am on Dreamhost and just discovered my ‘information_scheme’ DB has the “46esab” garbage in it.. of course we can’t touch that DB, so I contacted DH about it.. hope they help. Really crazy stuff. I killed a ton of old plugins and junk on the domain, and my current WP install “seems” clean.. so hoping its just what’s left in the DB. I should note, my actual site’s Wordpress DB didn’t have any indicators of the hack.. there was a secondary (old) database there that DID, and obviously the info_schema has it.

This post has been a life saver so far!!

Robert Williams March 6, 2012

We were hacked two weeks ago and your tactics have helped us. Thanks

Ian March 20, 2012

Hi

I have followed your guide, which is great, but… still having a problem.

I have cleared all plugins on the site, and removed all the dodgy looking entries in wp_options in the db, but one still keeps coming back even after I delete it?

How can I get rid of this?

option_id option_name option_value

10853 rewrite_rules a:84:{s:47:”category/(.+?)/feed/(feed|rdf|rss|rss2…

Chris Pearson March 21, 2012

Ian, that particular db entry does not look malicious to me.

Hazlitt Eastman March 22, 2012

A company got in touch with me that had been hit with this kind of Pharma Hack. They had already changed the VPS, FTP, database and WordPress passwords and upgraded to the latest version of WordPress. I changed the database prefix, added wp-config keys, .htaccess in wp-admin, etc. Then I went looking for the hack.

In this case there were no entries in the wp-options table and I downloaded the 160MB database and searched all of it for eval and base64_decode and in reverse. I didn’t find anything in the database.

What I did find was a .htaccess file in the /wp-content/plugins folder with the following directives:

RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteBase /
RewriteCond %{THE_REQUEST} /
RewriteCond %{REQUEST_URI} !/class-xml\.php
RewriteRule .+ wp-content/plugins/scribe/lib/ecordia-access/nusoap/class-xml.php [L]

And when I looked in the class-xml.php file hidden in the scribe plugin it contained obfuscated code.

Deleting these files has got rid of the hack.

Thanks for the original post and all the comments, it really helped me get to the bottom of what was wrong.

Sean Jackson March 22, 2012

Hazlitt, in reviewing the Scribe source files available from WordPress.org, the file you reference (class-xml.php) is not part of that distribution, nor has it ever been.

It would appear that someone added this file to the nusoap folder on your site.

Class-xml.php is not a part of the nusoap library nor was it included in any release of Scribe SEO.

Chris Pearson March 22, 2012

Hazlitt, I’ve seen the class-xml.php file before (as part of a hack), and it’s almost certainly malicious.

Jamie April 6, 2012

I believe I have this hack on my site. If you Google “Albrecht Kemper” you will see my hacked titles and it has to do with prescription drugs everytime.

I followed the steps in this tutorial but instead of searching through the plugin folders I just deleted them all and uploaded fresh copies. Then I searched through the database as described above and couldn’t find any of the above entries under wp-options –> option name?

Am I missing something? Doing something wrong? Or do I possibly have a different hack going on?

Thanks!

Oleksiy April 8, 2012

Also, this hack can add the following line to the file /wp-includes/wp-db.php:

@include_once $_SERVER['DOCUMENT_ROOT'].'/wp-includes/license.txt';

Remove this line, and also remove license.txt from that directory.

David Radovanovic April 30, 2012

Just got an “unnatural links” notice from Google about one of my client’s sites. I noticed several peculiar files and a lot of *.php-e files. The latter seem legit, though I can’t recall ever seeing an extension like that. Could they also contain malicious code? At first glance they seem fine.

Emanuel May 7, 2012

Great post, finally I managed to get rid of it!
Thanks a lot.

Here’s a nice bot simulator to see if you got hacked:

Yossarian May 11, 2012

On WP 3.2.1 this hack can also add a file “wp-includes/default-core.php”

Yossarian May 11, 2012

On WP 3.2.1 this hack can also add a file “wp-includes/bookmark-plugin.php”

Brandon May 18, 2012

Several people have mentioned this plugin already, but I highly recommend the “WordPress File Monitor” plugin. It lets you know whenever any files have been added to or modified in your WordPress installation. It also monitors all plugins and themes. When I was trying to get rid of the Pharmahack, this plugin would let me know when it had returned.

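The File Monitor plugin that Stuart and Brandon recommend works by comparing the current state of the install against a stored baseline. The script below is an added example of that idea as a stand-alone tool; it is not code from the post or from the plugin. It hashes file contents rather than looking at modification times, because, as codesmith noted earlier in this thread, a dropped file's timestamp can be set to match its neighbours. The watched suffix list, the `baseline.json` file name and the tiny constructed install in `demo()` are assumptions of this example.

```python
"""Baseline-and-diff integrity check for a WordPress tree.

Added example for this comment thread, not code from the post or from the
File Monitor plugin.  Usage:
    python integrity.py baseline /path/to/site   # record hashes
    python integrity.py check    /path/to/site   # report added/removed/modified
With no arguments it runs demo(), which builds a constructed install in a
temp directory and shows that planted and edited files are caught even when
their timestamps have been reset to blend in.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed set of file types worth watching; .htaccess has no suffix and is matched by name.
WATCHED_SUFFIXES = {".php", ".js", ".html", ".htm", ".txt"}


def hash_tree(root) -> dict:
    """Map each watched file (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix.lower() in WATCHED_SUFFIXES or p.name == ".htaccess"):
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def save_baseline(digests: dict, path) -> None:
    Path(path).write_text(json.dumps(digests, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Added files are the pharma hack's usual footprint (a PHP file that does
    not belong in a plugin or wp-includes folder); modified ones are edited
    core or theme files, such as the wp-db.php include reported above."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed install: baseline it, then plant a file and edit a core
    file while copying the original timestamp onto both."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        core = site / "wp-includes" / "wp-db.php"
        core.parent.mkdir(parents=True)
        core.write_text("<?php\n// constructed stand-in for a core file\n")
        plugin_dir = site / "wp-content" / "plugins" / "akismet"
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "akismet.php").write_text("<?php\n// constructed stand-in for a plugin\n")
        baseline_file = site / "baseline.json"  # .json is not watched, so it is not hashed
        save_baseline(hash_tree(site), baseline_file)

        old_mtime = core.stat().st_mtime
        core.write_text("<?php\n// constructed stand-in for a core file\n@include_once 'planted.txt';\n")
        planted = plugin_dir / "planted.php"
        planted.write_text("<?php\n// constructed dropped file\n")
        for f in (core, planted):
            os.utime(f, (old_mtime, old_mtime))  # timestamps now blend in with the rest

        return diff_baseline(load_baseline(baseline_file), hash_tree(site))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save_baseline(hash_tree(sys.argv[2]), "baseline.json")
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        print(json.dumps(diff_baseline(load_baseline("baseline.json"), hash_tree(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Record the baseline right after a clean install or a verified clean-up, and keep `baseline.json` outside the web root (or at least outside the watched tree) so that a later compromise cannot quietly rewrite it.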
Jeremy June 7, 2012

Another iteration to post here for anyone who comes upon these instructions. I found the pharma hack being called in an .htaccess file in the site root. It was calling wp-stat.php, also in the site root. Deleted the bad lines from .htaccess, deleted wp-stat.php and all looks good. There were also a couple of the db inserts in wp_options as noted in the original post. Good luck.

The lines affected looked something like:

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [OR]

RewriteCond %{REQUEST_FILENAME} !wp-stat.php
RewriteCond %{DOCUMENT_ROOT}/wp-stat.php -f
RewriteRule ^.*$ /wp-stat.php [L]

trmash June 25, 2012

Hey, thank you so much for the concise tutorial.

I found out my site descriptions were being replaced in Google with keywords that seemed to match the pharma hack. The first thing I did was change my administrator password and update WordPress to its latest version (I was a few days behind schedule on that step!).

Following your guidelines – and those of similar websites – I hunted high and low for any evidence of the pharma hack in my database and theme files. Confusingly, my searches returned nothing.

As suggested by Emanuel above, I ran some web pages that were affected in Google through a bot simulator and they appear to be clean.

Could my first instinct – to update WP – have somehow fixed the hack? Or am I back at square one because I have assumed it was the pharma hack when it may be something else?

Thanks.

Kev June 26, 2012

Google is telling me I have 4 infected pages.
I’ve followed their instructions (get virus checks etc) and all came back clear.
But reading the info above before it got too technical for me (go into DB) ahhhhhhh I did notice I have 9 files in the Akismet folder rather than the 4 suggested??
Is there an online EVAL checker that a numpty like me can use?
Thanks

Charlie July 1, 2012

Hey Chris,

Any chance I can have you help me out with this? Recently noticed that my site’s a victim of the pharma attack — and I’ve searched my plugin directory high and low to no avail. Thanks in advance!

-C

Matt Smith July 10, 2012

Good write-up. And thanks for adding the link to security tips. It’s good to understand the problem, but better yet to prevent it. It’s unfortunate that WordPress sites get hacked so often, but it’s still my favorite publishing platform.

DoctorPC July 20, 2012

Thanks, it worked perfectly.

David July 23, 2012

I also found an infected file called wp_common.php. Check for the following code in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !wp-common.php
RewriteCond /var/www/vhosts/[yoursite]/httpdocs/wp-common.php -f
RewriteRule ^.*$ /wp-common.php [L]

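The rewrite rules quoted by Hazlitt, Jeremy and David above all have the same shape: one or more `RewriteCond` lines keyed on the crawler's `HTTP_USER_AGENT` or a search engine `HTTP_REFERER`, followed by a `RewriteRule` that hands the request to a dropped PHP file. The script below is an added example for this thread, not code from the post: it walks a site root, parses every `.htaccess`, groups each `RewriteRule` with the conditions that guard it, and flags rules matching that shape. The sample `.htaccess` text at the bottom is constructed in the shape of those comments (with a placeholder plugin path) together with the stock WordPress permalink block, which must not be flagged.

```python
"""Triage helper for .htaccess cloaking rules of the kind quoted in this thread.

Added example for this comment thread, not code from the original post.
"""
import re
from pathlib import Path

# Words that appear in crawler User-Agent strings and search-engine referers.
CRAWLER_WORDS = re.compile(
    r"google|yahoo|bing|msn|aol|slurp|crawl|spider|robot|bot\b|nutch|aspseek|icio", re.I)
CLIENT_VARS = {"%{HTTP_USER_AGENT}", "%{HTTP_REFERER}"}


def parse_rewrite_blocks(text: str) -> list:
    """Return [{conds: [...], pattern, target, flags}] in file order.
    RewriteCond lines accumulate until the next RewriteRule consumes them;
    other directives (RewriteBase, RewriteEngine) do not reset them."""
    blocks, conds = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append({"var": parts[1], "pattern": parts[2],
                          "flags": parts[3] if len(parts) > 3 else ""})
        elif directive == "rewriterule" and len(parts) >= 3:
            blocks.append({"conds": conds, "pattern": parts[1], "target": parts[2],
                           "flags": parts[3] if len(parts) > 3 else ""})
            conds = []
    return blocks


def is_cloaking_block(block: dict) -> bool:
    """A rule is suspicious when it is keyed on who is asking (crawler UA or
    search referer) and routes the request into a PHP script."""
    keyed_on_crawler = any(
        c["var"].upper() in CLIENT_VARS and CRAWLER_WORDS.search(c["pattern"])
        for c in block["conds"])
    target = block["target"].split("?", 1)[0].lower()  # path before any query string
    return keyed_on_crawler and target.endswith(".php")


def scan_text(text: str, origin: str = "<text>") -> list:
    return [(origin, b) for b in parse_rewrite_blocks(text) if is_cloaking_block(b)]


def scan_site(root) -> list:
    """Walk every .htaccess under root; the thread reports them in the site
    root, in wp-content/plugins and in uploads."""
    findings = []
    for path in sorted(Path(root).rglob(".htaccess")):
        findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample: a cloaking block in the shape of the ones quoted above
# (placeholder plugin path), followed by the stock WordPress permalink rules.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteBase /
RewriteCond %{REQUEST_URI} !/class-xml\\.php
RewriteRule .+ wp-content/plugins/some-plugin/lib/class-xml.php [L]

# Stock WordPress rules
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    import sys
    hits = scan_site(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_HTACCESS)
    for origin, b in hits:
        conds = "; ".join(f"{c['var']} {c['pattern']}" for c in b["conds"])
        print(f"{origin}: RewriteRule {b['pattern']} -> {b['target']}  [conds: {conds}]")
```

Any hit should be read together with the target file it names: in every case reported in this thread the target was a file that the plugin or WordPress release did not ship, which is the confirming check.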
Harmonie July 30, 2012

Finally, this post helped so much! I found the malicious code in root level files instead of plugins. What I did was delete all files in the root except wp-config and uploaded a fresh set from the latest WordPress release and fetched the site from Google Webmaster Tools and finally overcame the pharma hack. Thank you for the assistance!

sam August 26, 2012

I am attempting to remove the Codin Pharma hack from my WordPress site. Unfortunately when I search the database for the above queries I get the response “MySQL returned an empty result set (i.e. zero rows).”
Am I missing a bit of information?

Cesar August 31, 2012

Great article about WordPress security. One of my sites has been affected by the pharma hack; I didn’t find anything in the database, but I found a tmp folder with lots of files with links and a php5.php file inside. The first time I just erased those files, but they came back after a few days, so now I have formatted my computer, cleaned my site again and I change my hosting/FTP password often.

Emma September 25, 2012

I’m currently tinkering with a website affected by this on a friend’s behalf. Managed to remove a bunch of infected files and repaired an edit made to a core file, but they keep coming back (even after setting permissions for the core file to 444?!?!) and I can’t find a single bad database entry in wp_options – where could the backdoor be if not the database? This is infuriating!

QLStudio September 29, 2012

I have lost count of the hours and times I’ve returned to try to remove this plague… here is the latest and greatest run via SSH that helped locate the latest iteration of this slippery sucker:

find /path/to/site.com/ \( -name "*.php" \) -type f -print0 | xargs -0 grep --binary-files=without-match -ir "eval\s*("

delete anything suspicious..

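QLStudio's find/grep one-liner catches `eval(` in PHP files. The script below is an added example for this thread (not the post's code) that widens that search in the two directions the comments keep running into: it also looks for `base64_decode`, `gzinflate`/`gzuncompress`, `preg_replace` with the `/e` modifier and `include`/`require` of a non-PHP file (the `license.txt` trick Oleksiy reports), and it searches for the same function names written backwards, which is how the `strrev`-wrapped payloads in `wp_options` that Pete ("46esab") and Joseph ("BACKWARDS") describe escape a plain search for `base64_decode`. Because it works on any text, it can be pointed at a database dump as well as at the file tree. The sample files in `demo()` are constructed; hits are triage leads, not verdicts, since legitimate plugins also call `base64_decode`.

```python
"""Scan a tree (PHP files and SQL dumps) for the constructs this thread keeps finding.

Added example for this comment thread, not code from the original post.
Usage: python scan_suspicious.py /path/to/site   (no argument runs demo()).
"""
import re
import tempfile
from pathlib import Path

SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate/gzuncompress": re.compile(r"\bgz(inflate|uncompress)\s*\("),
    # preg_replace whose first (pattern) argument carries the /e modifier
    "preg_replace /e": re.compile(r"""\bpreg_replace\s*\(\s*['"][^'"]*/[a-df-z]*e[a-z]*['"]""", re.I),
    # include/require of something that is not a .php file (license.txt trick)
    "include of non-php file": re.compile(
        r"\b(include|require)(_once)?\b[^;]*\.(txt|jpg|png|gif|ico)\b", re.I),
}

# Function names spelled backwards, the way strrev()-wrapped payloads store them.
REVERSED = {name[::-1]: f"reversed {name}"
            for name in ("base64_decode", "gzinflate", "str_rot13", "gzuncompress")}


def scan_text(text: str, origin: str) -> list:
    """Return (origin, line_no, label, snippet) for every matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits.append((origin, n, label, line.strip()[:120]))
        for marker, label in REVERSED.items():
            if marker in line:
                hits.append((origin, n, label, line.strip()[:120]))
    return hits


def scan_tree(root, suffixes=(".php", ".sql", ".txt")) -> list:
    """Walk root; .sql is included so an exported wp_options table can be scanned too."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits.extend(scan_text(p.read_text(errors="replace"), p.relative_to(root).as_posix()))
    return hits


def demo() -> list:
    """Constructed tree: one clean file, one dropped file in the shape the
    thread describes, and a one-row dump of a reversed wp_options payload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.php").write_text("<?php\necho 'hello';\n$x = json_decode($y);\n")
        (root / "dropped.php").write_text(
            "<?php\n@include_once $_SERVER['DOCUMENT_ROOT'].'/wp-includes/license.txt';\n"
            "eval(base64_decode($payload));\n")
        (root / "options-dump.sql").write_text(
            "INSERT INTO wp_options VALUES (1,'rss_abc','a:1:{s:1:\"x\";s:13:\"edoced_46esab\";}');\n")
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    for origin, n, label, snippet in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{origin}:{n}: [{label}] {snippet}")
```

On a real install, review each hit against a fresh copy of the same WordPress, plugin or theme release: a match that is also present in the pristine copy is the plugin's own code, a match in a file the release never shipped is the lead to follow.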
Colin October 6, 2012

Thanks for the great tips. I searched my database and didn’t find any of the rogue files you mentioned. Are there any other file names to add to your list?

Also, I don’t seem to have an active issue with the pharma hack, since I reverted my site immediately after finding it in the SERPs.

But random URL parameters that I found in Google Webmaster tools show the pharma stuff still if I search for the related obscure keywords in Google.

In other words, you can only see the pharma text (in the titles and URLs for my site listings) if you search for those random keywords specifically via Google.

And it only appears for page numbers on my Wordpress site. So I’m not sure if Google just indexed it a long time ago, and hasn’t removed the content or what? I told them to ignore the URL parameters that contained the malicious text, so we’ll see.

As it stands, I think I’m free of the hack, but I’m not sure.

Any tips would be greatly appreciated!

Jim October 13, 2012

I won’t be reading any other articles on your site because you don’t date your material. I don’t know if bloggers do this intentionally for some kind of SEO hack or what, but as a reader it ticks me off. It’s horrible for me to look at an article and not know how old the information is.

Chris Pearson October 14, 2012

umæd?

kat October 14, 2012

It’s clear to see in the URL that this post is from April 2010.

Sam October 14, 2012

The website I am having trouble with has “Buy Clomid” in the Google search results, but there are other symptoms to it too, and occasionally I am able to discover ‘clomid’ hidden in the database, but not any of the search options that are listed above.

When we are using WordPress to activate a plugin or save a post, we are redirected to an archived version of the index page with BUY CLOMID and a list of clomid this & that in the body of the page. We have looked all through the code files but we don’t recognize anything off-beat. I am about to recommend the site host start over with a fresh install of WordPress and a new database, but is there anything else we can do before we go that far?

Carper October 14, 2012

Jim, it’s in the URL, idiot.

Karri October 24, 2012

Thanks for this post! Just spent the last 4 hours unwinding this crap from our site – would have been nearly impossible without your guidance and the info in the comments.

Here are the file names as I found them on my server:
r57.php (found in wp-content/uploads/2010/03)
wp-list.php (found in wp-content/uploads/2011/03)
php5.php (found at the root of my WP install)

Did not find any malicious database code (not to say it isn’t there… only that I haven’t found any yet!).

Fingers crossed this is the end of it! Thanks again!

nofway March 30, 2013

I hope you got rid of all of it! I hate this JUNK!

Mike Baldwin February 1, 2013

So far, your article is the most helpful one I’ve found, but I followed all of these steps very thoroughly and I still have the exact same problems. Removed all plugins from my FileZilla FTP, deleted them from my WordPress, then I accessed my MyAdmin through my host and was unable to find ANY of the above-mentioned names.

michael wiechert February 3, 2013

Very helpful, indeed, thanks.

However, as a “non-technician” and as a user / blogger it is still difficult to find the infected files and to avoid deleting necessary code.

Matt February 14, 2013

This guide was great, my site got infected with this malware and I had deleted the whole site, restored it, then deleted it again and just imported the comments and it was still infected.
Turns out there was a hidden .htaccess file in the root of the server that I couldn’t see. Turning on hidden folders enabled me to see this and fix my issue.
Thanks!!

nofway March 30, 2013

Thanks. I really wish there was a way to figure out how your folders were compromised in the first place. This is a great tutorial. Appreciate your efforts and sorry for your troubles, thank you for sharing it!!

kyle April 9, 2013

Thanks for the help!

Shannon May 2, 2013

Hi Chris, thanks so much for this article. It’s super helpful, although I’m thinking I need to hire someone to get down to the real nitty gritty of cleaning up my site. Do you recommend anyone who knows their stuff in this area? Thanks again.

Em May 16, 2013

Hey, our website description is appearing as Viagra ads, is there any other advice on changing this through GoDaddy? Thanks!!!!!!!

Sanjay Shenoy June 27, 2013

Excellent post Chris! I had a similar problem where one of my clients was hacked by SQL injection. I cleaned up the mess and then installed this plugin called Better WP Security. It does the trick to keep your website safe from hackers. The best part is it does all the things which have been mentioned in the post you have linked to about WordPress security, and does a lot more than that.

Ramon Mizrachi July 7, 2013

For me this article helped me fix the issue:

Specifically, code was added to functions.php in my theme. The article describes what the malicious code is.

Reply

Pranav Vaibhav July 17, 2013

Hey Chris,

Thank god, I never had to face such a problem and, touch wood, will never ever face this in future; all credit goes to you buddy.

Remember the golden words “Prevention is better than cure!”

Your article is really very elucidative.
Not to forget, Comments too are conducive…

Reply

Joseph August 1, 2013

Thank you, thank you, thank you!!! I would’ve never thought about these idiots posting the offending code BACKWARDS in my database.

Reply

Rob August 26, 2013

Thanks for this great info Chris! I believe this site that I built has this hack, but I can’t find any corrupted files in the plugin folder…. I searched the MySQL database and am removing the bad code from there. Is there another place I should look for those files?

Many thanks,
Rob

Reply

Chris Pearson August 26, 2013

Rob, despite what I said in the article, the hack files could be in any folder inside the /wp-content folder—and especially in your /themes folder.

If you have a lot of themes on your site, then it’s quite likely that one of these folders contains the malicious code (it could even be in your active theme files).

Reply

Rob August 29, 2013

Thanks Chris! I have looked all over and can’t seem to find the bad files… Do you have any recommendations for someone I could hire to do this?

Many thanks,
Rob

Reply

Chris Pearson August 30, 2013

Rob, the crew at Sucuri can help you out.

Reply

Brian January 16, 2014

If you have a lot of themes in your theme folder, then you likely have a lot of inactive themes. Copy those off somewhere else and get your site down to only active themes and plugins. A cleaner site is an easier to manage site.

Reply

Verbier Kev August 31, 2013

I gave up looking for the hacked files and, like Chris mentions above, get the guys from Sucuri to check your site; it’s $89 for a year’s protection. They are very good and very quick.

Reply

Henry October 25, 2013

Nice explanation Chris. It really helped me to better myself when facing this kind of problem in the future.

Reply

Damian October 29, 2013

Thanks for the tutorial dude, I know this is an old post but this virus is still doing the rounds.

Reply

Brittany November 5, 2013

I need help please! The Pharma Hack has leeched itself to my company’s website and I am not sure how to get rid of it. I have been searching through all the plugins but I am nervous to delete anything. I do not want to mess up the website. ANY assistance would be greatly appreciated.

Reply

Chris Pearson November 6, 2013

Brittany, I don’t offer malware deletion services, but the fine folks at Sucuri would be happy to help you out.

Reply

Jason November 20, 2013

Thanks dude, I tried your solution, and couldn’t find the malware, but I googled it and finally came up with this website, my virus is the same as theirs:

Thank god! Finally cleared the virus!

Reply

Pheonix Dude December 12, 2013

So how do you notice it if you don’t see it (only the search engines get the change)?

Reply

Chris Pearson December 13, 2013

Phoenix Dude, I noticed it because I check my search engine rankings fairly routinely. Simply doing a search for “Pearsonified” is sufficient in my case; I assume you have a similar search that could suffice for your site.

Reply

Steve February 18, 2014

After finding and removing this hack from a site, I thought I’d share what I found, since I found it based on this blog. In my case, it was an entry in the wp_options table. The option_key value was ‘_descriptioncharset1’, and the option_value was both the inline JS code that was being placed in the , and the actual message text. The key thing is, it was all backwards (here’s a sample):

>vid/p/a/”shn noitcnufsyd elitcere”=eltit “/moc.01silaic1x.26401www//:ptth”=ferh aa/”sekoj argaiv”=eltit “/moc.01argaiv03.05401www//:ptth”=ferh aa/”argaiv cireneg enilno”=eltit “/moc.>p<

Then, there was also a modified line in the theme’s functions.php (ProPhoto in my case), that got the value of that db record:

if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) || (!$m = get_option('_descriptioncharset1'))) {
    return $p;
}

Once I deleted the wp_options record (and removed the offending code from functions.php), the text went away.

Reply
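A defender’s check for the two artifacts Steve describes (a reversed HTML payload stored in wp_options, and a theme file that hides output from anyone carrying WordPress login cookies): this is an added Python example, not code from the post or from any commenter. The option rows, the PHP fragments and the EXAMPLE-PHARMA.invalid domain are constructed samples.

```python
import re

# Constructed rows shaped like wp_options (option_name, option_value); not from a real site.
PAYLOAD = '<p><a href="http://EXAMPLE-PHARMA.invalid/" title="generic viagra">generic viagra</a></p>'
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("blogdescription", "Just another WordPress site"),
    ("_descriptioncharset1", PAYLOAD[::-1]),  # stored backwards, as in the comment above
]

# Constructed PHP fragments: the first mirrors the gating logic quoted above, the second is benign.
SAMPLE_INFECTED_PHP = """if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1'])
    || (function_exists('is_user_logged_in') && is_user_logged_in())
    || (!$m = get_option('_descriptioncharset1'))) { return $p; }"""
SAMPLE_CLEAN_PHP = "if (is_user_logged_in()) { $url = get_option('siteurl'); }"

HTML_MARKUP = re.compile(r"<(a|p|div|span|title)\b[^>]*>", re.IGNORECASE)
PHARMA_TERMS = ("viagra", "cialis", "levitra", "pharmacy")
WP_COOKIE_CHECK = re.compile(r"\$_COOKIE\[\s*['\"](wordpress_test_cookie|wp-settings-(?:time-)?\d+)['\"]\s*\]")
GET_OPTION = re.compile(r"get_option\s*\(")


def suspicious_options(rows):
    """Flag option values containing pharma link markup, either as stored or once reversed.

    Returns a list of (option_name, 'plain' | 'reversed').
    """
    hits = []
    for name, value in rows:
        for label, text in (("plain", value), ("reversed", value[::-1])):
            if HTML_MARKUP.search(text) and any(t in text.lower() for t in PHARMA_TERMS):
                hits.append((name, label))
                break
    return hits


def cloaking_signature(php_source):
    """True when PHP text inspects WordPress login cookies AND reads an option.

    Theme code has no normal reason to look at wordpress_test_cookie; combined with
    a get_option() read it matches the shape of the injected functions.php block.
    """
    return bool(WP_COOKIE_CHECK.search(php_source) and GET_OPTION.search(php_source))


if __name__ == "__main__":
    for name, how in suspicious_options(SAMPLE_OPTIONS):
        print(f"wp_options row {name!r}: pharma markup found ({how})")
    for label, src in (("infected", SAMPLE_INFECTED_PHP), ("clean", SAMPLE_CLEAN_PHP)):
        print(f"{label} PHP sample has cloaking signature: {cloaking_signature(src)}")
```

To use it against a real site, feed `suspicious_options` the rows of `SELECT option_name, option_value FROM wp_options` and run `cloaking_signature` over each PHP file under /wp-content.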

Michael February 20, 2014

Ok, I know this is a relatively old thread, but it seems to continue to be relevant. My site has been impacted by this hack, but in an entirely different way that hasn’t been covered so far.

Since I don’t run WordPress on my site, I don’t think it has been infected. Instead, my site has been one of the links used in the hack… In other words, when I go into my Webmaster Tools accounts, I find over 100,000 links with the term “Buy Levitra” or “Levitra Online” all from WordPress sites that have been hacked by this…

Google’s recommended process for removing bad links is to first contact the website owner and then, if no remediation is possible, use their link disavowal tool. This is a daunting task that I’ll probably end up completing, but I’m curious to know if anyone has ideas on how I might mitigate or eliminate the problem altogether?

Reply

Stavid Devens March 23, 2014

This is an excellent post, however, I have one criticism. Just like every other post I have read on the subject it has blinders on. The Pharma Hack doesn’t consist of a hack on a single site. To work, the hacker has to hack other sites and create hidden lists in them. The hack is really a web of hacked sites. Some are HTML sites with hidden links and some have what you are calling the Pharma Hack. Until people like you stop treating it as a single site problem and get the big picture it will never go away.

Reply

Steve March 27, 2014

The sheer number of comments here make this page pretty hard to navigate in a browser. Maybe you should consider paging the comments?

Anyway, will the files always be in the plugin’s root directory or could they sometimes be in subfolders of the plugin?

Reply

Chris Pearson March 28, 2014

Steve, hack files could be in subfolders also, but you’re far more likely to find them in a root directory.

Reply

David Stevens March 28, 2014

I’m declaring this hack dead. It is too easy to find for it to survive much longer and I am starting to find people who can grasp this concept. It is a rich pool of information about hacks that will soon be lost. If you have any interest in this type of hack I suggest you start looking for them and start building a database about them. You will learn which host providers host the most of them, what type of webmaster is most vulnerable, the paths the hackers pick to store files, their SEO dictionary (Which will help locate more sites using a simple search.), and certainly much more than I have time to list or to discover. One question remains, why has this hack been around so long? I smell the blood in the water already.

Reply
