Comments on: How to Diagnose and Remove the WordPress Pharma Hack

By: Haneef Saleem

Haneef Saleem — Mon, 16 Jan 2012 13:51:08 +0000

Hello,
Thanks for the informative article about the 5 security tips to take in protecting a wordpress site. Unfortunately, I did not discover this until after my site (macleem.com) was hacked. Now if you try to visit any of the site’s legitimate subdomains or even an invalid one it redirects you to a viagra or pharma site. For example, a legitimate subfolder gets redirected to the viagra site…or if you try a similar folder that doesn’t exist, it will take you to the same viagra site.

At this point i am not convinced that the hack is integrated with Word Press, sine the word press blog does not sit on the root directory. Any suggestions you could offer to resolve this issue?

Also, I did find random eval() codes outside of the wordpress folder.

By: Mike

Mike — Wed, 21 Dec 2011 17:30:11 +0000

Thanks for this awesome article. I was hit with this and was able to find a file with the bit of base64 code in it and removed it but did not find anything in the wp_options table of the database looking like the possibilities you mention.

Any ideas?

By: Eagle Locksmith

Eagle Locksmith — Thu, 15 Dec 2011 17:55:54 +0000

I haven’t been hacked yet but heard about this. This is a good source to bookmark. Better safe than sorry. Thanks for posting this.

By: Stuart

Stuart — Fri, 09 Dec 2011 19:32:22 +0000

I had several blogs that were trashed by this malware last year and I am working on a clients site that has this problem. To prevent this malware hitting your site I downloaded WordPress File Monitor. It tells you when any of your files are modified. Just my two cents!

By: Daniel

Daniel — Thu, 17 Nov 2011 18:16:06 +0000

Wasn’t aware this was even possible

By: Damian

Damian — Mon, 07 Nov 2011 09:22:35 +0000

Would just like to say thanks for this post, we looked in our akismet folder as suggested by you and guess what was in there :(

this saved us a lot of time and this is our thanks for this great post

By: Bob Dickinson

Bob Dickinson — Thu, 20 Oct 2011 18:52:07 +0000

Does this impact my indexing and SEO? I didn’t find any files in the public html but still having problems

By: Bob

Bob — Wed, 12 Oct 2011 09:57:09 +0000

Another place to check is in your index.php file in the root of your wordpress install.

I found the following there
[code]
include("js/wp-admin.php");
[/code]

js/wp-admin.php was a script that ran
[code]
header("Location: http://www.example-site.com/lorazepam.html?aid=vleup");
[/code]

Scum…

By: eric

eric — Fri, 07 Oct 2011 17:47:25 +0000

To pick a nit: If you don’t know how the exploit worked, you don’t know that people can prevent it in the future using the methods outlined in the linked post. Mind, they all seem like reasonable things to do, but from what I’m seeing so far it sounds to me like the most likely problem is a combination of inadequate directory permissions and some code-cleaning weakness in WordPress.

By: tom altman

tom altman — Thu, 22 Sep 2011 10:40:44 +0000

It appears they may have upgraded this hack. I’ve been affected and I’m pretty sure they did access the database at all.

Anyone notice any other variants?