Changing things a little bit today for the 100th post.
Lately I’ve been working on a WordPress site that had been hit with the Pharma Hack, or Blackhat SEO Spam, and I wanted to document what I found.
The Pharma hack is a devious little hack that adds fake/illegal/spam pharmaceutical content to your WordPress web pages, but only if your User-Agent is a search engine. This means that you, your visitors and everyone else won't see the Cialis and Viagra content. Except Google. Because the cloaking keys on the User-Agent header, fetching a page with a crawler's User-Agent (for example curl -A Googlebot http://yoursite.example/) will show the injected content to you as well.
One way to check is to do a Google Search like:
Short answer: by not keeping your core and plugins up to date. This hack has been around for a few years and its footprint has changed to avoid detection, but the vector remains (mostly) the same: core and/or plugins that are both outdated and vulnerable.
Note the word "mostly". It turns out even updated sites can be compromised on shared hosting when a neighbouring account hosts a vulnerable site. I came across this disturbing news while researching my issue at sucuri.net (Cross-contamination).
While I can't pretend to understand how it all works, I will attempt to detail what I found, and what I did to clean the site. I should add I am a Drupal person. My WordPress experience up to this point is that of someone who can add a blog post.
I spent a lot of time on various sites reading about Pharma:
With this I was able to build a regular expression that searched all the files in my WP site. I found 5 that were compromised.
Each of these files had a very long, compressed, encoded chunk of text added to the top.
I uncompressed and decoded the long string and have it saved here if you are interested, but the takeaway in the code is: if you are a bot, show this:
<li><a href="http://touchlessdispensing.com/buy-genuine-viagra/">buy genuine viagra</a></li> <li><a href="http://www.vgtakesjuiceplus.com/viagra-hemel-hempstead/">viagra hemel hempstead</a></li> <li><a href="http://www.deathguild.com/cialis-20mg-2cp/">cialis 20mg 2cp</a></li> <li><a href="http://interviewbay.com/cialis-where-to-buy-in-canada/">cialis where to buy in canada</a></li> <li><a href="http://www.cursuriaerobic.ro/levitra-20-mg-uk/">levitra 20 mg uk</a></li> <li><a href="http://www.mileniatta.com/cialis-online-coupon/">cialis online coupon</a></li> <li><a href="http://www.insularhealthcare.com.ph/tadalafil-max-dosage/">tadalafil max dosage</a></li>
This part was fairly straightforward. Searching all the files with specific regular expressions, I found the (in my case) 5 compromised files, deleted the offending content, and put them back into the site. This was the easy part.
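The file-side cleanup described above (find the compressed, encoded chunk prepended to each PHP file, decode it to see what it does, then cut it out), as an added example that is not the author's script or any WordPress code. It assumes the injected header has the common eval(gzinflate(base64_decode('...'))) shape and decodes whatever chain of gzinflate/gzuncompress/gzdecode/base64_decode/str_rot13 wrappers it finds, innermost first, repeating while the result is itself another wrapper. The sample site it builds in a temp directory, with a two-layer infection in one file and two clean files, is constructed for the demo; example.invalid is a placeholder domain.

```python
"""Find the Pharma-style eval(gzinflate(base64_decode(...))) header injected
into PHP files and peel its encoding layers so the payload can be read."""
import base64
import codecs
import os
import re
import tempfile
import zlib

# An eval() fed through one to five decode/decompress wrappers and a long
# base64 literal.  Group 1 is the wrapper chain, group 2 the encoded blob.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(\s*){1,5})"
    r"['\"]([A-Za-z0-9+/=]{100,})['\"]"
)
# The whole statement, closing parens and semicolon included, for removal.
STATEMENT_RE = re.compile(WRAPPER_RE.pattern + r"\s*\)+\s*;?")

def _rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")

# PHP function name -> equivalent Python decoder.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -zlib.MAX_WBITS),    # raw DEFLATE
    "gzuncompress": zlib.decompress,                               # zlib-wrapped
    "gzdecode": lambda d: zlib.decompress(d, 16 + zlib.MAX_WBITS), # gzip-wrapped
    "str_rot13": _rot13,
}

def peel(chain: str, blob: str) -> bytes:
    """Apply the wrapper chain innermost-first, the way PHP would evaluate it."""
    data = blob.encode("ascii")
    for fn in reversed(re.findall(r"[a-z0-9_]+", chain)):
        data = DECODERS[fn](data)
    return data

def unwrap(source: str, max_layers: int = 8):
    """Decode nested wrappers until plain PHP remains; return (payload, layers)."""
    layers, text = [], source
    for _ in range(max_layers):
        m = WRAPPER_RE.search(text)
        if not m:
            break
        layers.append(re.findall(r"[a-z0-9_]+", m.group(1)))
        text = peel(m.group(1), m.group(2)).decode("utf-8", "replace")
    return text, layers

def is_cloaking(payload: str) -> bool:
    """True when the payload branches on the User-Agent looking for a crawler."""
    return "HTTP_USER_AGENT" in payload and re.search(
        r"googlebot|bingbot|slurp|msnbot|yandex", payload, re.I) is not None

def scan_tree(root: str):
    """Return [(relative path, layers, decoded payload)] for each infected PHP file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if WRAPPER_RE.search(src):
                payload, layers = unwrap(src)
                hits.append((os.path.relpath(path, root), layers, payload))
    return hits

def strip_injection(source: str):
    """Remove every injected eval statement; return (cleaned source, count)."""
    return STATEMENT_RE.subn("", source)

def build_sample_site() -> str:
    """Constructed two-layer infection in a temp dir; not taken from a real site."""
    inner = ("if (preg_match('/googlebot|bingbot|slurp/i', $_SERVER['HTTP_USER_AGENT'])) { "
             "echo '<li><a href=\"http://example.invalid/buy-genuine-viagra/\">buy genuine viagra</a></li>'; }")
    middle = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(inner.encode()).decode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE like PHP gzdeflate
    outer = base64.b64encode(deflater.compress(middle.encode()) + deflater.flush()).decode()
    header = "<?php eval(gzinflate(base64_decode('%s'))); ?>\n" % outer
    clean = "<?php\n// legitimate code\nfunction wp_sample() { return 1; }\n"
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-includes"))
    for rel, body in (("wp-includes/class-sample.php", header + clean),
                      ("wp-includes/functions-sample.php", clean),
                      ("wp-config.php", "<?php define('DB_NAME', 'wp');\n")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, layers, payload in scan_tree(build_sample_site()):
        print(rel, "->", " < ".join("(".join(layer) for layer in layers))
        print("  cloaks on User-Agent:", is_cloaking(payload))
        print("  payload:", payload[:120])
```

Run it against a copy of the web root rather than the live tree, and diff the cleaned files against a fresh download of the same WordPress and plugin versions before putting them back: a file that still differs after the eval statement is gone has been modified in some other way.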
The next part was cleaning the database, specifically the wp_options table, for the backdoors that may have been planted. Following the above blog posts I had some guidelines to work with, but remember: I'm not a WordPress person, and this learning curve is steep.
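A way to triage wp_options rows for that kind of backdoor, added here as an example and not the author's procedure or part of WordPress. The SQL pulls candidate rows out of MySQL (adjust the wp_ prefix if the site uses another); the Python classifier then scores each row: PHP code sitting in an option value is a backdoor outright, a long base64 run that decodes to PHP is a backdoor, and an rss_<32 hex> option holding an opaque encoded blob is flagged for review, because old WordPress stored cached feeds under names of that shape and the Pharma hack hid its payload under look-alike names, so the name alone proves nothing and the value is the evidence. The rows are constructed for the demo, not taken from a real database.

```python
"""Triage wp_options rows for Pharma-style stored backdoors."""
import base64
import binascii
import re
import zlib

# Run this first against the site's database to pull candidate rows.
SUSPECT_OPTIONS_SQL = """
SELECT option_id, option_name, autoload, LEFT(option_value, 120) AS preview
FROM wp_options
WHERE option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode%'
   OR option_value LIKE '%gzinflate%'
   OR option_value LIKE '%str_rot13%'
   OR option_value LIKE '%<?php%'
   OR option_name  REGEXP '^rss_[0-9a-f]{32}$';
"""

# Markers of executable PHP that have no business inside a stored option,
# including preg_replace with the code-executing /e modifier.
PHP_CODE_RE = re.compile(
    r"<\?php|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|gzuncompress\s*\(|str_rot13\s*\("
    r"|preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e['\"]",
    re.I,
)
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# Shape of the old feed-cache option names the hack imitated.
FEED_CACHE_NAME_RE = re.compile(r"^rss_[0-9a-f]{32}$")

def _decoded_looks_like_php(blob: str) -> bool:
    """Base64-decode a run and look for PHP markers in the plaintext."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return PHP_CODE_RE.search(raw.decode("latin-1")) is not None

def classify_option(name: str, value: str):
    """Return None for a row that looks benign, otherwise a short reason."""
    if PHP_CODE_RE.search(value):
        return "backdoor: PHP code stored in option value"
    for blob in LONG_B64_RE.findall(value):
        if _decoded_looks_like_php(blob):
            return "backdoor: base64-encoded PHP in option value"
    if FEED_CACHE_NAME_RE.match(name) and LONG_B64_RE.search(value):
        return "review: feed-cache-style name holding an opaque encoded blob"
    return None

def triage(rows):
    """rows: iterable of (option_name, option_value); returns flagged (name, reason)."""
    flagged = []
    for name, value in rows:
        reason = classify_option(name, value)
        if reason:
            flagged.append((name, reason))
    return flagged

def sample_rows():
    """Constructed rows imitating wp_options content; not from a real site."""
    php = ("<?php if (preg_match('/googlebot|bingbot|slurp/i', $_SERVER['HTTP_USER_AGENT'])) "
           "{ echo '<a href=\"http://example.invalid/cialis/\">cialis</a>'; } ?>")
    return [
        ("siteurl", "http://example.invalid"),
        ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
        ("rss_" + "0123456789abcdef" * 2, 'a:1:{s:5:"items";a:0:{}}'),      # benign feed cache
        ("rss_" + "fedcba9876543210" * 2, base64.b64encode(php.encode()).decode()),
        ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:40:"<?php eval(base64_decode($x)); ?>";}}'),
        ("rss_" + "abcdef0123456789" * 2, base64.b64encode(zlib.compress(php.encode() * 4)).decode()),
    ]

if __name__ == "__main__":
    for name, reason in triage(sample_rows()):
        print(f"{name}: {reason}")
```

Rows flagged "review" still need decompressing by hand (gzinflate, gzuncompress or gzip, depending on how the payload was packed) before deciding; rows flagged "backdoor" can be deleted, but note the option_name first, since whatever file or theme function reads it with get_option() is the other half of the backdoor and has to go too.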
This is actually turning out to be the hardest part. The WP core files and the plugins are still not updated. No, seriously.