Cleaning the Pharma

Changing things a little bit today for the 100th post.

Lately I’ve been working on a WordPress site that had been hit with the Pharma Hack, or Blackhat SEO Spam, and I wanted to document what I found.

What

The Pharma hack is a devious little hack that adds fake/illegal/spam pharmaceutical content to your WordPress webpages, but only if your UserAgent is a search engine. This means that you, your visitors and everyone else won’t see the Cialis and Viagra content. Except Google.

One way to check is to do a Google Search like:

inurl:domain.tld viagra

If you do find a page in the search index that has been compromised, you can:

curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" http://domain.tld/page

How

Short answer: by not keeping your core and plugins up to date. This hack has been around for a few years and its footprint has changed to avoid detection, but the vector remains (mostly) the same: core and/or plugins that are both outdated and vulnerable.

Note the word “mostly”. Turns out even updated sites can be vulnerable if they sit on shared hosting alongside vulnerable sites. I came across this disturbing news while researching my issue at sucuri.net (Cross-contamination).

Mechanics

While I cannot come close to pretending to know how it all works, I will attempt to detail what I found, and what I did to clean the site. I should add I am a Drupal person. My WordPress experience up to this point is that of someone who can add a blog post.

I spent a lot of time on various sites reading about Pharma:

With this I was able to build a regular expression that searches all the files in my WP site. I found 5 that were compromised.

  • wp-content/plugins/pagemash/pagemash.php
  • wp-content/plugins/wp-pagenavi/core.php
  • wp-content/plugins/wp-pagenavi/scb/BoxesPage.php
  • wp-content/plugins/wp-pagenavi/wp-pagenavi.php
  • wp-content/themes/choices/footer.php

Each of these files had a very long, compressed, encoded chunk of text added to the top.


echo(gzinflate(base64_decode('pRlrc9o69nN2......Xx29RURYWeSrw8T8=')));

I uncompressed and decoded the long string and have it saved here if you are interested, but the take-away in the code is: if you are a bot, show this:

<li><a href="http://touchlessdispensing.com/buy-genuine-viagra/">buy genuine viagra</a></li>
<li><a href="http://www.vgtakesjuiceplus.com/viagra-hemel-hempstead/">viagra hemel hempstead</a></li>
<li><a href="http://www.deathguild.com/cialis-20mg-2cp/">cialis 20mg 2cp</a></li>
<li><a href="http://interviewbay.com/cialis-where-to-buy-in-canada/">cialis where to buy in canada</a></li>
<li><a href="http://www.cursuriaerobic.ro/levitra-20-mg-uk/">levitra 20 mg uk</a></li>
<li><a href="http://www.mileniatta.com/cialis-online-coupon/">cialis online coupon</a></li>
<li><a href="http://www.insularhealthcare.com.ph/tadalafil-max-dosage/">tadalafil max dosage</a></li>

Sneaky.

Cleanup

This part was fairly straightforward. Searching all the files with specific regular expressions, I found the (in my case) 5 compromised files, deleted the offending content, and put them back into the site. This was the easy part.
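To make that file search concrete, here is an added scanner (my own example, not the script used for this cleanup) that walks a WordPress tree for the echo(gzinflate(base64_decode('...'))) wrapper shown above and decodes each payload with zlib rather than running it. It assumes the wrapper form seen on this page and that only *.php files need checking; the sample file it plants is constructed and harmless.

```python
# Scan a WordPress tree for the gzinflate(base64_decode('...')) wrapper and decode it.
import base64
import re
import tempfile
import zlib
from pathlib import Path

# The obfuscation wrapper found at the top of the compromised plugin/theme files.
INJECT_RE = re.compile(
    r"(?:eval|echo)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)"
)

def decode_payload(b64: str) -> str:
    """Reverse base64 + raw DEFLATE (what PHP's gzinflate expects), never executing it."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8", "replace")

def scan_tree(root: str) -> list:
    """Return [(path, decoded_payload)] for every *.php file carrying the wrapper."""
    hits = []
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in INJECT_RE.finditer(text):
            try:
                decoded = decode_payload(m.group(1))
            except (ValueError, zlib.error):
                decoded = "<payload present but not decodable>"
            hits.append((str(path), decoded))
    return hits

def make_sample(root: str) -> str:
    """Write a constructed, harmless stand-in for an injected plugin file."""
    payload = b"<li><a href='http://example.invalid/spam'>constructed spam link</a></li>"
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, the format PHP gzdeflate() emits
    b64 = base64.b64encode(comp.compress(payload) + comp.flush()).decode()
    target = Path(root) / "wp-content" / "plugins" / "sample" / "sample.php"
    target.parent.mkdir(parents=True)
    target.write_text(f"<?php echo(gzinflate(base64_decode('{b64}')));\n// plugin code follows\n")
    return str(target)

def run_demo() -> list:
    """Plant the sample in a scratch tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, decoded in run_demo():
        print(path, "->", decoded)
```

Point scan_tree at a real document root to list every file carrying the wrapper together with what the payload would have served to a search-engine UserAgent.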

The next part was cleaning the database, specifically the wp_options table for the backdoors that may have been implemented. Following the above blog posts I had some guidelines to work with, but remember: I’m not a WordPress person, and this learning curve is steep.

Moving Forward

This is actually turning out to be the hardest part. The WP core files and the plugins are still not updated. No, seriously.


2 thoughts on “Cleaning the Pharma”

  1. I just did the Google search on my WordPress blog – clean! (So far).

    There are some mighty tricky payloads out there now. I had a vBulletin site get hit with something similar in concept. Redirects to a malware site. It ONLY triggers if you are referring from one of the big search engines and don’t have a site login cookie set. Basically making it invisible to regular users and the site owners. Took me a couple of weeks to find out I was infected. 2 days of research and cleanup. I was able to prevent the malware redirect from triggering, but I haven’t found the code yet! The best that I can sort out is it’s advanced enough that it will inject the code into the render cache, making it non-existent in the database and filesystem.
