A few weeks ago, one of our clients asked us to clean a pharma hack from their WordPress pages. While diagnosing the site, our WordPress experts found that its search results looked more like those of a pharmacy business than a helpful web resource. The exploit was polluting their SEO by targeting the Google SERPs, and as a result the website was blacklisted by Google.
In this article you will learn how to understand, diagnose and fix the WordPress pharma hack by cleaning up the database and the infected files.
💊 What is A Pharma Hack?
WordPress Pharma Hacking is a kind of website spam hack that injects spam into WordPress pages and search engine results not visible to the normal user. The spam only shows up if the user agent is from Google’s crawler (Googlebot). Also, the infection is a bit tricky to remove and if not done properly will keep on regenerating. Basically, pharma hack is an exploit that takes advantage of vulnerabilities in WordPress. The attacker exploits vulnerable WP websites to distribute pharmaceutical content to search engines and the website visitors. These attacks most often target search engines like Google or Bing in an attempt to increase traffic to illegal pharmaceutical businesses.
This hack quietly exploits your highest-ranking and most valuable pages by overriding the title tag and by inserting spam links into the page content. The modified title tag and spam links are visible only to search engines, which is usually achieved through cloaking. In 2018-19, we saw more instances of this kind of hack on WordPress sites than in 2017.
To put it another way: several drugs such as Viagra, Nexium and Cialis are banned on the internet, meaning they are restricted from being promoted or sold over the web. Some pharmaceutical companies therefore resort to illegal methods of promoting their products. The pharma hack is one of them, and it has a devastating impact on the compromised website.
This web exploit is categorised as blackhat SEO spam and mostly targets small business websites. Other hacks in the same category include the Gibberish Keywords Hack and Japanese Keywords Spam.
The below is a cached version of an infected page.
Google SERP results produced by a pharma hack example:
💊 Diagnosing Pharma Hack Spam
What is The Purpose?
Many drugs like Viagra, Nexium, Cialis, are banned which means they are restricted from being promoted on websites. Therefore some pharmaceutical companies try out illegal methods of promoting their products.
Pharma hack causes search engines to return ads for pharmaceutical products along with legitimate listings. The hack can be difficult to detect because it does not affect the displayed pages of the compromised Website or blog. The aim of this hack is to gain valuable links from high-ranking pages.
Because of this behavior, many sites have been compromised for months with those spam keywords which aren’t noticed by anyone.
Diagnosing a pharma hack has to be done accurately and takes some expertise. A quick way to check whether your site is compromised is to search Google for “inurl:yoursite.com cheap viagra or cheap cialis” or to use our free WordPress security scanner.
Why does it take so long to detect?
When we say that the spam links and content aren’t visible to users, we mean that a normal user will see them only in the Google search results. The description beneath the link to the website will show something related to the pharmaceutical products from the hacker’s site.
Even if you are the admin of the site and look through the HTML source code, you won’t find the spam links or content. This is because the malicious content is disguised and placed in your WordPress blog’s plugin folders, and in your database.
Since this exploit only targets the highest ranking pages and not all the pages on the site, it becomes more difficult to find.
How To Check If Your Site Is A Victim Of A Pharmaceutical Hack?
Wondering how to tell whether your site has been hit by the pharma hack? Identifying the infection is one of the most important steps in removing pharma hack spam from your WordPress website. Go through the checks below to identify it.
1. Use a website scanner to tell whether your website is ‘Hacked or Not’
You can use free malware scanners for scanning your website. We have also developed our own tool specifically for this purpose.
2. See what Google sees – Become Googlebot
This check relies on how Google identifies itself. When Google visits your website to retrieve your pages, it identifies itself using one of the following ‘strings’ of text:
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
You need to use a tool that has its user-agent string set to look like Googlebot’s user agent string.
We recommend the User-Agent Switcher tool.
Now retrieve one or more of the pages of your site and look for anything ‘different’ or out of place. If nothing is immediately apparent – view the source of your pages.
Usually this option is available by right clicking in the page and selecting ‘View source’ from the context sensitive popup menu. If the option isn’t there – try right clicking on a different (empty) part of the page.
In particular check the following areas of the page’s
– check the text between the two tags – look for any words that don’t belong
– look at the text between the quotes following the content= part of the meta description text
By now you have either found something or you haven’t.
One final check is to search this html source code for a select few words that should not ordinarily be found within the page.
- For pharma hack, search for words such as: Viagra, Cialis or Regalis
3. Use Webmaster Tools to see what Google Sees
You can use the ‘Fetch as Googlebot’ option within Google Webmaster Tools. Check the output code after the page is fetched and rendered.
4. Search Google to see if you are already exploited
The ‘site:’ operator is a handy way of telling Google to only show results from specific sites. For best results use
- or, site:yourdomain.com viagra
- For advanced use you could use a group of words within brackets/parentheses
Why Is It Hard To Remove Pharma Hack?
In a pharma hack, the backdoors keep regenerating every time we remove them. If the backdoors are regenerating, this might be due to malware that uses cron jobs to reinfect sites, so check the user’s crontab.
If you don’t find any cron job there, the hacker must have injected a backdoor that keeps recreating the infection on the website. To identify the regenerating script, check whether a file’s content was adding wp-page.php to legitimate site pages whenever a request was made by Googlebot or Bingbot.
Appending wp-page.php to legitimate requests isn’t the real problem; the actual problem is the regeneration of the file. For those unfamiliar with how themes work: if an include is added to the header file, it loads the wp-page.php file every time the theme is loaded by visitors.
The 🦟 hacker injected this line into header.php to make the malicious code execute every time a public website page was requested. This is mainly done to send the spam to search engine crawlers, but it also recreates the wp-page.php as a “delete protection” feature.
💊 How does the Pharma hack work?
Basically, the hack consists of two parts—malicious files in the WordPress plugins folder coupled with encrypted code in the WordPress database. The files in the plugins folder contain code that runs the encrypted code stored in the database. Because of this, the pharma hack is dependent upon these rogue files in the plugins folder.
Typically, hack files contain easily-identifiable PHP functions like base64_decode(), and although the pharma hack is no exception, there’s one major difference. With the pharma hack, these functions are stored in the WordPress database as strings, and they’re encoded backwards! At runtime, a hack file in the plugins folder pulls these strings from the database, flips ’em, and then runs ’em as functions, and that’s how the deed gets done.
Most of the time, the malicious content (in the form of code) is encoded to look like legitimate WordPress files and is injected into the plugin folder. Any files other than the default files that ship with your original WordPress plugin install should be looked at closely, since they could be hack files.
The malicious code sends requests to Google for the list of the highest-ranking pages on your website. It then stores this information in its database and targets those pages when it runs.
The pharma hack has various undetectable WordPress backdoors that let the hacker regain the access to your website:
- Backdoor that allows the attackers to insert files.
- Backdoor inside one (or more) plugins to insert the spam.
- Backdoor inside the database used by the plugins.
If you fix one of the three, but forget about the rest, you’ll most likely be reinfected and the spam will continue to be indexed.
Backdoor Inserted into Files
Generally, attackers use free WordPress scanners to hunt for vulnerable WordPress installations, i.e. sites running an old version of WordPress, vulnerable plugins and themes, security loopholes, or multiple websites hosted on the same account. This is the very first step towards injecting backdoors into a compromised site.
When the backdoor is added, it is not immediately executed. Sometimes it stays for months without even getting called. The common places for these backdoors are:
wp-content/uploads/.*php (random PHP name file)
wp-includes/images/smilies/icon_smile_old.php.xl
wp-includes/wp-db-class.php
wp-includes/images/wp-img.php
In the pharma attack, these files contain a backdoor in the form of the following piece of code:
<?php
$XZKsyG='as';
$RqoaUO='e';
$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';
$joEDdb ='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;
@$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY... (long long string)..
Ultimately it is still calling eval(base64_decode, but it builds the function names from variables, which makes it hard to detect. In fact, none of the WordPress security plugins are able to find it. Therefore, look for such a string in your WordPress folders:
If you inspect the code, you will see that it scans for the wp-config.php file and reads the database information. It then acts as a remote shell and retrieves a lot of information about the system. That’s the first thing you have to remove before you do anything else.
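The snippet above never spells out a function name, so a plain text search for eval or base64_decode misses it. As an added example (not code from the original article), this Python script statically resolves such string concatenations and reports calls made through variables that resolve to dangerous names; the DANGEROUS list beyond the two names in the page's snippet is an assumption, and the sample is constructed from the page's snippet with the payload replaced by a placeholder.

```python
import re

# Names that should never be assembled from string fragments at runtime.
# "assert" and "base64_decode" come from the page's snippet; the rest are assumptions.
DANGEROUS = {"assert", "base64_decode", "eval", "gzinflate", "str_rot13",
             "create_function", "system", "exec", "passthru", "shell_exec"}

ASSIGN = re.compile(r"\$(\w+)\s*(\.?)=(?!=)\s*([^;]+);")  # $var = <expr>;  or  $var .= <expr>;
CALL = re.compile(r"\$(\w+)\s*\(")                        # $var( ... ) variable-function call
# One concatenation operand: 'text', "text" (no interpolation), $var or (123)
OPERAND = re.compile(r"""'([^'\\]*)'|"([^"\\$]*)"|\$(\w+)|\(\s*(\d+)\s*\)""")

def resolve_concat(expr, env):
    """Evaluate a pure '.'-concatenation; return None when anything else appears."""
    pos, parts = 0, []
    for m in OPERAND.finditer(expr):
        if expr[pos:m.start()].strip(" \t\r\n."):
            return None                      # something other than '.' between operands
        single, double, var, number = m.groups()
        if var is not None:
            if var not in env:
                return None                  # depends on a value we could not resolve
            parts.append(env[var])
        else:
            parts.append(next(p for p in (single, double, number) if p is not None))
        pos = m.end()
    if expr[pos:].strip() or not parts:
        return None
    return "".join(parts)

def hidden_calls(php_source):
    """Return sorted (variable, function) pairs for calls through resolved variables."""
    env = {}
    for name, dot, expr in ASSIGN.findall(php_source):
        value = resolve_concat(expr, env)
        if value is not None and dot:        # $var .= <expr>; appends to the old value
            value = env[name] + value if name in env else None
        if value is None:
            env.pop(name, None)
        else:
            env[name] = value
    return sorted({(v, env[v]) for v in CALL.findall(php_source)
                   if env.get(v, "").lower() in DANGEROUS})

# Constructed sample: the page's variable assignments, payload replaced by a placeholder.
SAMPLE = ("<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';"
          "$joEDdb ='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;"
          "@$ygDOEJ(@$joEDdb('PAYLOAD_PLACEHOLDER'));")

if __name__ == "__main__":
    print(hidden_calls(SAMPLE))
```

Run it over every .php file under wp-content and wp-includes; any hit is a file to open and inspect by hand, not proof of infection.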
If you don’t, you may allow hackers to reinfect your site via a backdoor or unpatched security hole. Reinfection may happen within seconds or it may take days before the malware returns, causing another stressful situation.
As always, we recommend that you update your WordPress instance to the latest version. This goes for all of your plugins, themes, etc. WordPress is typically very secure; it’s when you’re running old versions and out-of-date plugins/themes that you run into trouble.
For WordPress site owners, there are several reliable free WordPress security plugins that monitor the integrity of core files and theme files. But if you find yourself in a position where you feel attackers are injecting spam in your web pages or SERPs, know that we’re here to help.☎️
Backdoor Inside Plugins or themes
The next step of the attack targets compromised plugins and themes, which is why WordPress theme security is so important. After successfully creating a backdoor into the system, the attackers create a file inside one of the existing plugins. Example:
akismet/wp-akismet.php
akismet/db-akismet.php
wp-pagenavi/db-pagenavi.php
wp-pagenavi/class-pagenavi.php
podpress/ext-podpess.php
tweetmeme/ext-tweetmeme.php
excerpt-editor/db-editor.php
akismet/.akismet.cache.php
akismet/.akismet.bak.php
tweetmeme/.tweetmem.old.php
They will target one or more old plugins using names like wp-[plugin].php, db-[plugin].php, ext-[plugin].php, etc.
Look for any plugin file with the wp_class_support string in it.
$ grep -r "wp_class_support" ./wp-content/plugins
Make sure you remove all those files and, if required, remove all such plugins. To be 100% sure your plugins are clean, I would recommend removing all of them and reinstalling them (not possible for all sites, but this is probably the most secure way of doing it). Always keep them updated.
Backdoor Inside the Database
This is the last step, and equally important. This is where the spam itself is hidden. They have been using the wp_options table with these names in the option_name:
wp_options -> class_generic_support
wp_options -> widget_generic_support
wp_options -> wp_check_hash
wp_options -> rss_7988287cd8f4f531c6b94fbdbc4e1caf
wp_options -> rss_d77ee8bfba87fa91cd91469a5ba5abea
wp_options -> rss_552afe0001e673901a9f2caebdd3141d
So, you need to run these SQL queries to clean them out of your database:
delete from wp_options where option_name = 'class_generic_support';
delete from wp_options where option_name = 'widget_generic_support';
delete from wp_options where option_name = 'fwp';
delete from wp_options where option_name = 'wp_check_hash';
delete from wp_options where option_name = 'ftp_credentials';
delete from wp_options where option_name = 'rss_7988287cd8f4f531c6b94fbdbc4e1caf';
delete from wp_options where option_name = 'rss_d77ee8bfba87fa91cd91469a5ba5abea';
delete from wp_options where option_name = 'rss_552afe0001e673901a9f2caebdd3141d';
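Before deleting anything, it helps to list which rows actually match. The following added example (not part of the original article) audits an export of wp_options in Python for the option names listed above, for rss_ entries other than the two the article says to keep, and for values containing PHP function names spelled backwards as described in the "How does Pharma hack work" section. The two-column CSV export format and the reversed names other than base64_decode are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Option names this page lists as pharma-hack entries in wp_options.
KNOWN_BAD = {"class_generic_support", "widget_generic_support",
             "wp_check_hash", "fwp", "ftp_credentials"}
# The only rss_ options the page says to keep.
RSS_KEEP = {"rss_excerpt_length", "rss_language"}
# Function names searched for in reversed form. base64_decode is named on the page;
# the others are assumptions (decoders that obfuscated PHP commonly relies on).
REVERSED = {name[::-1]: name for name in
            ("base64_decode", "gzinflate", "str_rot13", "create_function")}

def audit_options(rows):
    """Return [(option_name, [reasons])] for rows that need manual review."""
    findings = []
    for name, value in rows:
        reasons = []
        if name in KNOWN_BAD:
            reasons.append("option name listed as a pharma-hack entry")
        elif name.startswith("rss_") and name not in RSS_KEEP:
            reasons.append("rss_ option outside the keep list")
        lowered = value.lower()
        reasons += [f"value contains {func} spelled backwards"
                    for rev, func in REVERSED.items() if rev in lowered]
        if reasons:
            findings.append((name, reasons))
    return findings

def rows_from_csv(text):
    """Parse a headerless two-column export: option_name, option_value."""
    return [(r[0], r[1]) for r in csv.reader(io.StringIO(text)) if len(r) >= 2]

# Constructed sample export; the values are harmless stand-ins, not real payloads.
SAMPLE_CSV = '''siteurl,https://example.test
rss_language,en
rss_excerpt_length,50
wp_check_hash,0f0f0f
rss_7988287cd8f4f531c6b94fbdbc4e1caf,"a:2:{i:0;s:13:""edoced_46esab"";i:1;s:4:""data"";}"
widget_text,"harmless text, then etalfnizg"
'''

if __name__ == "__main__":
    for name, reasons in audit_options(rows_from_csv(SAMPLE_CSV)):
        print(name, "->", "; ".join(reasons))
```

The value check also catches a row whose name looks legitimate, which a delete-by-name query would leave behind.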
💊 How To Remove WordPress Pharma Hack
Go through the steps given below in order to cleanse your site and ‘Remove pharma hack spam from wordpress website’.
There are two ways to clean pharma hack files from your WordPress website:
- Manual Clean Up
  - Removing File from the Plugin Directory
  - Removing Database Entries.
- Security Service
While manually cleaning files, you are making changes to your WordPress files. Unless you are a skilled developer, we’d urge you not to choose manual removal of this hack. But if you have experience with handling WordPress files and databases, follow this procedure:
The manual WordPress pharma hack cleanup includes two basic steps:
- Removing File from the Plugin Directory
- Removing Database Entries.
1. Removing File from the Plugin Directory:
First, log in to your web host and go to a page called cPanel. There you should find an option for File Manager. Select the File Manager.
- You should find a folder called public_html on the left side of the File Manager. When you select this folder, a dropdown will open with three main files of your WordPress:
- Among these three files, choose wp-content. Selecting it will display a dropdown list of internal files. Here you will find the plugins folder.
This folder includes the files of all the plugins installed on your WordPress site. The reason we recommend starting with this particular folder is that outdated plugins are the easiest targets for injecting compromised files and thus hacking a website.
- To identify malicious files, check out the default files present in each plugin so that you can easily identify the suspicious files. To know the default files, go to the cPanel. Click on File Manager. A popup will appear where you’ll have to select ‘Show Hidden Files.’
- If you find any file that is not a default file, delete those malicious files. With this we complete the first step. Now, let’s move to the second step.
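Comparing by eye against the "default files" is error-prone on a large plugin. This added example (not from the original article) diffs an installed plugin folder against a clean copy of the same plugin version in Python, listing extra files (hidden ones included), modified files, and files containing the wp_class_support string mentioned earlier. It assumes you have unpacked a fresh download of the plugin next to the live copy; the file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

MARKER = b"wp_class_support"   # string this page says to grep for in plugin files

def snapshot(root):
    """Map relative path -> SHA-256 for every file under root, dotfiles included."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_plugin(installed, reference):
    """Diff an installed plugin folder against a clean copy of the same version."""
    live, clean = snapshot(installed), snapshot(reference)
    report = {
        "extra": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in live.keys() & clean.keys() if live[p] != clean[p]),
        "marker": [],
    }
    for rel in sorted(live):
        with open(os.path.join(installed, rel), "rb") as fh:
            if MARKER in fh.read():
                report["marker"].append(rel)
    return report

def demo():
    """Build a constructed clean/infected pair in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(tree, rel, data):
            path = os.path.join(tmp, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        for tree in ("clean", "live"):
            write(tree, "akismet.php", b"<?php /* plugin main file */")
            write(tree, "class.akismet.php", b"<?php /* original */")
        # Constructed stand-ins for the changes described on this page.
        write("live", "class.akismet.php", b"<?php /* original */ include 'db-akismet.php';")
        write("live", "db-akismet.php", b"<?php $x = 'wp_class_support';")
        write("live", ".akismet.cache.php", b"<?php /* hidden extra file */")
        return compare_plugin(os.path.join(tmp, "live"), os.path.join(tmp, "clean"))

if __name__ == "__main__":
    print(demo())
```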
2. Removing The Entries From Database:
Now go back to cPanel. There you should find an option for phpMyAdmin. Open it.
In the database, select the wp_options table. It will allow you to browse through the table content. In the wp_options table, you’ll need to search for the following database entries:
class_generic_support
wp_check_hash
ftp_credentials
widget_generic_support
fwp
rss_% (delete all matches to rss_ except rss_excerpt_length and rss_language)
Delete all those entries using this piece of code. And that’s it. Your site is now hack free. Before doing this, make sure you have taken a full WordPress database backup and know how to export a WordPress database.
Take Help from a Security Service
If you are unaware of how to handle WordPress files, using a security service is ideal. At Wp Hacked help you’d have to raise a ticket to clean your hacked site. Wp Hacked help is one of the best WordPress security services in the market that allows you to clean your site at the click of a button. Therefore, if you find yourself in a position where you feel attackers are injecting spam in your web pages or SERPs, just write to us.
Post Clean Up Procedure:
Never skip these post pharma hack cleanup steps in order to reduce the risk of a reinfection and ensure that your website remains clean:
Enable the website Firewall – WAF:
Enabling a valuable network security measure places a set of rules on incoming and outgoing traffic in order to protect networks, servers, websites, and individual computers. This website firewall acts as a wall between a trusted source (say, the server your WordPress website is hosted on) and an untrusted source (the internet) in which only trusted data is allowed entry.
Keep Updating Your Website:
If you are using WordPress, keep updating it to the latest version. Why? Because out-of-date software is the leading cause of infections. This also includes your plugins, themes, and any other extension type.
Change your passwords:
It is prudent to change the passwords related to your website: FTP, SFTP, cPanel, Plesk, WP-admin, etc. They could have been compromised and we do not want you to be reinfected because the attackers can still come back in through them. We recommend that you use a Password Manager, so you do not have to remember them all in your head.
Update your database password:
Also, update the password of your database. Keep a strong, unique and hard-to-guess password. Make sure you don’t use your name, spouse name or date of birth as the password for an integral part of your website. If you’re not familiar with handling changes in your database and configuration files, read our article.
Run an antivirus on your system:
In a lot of cases, we see that websites are compromised due to desktop malware that steals credentials. It’s why we always ask you to take a minute to run an antivirus product.
Back Up Your Website:
After the site is clean and secure, a very good practice is to do regular backups. It reduces the chances of damage or risk of data loss to your website. Make sure to go through this WordPress site maintenance checklist to ensure smooth sailing.