Fixing the WordPress Pharma Hack (Embedded Links Variant)
I’ve just spent the last 9 hours recovering this blog from the Pharma hack. I was hit by a far more vicious variant: instead of just making the results visible to search engines, it embedded Viagra and Cialis links in every single blog post. Worse, it embedded them in the HTML arbitrarily, breaking img tags and YouTube embeds.
There are 2 definitive blog posts from people who experienced the original variant of the hack, which you should definitely read:
1. Sucuri: very detailed explanation as well as solution to the problem
2. Pearsonified: less detailed, but has pictures which will help you (especially if you’re a CPanel user)
3. Kikolani: a variant of the original Pharma, and his way of fixing it was closer to mine
I’m posting my own experience fixing it here, just in case it helps someone out to know they’re not alone with the new variant.
Aside: How this thing works (super simplified):
The Pharma script basically finds a way onto your WordPress installation (possibly through unprotected folders such as the /uploads folder) and hides .php scripts all over the place.
When executed, these scripts read your wp-config.php file to get your MySQL database user and password, then modify your database (which holds your posts, etc.).
1. Upgrade WordPress
Don’t go for the automatic upgrade: go the manual route, where you delete your entire wp-admin and wp-includes folders and re-upload all files.
2. Delete all plugins and unused themes
Unless you’ve got customized plugins or themes, deleting all plugins and then re-downloading and re-installing them is faster than manually scanning directories and code, and if you scan by hand you’ll still miss something.
3. Check your ENTIRE wp-content folder
While the previous variants of the Pharma hack had attacked the plugins folder, I found the hacked files in my wp-content/uploads folder, which I had stupidly left at 0777 permissions (where anyone can write a file to it). They had put .php files in every single subfolder, which, when called, read the /wp-config.php file to get my MySQL username and password.
Go through EVERY SINGLE directory in the /wp-content folder, change its permissions to 0744 (where nobody can write/execute), and delete every .php file in the /uploads folder. If you followed steps 1 and 2 above, you shouldn’t have any files in plugins, and
Also check your .htaccess files- the hacker had put in an entry like the following:
“ErrorDocument 404 for the uploads/160705.php”
You should go through the .htaccess files to make sure those are gone as well (just in case).
Also, I found that the owner of the compromised folders (i.e. /uploads) had been changed to “nobody”. It might have been a coincidence, or it might have been the hacker trying to make it difficult for anyone without sudo (superuser) rights to change permissions on the hacked folders. I had to contact my host to get those changed.
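To make the step 3 checks repeatable, here is an added audit script (not from the post) that reports the three artifacts described above under a wp-content directory: .php files inside uploads/, world-writable directories, and .htaccess lines that point an ErrorDocument at a .php file. It only prints findings and deletes nothing; the sample tree it builds when run without an argument is constructed for the demo, with a placeholder in place of any real dropped script.

```shell
#!/bin/sh
# Added audit helper (not from the post): reports the three step-3 artifacts
# under a wp-content directory. It only prints findings; it deletes nothing.

# PHP files under uploads/ -- the uploads tree should contain media only.
find_php_in_uploads() {
    find "$1/uploads" -type f -name '*.php' 2>/dev/null
}
# Directories writable by everyone (0777-style), which let a dropper write files.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}
# .htaccess lines that point an error handler at a .php file, like the
# "ErrorDocument 404 ... uploads/160705.php" entry quoted in the post.
find_htaccess_php_handlers() {
    find "$1" -name '.htaccess' -exec grep -Hi 'ErrorDocument.*\.php' {} \; 2>/dev/null
}
# One tagged line per finding, so the report can be grepped or counted.
audit_wpcontent() {
    find_php_in_uploads "$1"        | sed 's/^/PHP_IN_UPLOADS  /'
    find_world_writable_dirs "$1"   | sed 's/^/WORLD_WRITABLE  /'
    find_htaccess_php_handlers "$1" | sed 's/^/HTACCESS_PHP    /'
}
count_findings() {
    audit_wpcontent "$1" | wc -l | tr -d ' '
}

# Constructed sample tree that mimics the compromise described in the post
# (placeholder PHP comment, not a real payload).
make_sample_wpcontent() {
    umask 022
    mkdir -p "$1/uploads/2010/09" "$1/plugins/akismet" "$1/themes/default"
    printf '<?php /* placeholder for a dropped script */ ?>\n' > "$1/uploads/2010/09/160705.php"
    printf 'not really an image\n' > "$1/uploads/2010/09/photo.jpg"
    printf 'ErrorDocument 404 /wp-content/uploads/160705.php\n' > "$1/uploads/.htaccess"
    printf 'Options -Indexes\n' > "$1/plugins/.htaccess"
    chmod 0777 "$1/uploads/2010/09"
}

# Usage: sh wp_audit.sh /path/to/wp-content   (no argument: run on the sample tree)
if [ $# -gt 0 ]; then
    audit_wpcontent "$1"
else
    tmp=$(mktemp -d)
    make_sample_wpcontent "$tmp/wp-content"
    audit_wpcontent "$tmp/wp-content"
    rm -rf "$tmp"
fi
```

Each reported line is something to inspect by hand before removing it, since a theme or plugin may legitimately ship an .htaccess of its own.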
4. Clean up database
The Pharma hack inserts malicious code into the WordPress database. Pearsonified’s article describes how to fix it really well, and I won’t try to re-invent the wheel. Read it.
For extra protection, I changed the password/user on my MySQL database, just in case they had cached login information somewhere.
5. Checking every other .php file
Especially the wp-config.php file and the .php files in your theme directory. It didn’t happen to me, but I would guess that someone could put malicious code in there.
6. Going through EVERY blog entry, deleting the malicious links
It’s absolutely retarded, and I wish there was a faster way to do it. I tried writing something in Python, but it worked terribly because a lot of the links were placed arbitrarily in HTML and had damaged many img tags. You also have to identify all possibilities, which varied widely. In the end, I had to manually go through every entry, and delete the offending links.
I’m guessing that as this spreads, someone will eventually come up with a script to do this. But, at least for me, it was faster to just go through every entry and clear out the links, repairing img tags along the way.
7. Re-install all plugins, themes, check whether images work
As I’ve got class tomorrow and a problem set to rush, I’ve had no time to look into the broken images in almost all the posts from previous years. My initial guess is that the permissions have been set at the wrong level, in which case it would be an easy fix.
8. Harden WordPress
Take no chances again, or prisoners. I’ll be doing most of the stuff to harden WordPress as soon as possible.
This hack is heinous, and has (as of now) taken almost 7 hours of my time to figure out, fix, and solve. I really, really, really hope it works. It’s a stupid, terrible waste of time, but the hack sure was ingenious, if you really study how he/she did it.
If only hackers spent their time doing good instead of bad, the world would be a much better place. If only!
