Diagnosing a Pharma Hack

Today’s post is not about filmmaking, but I hope it will be of use to other WordPress bloggers who have been the victims of so-called Pharma Hacking.

A few weeks ago I started to notice strange things happening on this site.

The first thing was that I couldn’t log in. At the top of the login screen there would be an error message similar to this one:

Warning: Cannot modify header information – headers already sent by (output started at /home/trustjho/public_html/blog/wp-content/themes/adspress/functions.php:74) in /home/trustjho/public_html/blog/wp-login.php on line 302

I googled the message and found various suggested solutions, but in the end the only one that worked was to reinstall WordPress.

The next issue was that the media gallery wouldn’t load. When I tried to upload a new image for a post it wouldn’t work, and I couldn’t see any of the images I’d uploaded previously. I tried all the usual WordPress troubleshooting – deactivating plug-ins and themes, which did nothing, and again reinstalling the core files. After the reinstall the problem went away for a little while, but soon came back.

The third thing I noticed was line breaks appearing after links in many of my posts. I checked the HTML code of the posts, but couldn’t see any reason for this behaviour.

Fourthly, and most worryingly, I started coming across a couple of weird sentences at the bottom of several blog posts – sentences which I didn’t write. It was always the same:

“Here what I remember even at that time when I sleep it Cialis Dosage which has to be fixed and can’t be. Cialis dose it is an important element of reception. Which it is necessary to remember.”

Both instances of the word Cialis were hyperlinks to a site selling the drug.

After hours of googling I figured out that I had been Pharma Hacked. A pharma hack plants rogue PHP code on a WordPress site (in theme or plug-in files, or in the database) which then inserts spam text and links for prescription drugs into existing posts. Alongside the text it inserts a small piece of JavaScript that hides the paragraph from human visitors while leaving it in the page’s HTML, where search-engine crawlers still read it. The aim is black-hat SEO: the linked drug site rises in search rankings on the strength of the hidden inbound links planted across many compromised WordPress sites. Because the text is hidden, readers of the victim’s site and even the owner of the site may be completely unaware that it has been hacked.

When I looked at the infected posts in the ‘text’ view mode (as opposed to ‘visual’) I could see two additions, one at the start of the post:

<script type="text/javascript">// <![CDATA[
function get_style6610 () { return "none"; } function end6610_ () { document.getElementById('database6610').style.display = get_style6610(); }
// ]]></script>

And one at the end:

<p id="database6610">Here what I remember even at that time when I sleep it <a href="http://cialisdosage.biz/index.html">Cialis Dosage</a> which has to be fixed and can't be. <a href="http://cialisdosage.biz/index.html">Cialis dose</a> it is an important element of reception. Which it is necessary to remember.</p>
<script type="text/javascript">// <![CDATA[
end6610_();
// ]]></script>

Together the two scripts ensure that the paragraph is never displayed: the first defines a function that sets the element’s style to display: none, and the second calls that function once the paragraph has been rendered. I’m still not sure why I was able to see the text on some of my posts when viewing my site’s front end, but it was lucky that I could, otherwise I might never have diagnosed the problem.

After some more googling I downloaded Wordfence, a plug-in that scans your site for malicious code. Wordfence identified around eight or ten malicious files, which I immediately deleted. Straight away the media gallery started working again and the rogue line breaks after links disappeared.

Unfortunately Wordfence isn’t able to remove the text from your posts. I googled around for something that could, and in the end used a plug-in called Search and Replace. This was able to delete all instances of the sentence “Here what I remember….” and its hyperlinks, which turned out to be in over 900 of my 1,100 blog posts. I can’t remove the JavaScript, because the ID number in it (6610 in the example above) changes with every post, and I can’t find a search and replace plug-in that can handle a wildcard like that. However, without the text and links the JavaScript does nothing.
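The two fragments quoted above are regular enough that the per-post ID can be captured with a regular-expression group rather than a fixed search string, which covers both the detection described earlier in the post and the clean-up that the Search and Replace plug-in could only do in part. The script below is an added example, not code from the original post or from Wordfence; the sample post content is constructed here to mirror the quoted fragments, and the function names are my own. It finds every injection ID in a post, strips the hidden paragraph together with both script blocks that reference that ID, and reports which posts in a batch are infected.

```python
from __future__ import annotations

import re

# Constructed sample content (not data from the site): one post carrying the two
# injected fragments with ID 6610, and one untouched post.
INFECTED_POST = (
    '<script type="text/javascript">// <![CDATA[\n'
    'function get_style6610 () { return "none"; } '
    "function end6610_ () { document.getElementById('database6610')"
    ".style.display = get_style6610(); }\n"
    '// ]]></script>\n'
    '<p>A genuine paragraph about filmmaking.</p>\n'
    '<p id="database6610">Here what I remember even at that time when I sleep it '
    '<a href="http://cialisdosage.biz/index.html">Cialis Dosage</a> which has to be '
    "fixed and can't be. "
    '<a href="http://cialisdosage.biz/index.html">Cialis dose</a> it is an important '
    'element of reception. Which it is necessary to remember.</p>\n'
    '<script type="text/javascript">// <![CDATA[\n'
    'end6610_();\n'
    '// ]]></script>'
)
CLEAN_POST = '<p>A genuine paragraph about filmmaking.</p>'

# The ID shows up in two places: the hidden paragraph's id attribute and the
# get_style<ID> function that is defined at the top and called at the bottom.
_ID_IN_PARA = re.compile(r'<p\s+id="database(\d+)"')
_ID_IN_SCRIPT = re.compile(r'get_style(\d+)\s*\(')


def find_injection_ids(html: str) -> list[str]:
    """Return every injection ID present in one post's content (empty if clean)."""
    ids = set(_ID_IN_PARA.findall(html)) | set(_ID_IN_SCRIPT.findall(html))
    return sorted(ids)


def strip_injection(html: str) -> tuple[str, list[str]]:
    """Remove the hidden paragraph and both script blocks for every ID found.

    Returns the cleaned content and the list of IDs that were removed.
    """
    ids = find_injection_ids(html)
    cleaned = html
    for pid in ids:
        # 1. The hidden <p id="database<ID>"> carrying the spam text and links.
        hidden_para = re.compile(rf'<p\s+id="database{pid}">.*?</p>\s*', re.S)
        # 2. Any <script> element that mentions this ID: the function definitions
        #    at the top of the post and the end<ID>_() call at the bottom. The
        #    tempered dot (?:(?!</script>).) keeps the match inside one element.
        script = re.compile(
            rf'<script\b[^>]*>(?:(?!</script>).)*?'
            rf'(?:get_style{pid}\b|end{pid}_|database{pid})'
            rf'(?:(?!</script>).)*?</script>\s*',
            re.S,
        )
        cleaned = hidden_para.sub('', cleaned)
        cleaned = script.sub('', cleaned)
    return cleaned.strip(), ids


def scan_posts(posts: dict[int, str]) -> dict[int, list[str]]:
    """Map post ID -> injection IDs for every infected post in a batch.

    `posts` would normally be built from wp_posts.post_content (hypothetical
    loader, not shown); here it is whatever the caller passes in.
    """
    report = {}
    for post_id, html in posts.items():
        ids = find_injection_ids(html)
        if ids:
            report[post_id] = ids
    return report


if __name__ == "__main__":
    batch = {1: INFECTED_POST, 2: CLEAN_POST}
    for post_id, ids in scan_posts(batch).items():
        cleaned, removed = strip_injection(batch[post_id])
        print(f"post {post_id}: removed injection(s) {removed}")
        print(cleaned)
```

In practice the content would be read from the wp_posts table (post_content column) and written back only after a database backup, so that a regex that matches too much can be rolled back. Stripping the scripts as well as the paragraph is worth doing: once the paragraph is gone, the leftover end<ID>_() call dereferences a null element and throws a harmless but noisy TypeError in every visitor’s browser console.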

I still don’t know how my site got infected in the first place, but apparently the most likely route would have been through one of the old, outdated plug-ins I was running. Evidently it is very important to regularly update not just WordPress but all of your plug-ins to make sure there are no security loopholes. And I will be performing regular Wordfence scans from now on to check for anything slipping through again.
