Pharma Hack

Hey @brisch,

Wordfence protects against a wide variety of attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are so bad that Wordfence can’t protect against them. The same goes for servers.

Regarding how they gained entry, here are some possible scenarios:

Are there other sites hosted on the same hosting account? If so, they could have been infected and spread the infection to this site.

You may be using a plugin or theme with a vulnerability that is so severe that we cannot protect against it.

Your wp-config.php file is readable to the hacker, either directly via your account, via a vulnerable plugin or another hacked site on the same server.

The hosting accounts on the server are not adequately isolated on the server, so the hacker has access to your database via another user’s database.

The server software has vulnerabilities that allow the hacker to get root access
You were actually hacked many months ago, but the backdoor was not activated until now.

Here’s a guide that may help you clean the site. However, if you’re not comfortable with this or the site becomes reinfected I’d suggest reaching out to a professional hack repair service to have the site professionally cleaned and patched.

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

Thanks,

Gerroald

Same here, wordfence didn’t block and till now I couldn’t find any files with malicious code, only altered the database entries in wp_post. Wordfence recognised a SEO Hack in the caching files from WP_Total_Cache, but nowhere else.

the Javascript code at the beginning of the content looks like (function names are different in each entry):

<script type=”text/javascript”> function style_array_chunk73() { return “none” } function end73_() { document.getElementById(”rzd73”).style.display = style_array_chunk73() } </script>

The french spam is in div tags with an title or an id

at the end of the content the script looks like this:

<script type=”text/javascript”> end73_() </script>

Didn’t find anything via google about this.

Seems that the htaccess file is affected, there are several links in the french text to “harmless” websites, which are forwarded to https://secure-rx-market.net/product/viagra.html?track=sol

had an issue with my htaccess-File but unfortunately changed it via Permalink-Update, so I can’t check this.

Hi amazonsk, I did this against the virus and it worked so far:
I use “All in one WP migration” and I had a backup from 3 week before. I used this and reinstalled everything. Until now I can’t see any infection.

But the provider sent an email yesterday that over 100 websites (WordPress, Joomla, Typo3) have been infected and he will do an backup and reinstall the websites for free. But the provides could not tell me – so far – where the infection comes from.

What I learned: do backups and use them. Only thing: I dad to buy the backup because it is only free until 512MB. Good luck!

Hi Brisch,
i have the same problem.
Did you find find out how it’s possible?
———-
Hallo,
ich habe das selbe Problem.
Hast du die Ursache herausgefunden?

Nachtrag:
Ich bin beim selben Hoster. Wahrscheinlich lag es daran.

lg
Mike2019

• This reply was modified 5 years, 2 months ago by mike2019.

Lieber Mike,

ich habe folgendes herausgefunden: Es betraf Websites auf Basis von WordPress, Joomla und Tyo3. Im Web stand ein Artikel, dass es auch Drupal betreffen kann.

Der übliche Webspace bei einem Provider ist ja ein “Shared Host” und dieser Virus kann irgendwo einen Eingang gefunden haben und ist dann über den Server zu anderen Domains und Websites gekommen.

Bei der Website habe ich das Problem folgenderma?en gel?st: Ich hatte eine Sicherung von “All in One WP Migration” und habe (weil Website 2GB) die Vollversion gekauft und eine frühere Version der Website wieder hergestellt.

Edis selbst hat ja angeboten gratis eine Sicherungskopie der Website vom 6.9. gratis wieder herzustellen. Aber erst Tage sp?ter, da hatte ich das Plugin schon gekauft.

Es ist aus meiner Sicht der Provider. Edis. der seien Server schlecht abgesichert hat. Und auch nciht das erste mal, ich wurde als Webdesignerin engagiert weil Edis schon im Februar ein Problem hatte und die Website (damals Typo3) gehacked wurde und es nciht m?glich war sie wieder herzustellen.

Hilft die Antwort? LG Brisch

Es hat (laut Edis) hunderte Websites am dortigen Server betroffen.

Hallo,
ja, deine Antwort hilft mir sehr.
Ich betreibe 5 Webseiten. 4 mit WordPress davon 3 in Wien, 1 in Deutschland.
Die 3 WordPress Seiten in Wien waren alle betroffen. Ich hatte zuerst das Theme oder ein Plugin in Verdacht und habe den php-Code und die Datenbank durchsucht, aber nichts gefunden.
Ich habe den Schadcode h?ndisch gel?scht und hoffe, dass sowas nicht mehr vorkommt.

LG
Mike

Hi,

We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

Please feel free to open another thread if you’re still having issues.

Thanks,

Gerroald

Hey @mike2019, did the malicious code reappear?