My website was the victim of a pharma hack. Whenever the site was loaded through a search engine it would take you to an online pharmacy (Viagra, etc.).
I managed to remove all the bad files using Wordfence, but unfortunately there is still an issue – when you load from search engines it does not take you to the site, just a 404 error saying it can't find one of the [bad] files that were removed.
To see for yourself, type the exact domain name into Google (all the other pages seem to have been removed from the SERPs).
Can anyone help?

The website above was one of many (same provider) hacked with the “Pharma Hack” (https://www.malcare.com/blog/what-is-pharma-hack-how-to-clean-it/).
On all pages and posts you could see a JavaScript snippet at the beginning and at the end, and in the middle a French text selling Viagra.
How is it possible that the website was hacked even though I use Wordfence? Wordfence showed me that files had changed when I logged in, but did not block the change. WHY?
Kind regards, Brisch

WordPress Version: 5.2.1
Theme: Mesmerize
Plugins: ALL are deactivated
Issue 1:
403 Forbidden: You don’t have permission to access /wp-admin/admin-ajax.php on this server.
I get this message any time I try to update or delete a plugin. It also shows this message on the Dashboard tab of the Admin panel.
Things I’ve tried:
1. Deactivating all plugins
2. Via FTP I have verified the permissions on admin-ajax.php are set to 640
3. Via FTP I have verified all WP folder permissions are set to 755
4. Installed WP Super Cache, there are no cached contents showing to delete
5. Cleared theme cache
Is there anything I should be checking at the host level?
Issue 2:
When clicking on my site from a search engine it redirects to a pharma scam site.
Things I’ve tried to fix this:
1. Inspected .htaccess, which looks normal. I tried deleting it and generating a new file, but a new file was never created. I’ve compared my file with other “normal” ones online and they look the same.
2. Inspected all *.php files (index, header, footer, etc.). I know it is common to encode PHP in these files to facilitate the redirect but all of mine look normal.
I’ve seen vague mention of these redirects working via scripts or an infected database but I haven’t found much information on how to troubleshoot those cases.
Thanks!
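The first post and Issue 2 above describe the same symptom: the redirect fires only for visitors who arrive from a search engine. One of the usual places that condition lives is a rewritten .htaccess, as a RewriteCond on HTTP_REFERER or HTTP_USER_AGENT placed in front of a RewriteRule to the pharmacy domain (or to a dropped PHP file). Issue 1's 403 on admin-ajax.php can come from the same file, when a <Files> or <FilesMatch> block denies it. The following is an added example, not code from any poster in this thread and not a Wordfence feature: a Python audit that reads a .htaccess and reports search-engine-conditioned rewrites, deny blocks that match admin-ajax.php, and auto_prepend_file/auto_append_file directives. The .htaccess embedded in it is constructed for the example; the WordPress block is the stock one, and pharmacy.example, /wp-content/uploads/cache.php and /home/site/tmp/.sess.php are made-up names.

```python
import fnmatch
import re

# Constructed sample .htaccess (not taken from any poster's site). The WordPress
# block is the stock one; the sections after it are the kinds of additions to look for.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Injected: only visitors arriving from a search engine are sent to the pharmacy site
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://pharmacy.example/land.php?k=$1 [R=302,L]

# Injected: search crawlers get a dropped PHP file instead of the real page
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ /wp-content/uploads/cache.php [L]

# Over-broad hardening rule: this is what produces a 403 on admin-ajax.php
<Files admin-ajax.php>
Order allow,deny
Deny from all
</Files>

# Injected: load a hidden PHP file before every script on the site
php_value auto_prepend_file /home/site/tmp/.sess.php
"""

SEARCH_ENGINES = re.compile(r"google|bing|yahoo|yandex|duckduckgo|baidu|msn", re.I)
CLOAK_VARS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")
FILES_OPEN = re.compile(r'<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>', re.I)
FILES_CLOSE = re.compile(r"</(Files|FilesMatch)>", re.I)
DENY_ALL = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
PREPEND = re.compile(r"\bphp_(?:value|flag)\s+auto_(?:prepend|append)_file\b", re.I)


def blocks_admin_ajax(directive, pattern):
    """Would this <Files>/<FilesMatch> pattern apply to admin-ajax.php?"""
    if directive.lower() == "filesmatch":
        try:
            return re.search(pattern, "admin-ajax.php") is not None
        except re.error:
            return False
    return fnmatch.fnmatch("admin-ajax.php", pattern)


def audit_htaccess(text):
    """Return (line, kind, detail) tuples; kind is 'cloak', 'deny' or 'prepend'."""
    findings = []
    pending = []   # RewriteCond lines waiting for the next RewriteRule
    block = None   # (directive, pattern, line) of the currently open <Files...> block
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILES_OPEN.match(line)
        if m:
            block = (m.group(1), m.group(2), n)
            continue
        if FILES_CLOSE.match(line):
            block = None
            continue
        if block and DENY_ALL.match(line):
            if blocks_admin_ajax(block[0], block[1]):
                findings.append((block[2], "deny", "<%s %s> denies all access, so "
                                 "admin-ajax.php answers 403" % (block[0], block[1])))
            continue
        low = line.lower()
        if low.startswith("rewritecond"):
            pending.append(line)
            continue
        if low.startswith("rewriterule"):
            # Only conditions keyed on the referer or user agent can cloak a redirect.
            conds = [c for c in pending if any(v.lower() in c.lower() for v in CLOAK_VARS)]
            pending = []   # a RewriteCond applies only to the very next RewriteRule
            if conds and any(SEARCH_ENGINES.search(c) for c in conds):
                findings.append((n, "cloak", "rule fires only for search-engine traffic: " + line))
            continue
        if PREPEND.search(line):
            findings.append((n, "prepend", line))
    return findings


if __name__ == "__main__":
    for line, kind, detail in audit_htaccess(SAMPLE_HTACCESS):
        print("line %3d  %-8s %s" % (line, kind, detail))
```

Run it on the real file with audit_htaccess(open(".htaccess").read()), and on any .htaccess in subdirectories, since the document root is not the only place Apache reads one. Two caveats: the same referer test can just as easily be written in PHP, so a clean .htaccess does not clear the site (requesting the page with curl while supplying a Google Referer header or a Googlebot User-Agent shows whether the conditional redirect is still live); and a 403 on admin-ajax.php can also come from outside this file, either from file permissions (640 is readable by the owner and group only, so whether it works depends on which user PHP runs as) or from a host-level rule such as ModSecurity, which this script cannot see.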

I really need some help with fixing a pharma hack on a website I administer; the website in question is:
https://www.hythegardenlandscapes.co.uk
The site is hosted on WordPress via GoDaddy. It appears it has been hacked, and links through Google search are redirecting people to a pharmacy website. I have carried out a scan via Quttera and it has returned some results which seem to show malicious code is present. I have included one of the results from Quttera below. I am a bit of a novice in this area, but can someone please explain how I can go in through the WordPress admin console in GoDaddy to remove and fix it?
/commercial/#
Severity: Potentially Suspicious
Reason: Detected hidden potentially suspicious instructions
Details: Detected hidden CSS declaration
Offset: 475
Threat dump: View code
Threat dump MD5: 0306D7DEE49FD43D905247FA27367794
File size[byte]: 163668
File type: ASCII
Page/File MD5: D45BD27575203B7D034477CD347CF873
Scan duration[sec]: 0.888
CODE
<style> body { font: 11px Arial, Helvetica, sans-serif; margin: 0; color: #666; min-width: 1000px; background: #fff; } img { border: none; } a { color: #666; text-decoration: underline; } a:hover { text-decoration: none; } form { margin: 0; padding: 0; } #wrapper { margin: 0 auto; } /*header*/ #header { background: url(https://refillmyhealth.com/themes/theme-red/img/bg-header.jpg) no-repeat 50% 0; height: 448px; } .header-holder { width: 950px; padding: 0 25px; margin: 0 auto; } .header-top{ min-height: 121px; } .header-top-size:after { content: ''; display: block; clear: both; } .logo { float: left; width: 225px; height: 108px; margin: 6px 0 0 -5px; text-indent: -9999px; background: url(https://refillmyhealth.com/themes/theme-red/img/logo.png) no-repeat; } .logo a { display: block; height: 100%; } .shopping-cart

We recently got hit by a variant of the pharma hack that just goes through the sites and includes outbound links to Cialis and Viagra sites, etc.
The most troubling part is, on inspection, all 10 of those hacked sites had a new administrative user named ‘user’ with, obviously, full administrative rights.
My question is not how they got in (we will have to investigate that further), but how did they spread from their entry point to sites that were locked down pretty well?
I am assuming they found a way to write in a new user, but how did they then write in a new user into another domain space? More importantly, is there anything we can do on the server level to create a better barrier between databases on a shared environment?

Lisa
https://www.ads-software.com/plugins/wordfence/
]]>While other descriptions of this hack have said that it is not visible to the normal visitor, this was visible in the form of words randomly added within the body of our pages such as “viagra,” “cialis,” “ambulance,” “get,” and “prostate” all of which were links to various pharmaceutical purchase websites.
We updated to 4.4.2, updated all of our plugins, and cleaned up the offending code, only to find the same issues back again within a week, and before we could create a backup.
I’ve seen some suggesting that it could come back due to malicious files placed into the Plugins folders, so we checked for that but did not see anything out of the ordinary.
Any advice as to what else we should check on to ensure this does not happen again would be greatly appreciated.
Thank you for any suggestions.

I had a pharma hack that replaced text with spam and links, and only displayed to non-logged-in users. I was helped by the Wordfence scan, which showed that wp-includes/default-constants.php and wp-includes/post-template.php had been changed and pointed to inserted “image” files in wp-admin/images that were not images but executable code. The files were named strlistfile.gif, maplistfile.gif, include.png, tempthumbs.png, loginimage.png, iconscaches.png, graphicspack.png, previewpics.gif. The extraneous files were all dated Feb. 10.
I was surprised that Wordfence did not identify the added image files in the scan, which should have shown up as extraneous to the WordPress core files, as they were in wp-admin/images.