Help with pharma hack

  • Hi All,

    Hate to be that guy but I seem to be having a reoccurring inject of pharma pages that only appear through Google bot. The pages appear in the search bar of WooCommerce as a search which is then indexed by Google.

    Things I’ve tried that hasn’t seem to removed the backdoor/pages:
    – Scanned on Sucuri
    – Installed anti-malware and Wordfence plugins
    – Changed mysql password
    – Removed inactive plugins/themes
    – Re-installed in-use plugins/theme with fresh installations
    – Removed the contents of wp-includes and wp-admin with a fresh install
    – Downloaded /uploads folder and removed any non-standard files (php, js, etc)
    – No suspicious cron jobs
    – Located all base64_decode and searched for files using the string “wp_class_support”
    – Removed any record of class_generic_support, widget_generic_support, wp_check_hash, fwp, ftp_credentials in mysql using phpmyadmin

    One thing I’ve noticed in my Apache log is a reoccurring event like the below. Not sure if anyone can make sense of what’s making this call?

    Fri Jan 15 04:53:36.806995 2021] [php7:notice] [pid 3015] [client 54.151.149.147:64978] WordPress database error Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8mb4_unicode_520_ci,COERCIBLE) for operation 'like' for query SELECT SQL_CALC_FOUND_ROWS aWp204435aDw_posts.ID FROM aWp204435aDw_posts WHERE 1=1 AND ( \n aWp204435aDw_posts.ID NOT IN (\n\t\t\t\tSELECT object_id\n\t\t\t\tFROM aWp204435aDw_term_relationships\n\t\t\t\tWHERE term_taxonomy_id IN (1385)\n\t\t\t)\n) AND (((aWp204435aDw_posts.post_title LIKE '%Mestinon Ret. 180 Mg Nebenwirkungen Mestinon 30 Mg \xe2\x8f\xb0\xe2\x96\xab\xf0\x9f\x8e\x9a\xef\xb8\x8f Best online Pharma: \xf0\x9f\x8e\x81 www.FastPharmacy.store \xf0\x9f\x8e\x81 - Mestinon 60 Mg Online \xf0\x9f\x8e\x9a\xef\xb8\x8f\xe2\x96\xab\xe2\x8f\xb0 Cost%') OR (aWp204435aDw_posts.post_excerpt LIKE '%Mestinon Ret. 180 Mg Nebenwirkungen Mestinon 30 Mg \xe2\x8f\xb0\xe2\x96\xab\xf0\x9f\x8e\x9a\xef\xb8\x8f Best online Pharma: \xf0\x9f\x8e\x81 www.FastPharmacy.store \xf0\x9f\x8e\x81 - Mestinon 60 Mg Online \xf0\x9f\x8e\x9a\xef\xb8\x8f\xe2\x96\xab\xe2\x8f\xb0 Cost%') OR (aWp204435aDw_posts.post_content LIKE '%Mestinon Ret. 180 Mg Nebenwirkungen Mestinon 30 Mg \xe2\x8f\xb0\xe2\x96\xab\xf0\x9f\x8e\x9a\xef\xb8\x8f Best online Pharma: \xf0\x9f\x8e\x81 www.FastPharmacy.store \xf0\x9f\x8e\x81 - Mestinon 60 Mg Online \xf0\x9f\x8e\x9a\xef\xb8\x8f\xe2\x96\xab\xe2\x8f\xb0 Cost%'))) AND (aWp204435aDw_posts.post_password = '') AND aWp204435aDw_posts.post_type = 'product' AND (aWp204435aDw_posts.post_status = 'publish') GROUP BY aWp204435aDw_posts.ID ORDER BY (CASE WHEN aWp204435aDw_posts.post_title LIKE '%Mestinon Ret. 180 Mg Nebenwirkungen Mestinon 30 Mg \xe2\x8f\xb0\xe2\x96\xab\xf0\x9f\x8e\x9a\xef\xb8\x8f Best online Pharma: \xf0\x9f\x8e\x81 www.FastPharmacy.store \xf0\x9f\x8e\x81 - Mestinon 60 Mg Online \xf0\x9f\x8e\x9a\xef\xb8\x8f\xe2\x96\xab\xe2\x8f\xb0 Cost%' THEN 2 ELSE 6 END), aWp204435aDw_posts.post_date DESC LIMIT 0, 12 made by require('wp-blog-header.php'), wp, WP->main, WP->query_posts, WP_Query->query, WP_Query->get_posts

    Would anyone be able to recommend other avenues to explore?

    Any help greatly appreciated!

    • This topic was modified 4 years, 1 month ago by alexwise.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator t-p

    (@t-p)

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

    Thread Starter alexwise

    (@alexwise)

    Thanks t-p. Hoping I can do it myself but might be a last resort.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Help with pharma hack’ is closed to new replies.