• I learned a site I am running has the Pharma hack. I found the PHP string used in a file called wp-hloper.php in a directory. It was the reverse base64_decode version. I removed it.

    That’s half the problem solved

    The other half is finding the database entry for this script in wp-options. I have searched phpMyAdmin for the usual names I have found in any number of articles and no luck.

    It’s possible the database names used have changed (most of the articles I read are from around 2010 or earlier) and I hope someone here can point me in the right direction or has had experience with this hack recently.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator James Huff

    (@macmanx)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter David LeBlanc

    (@davidtleblanc)

    James,

    Thanks for the reply and links (which I have read), but I assure you I am calm, if a bit tired and frustrated.

    I have done everything I am supposed to do to rid the site of the Pharma Hack, save one. I can’t find the string in the options table. It is there somewhere.

    I have always been fastidious about keeping the core, themes and plugins updated. I have changed passwords for everything. I have contacted GoDaddy about this (good luck was their reply, more or less, and I have seen that sites on GoDaddy were exposed to some vulnerabilities in my research) and spent a lot of time finding the cursed script looking in all of the suggested places. Found a neat little script that located it for me.

    My one lone task remaining is finding where this thing’s entry is in the database. That I cannot locate. Suggested search terms I have read to find this in the DB were all negative. I wondered if anyone else has/had a similar issue and solved it.

    Any thoughts about finding it in the database will be welcome.

    Moderator James Huff

    (@macmanx)

    I haven’t had to clear one of these up in years, so if it’s not covered by the guide, I’m afraid I’m not sure where to look next.

    There are several paid WordPress services that specialize in hack cleanup. I have used https://sucuri.net/ before with great success.

    There’s also https://jobs.wordpress.net/ or https://directory.codepoet.com/ where you can hire someone with expertise in this (do not accept any hire offers posted to these forums).

    Thread Starter David LeBlanc

    (@davidtleblanc)

    James, thanks for the reply.

    The hack is covered by the guide. I understand the steps to take. I have found and removed the PHP script. It’s just finding what the strings are related to this hack in the database. If I can find those, life is good. I am close and I want to finish it.

    What I find interesting is that I routinely checked with Sucuri to look for malware. In researching this thing, they admit it’s something their security software can’t find. That’s not really comforting: this hack has been going on for years, coming up to a decade, and finding it still eludes malware security software. The article I referenced from Sucuri was written several years ago, but I would assume that it would be updated if things changed. They have not, apparently.

    Moderator James Huff

    (@macmanx)

    It probably eludes their tool because their tool can’t access your database, it can only scan the front-facing portion of your site.

    Thread Starter David LeBlanc

    (@davidtleblanc)

    James,

    Good point, but strrev in a line of code is a very red flag, I would think. From what I have read (my php skills are weak at best) it’s used for almost nothing else except for mischief.

    I did learn that base64_decode is legitimately used in a lot of themes and plugins, but eval is another obvious red flag.

    Then again, what do I know?

    Thanks again for the response.

    Moderator James Huff

    (@macmanx)

    strrev is legitimate, it just reverses a string, not really a sign of a compromise: https://php.net/manual/en/function.strrev.php
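    The thread never gets to the search the original poster was stuck on, so here is an added example, not code from the thread, from WordPress or from Sucuri, that scans both places the payload was hiding: the PHP file and the wp_options rows. It takes every long base64-looking run, decodes it as-is, reversed before decoding and reversed after decoding (the two readings of a "reversed base64_decode" payload), optionally through gzinflate, and reports a blob only when the result reads as PHP. In keeping with the last two replies, base64_decode and strrev are not flagged on their own; a raw eval chained to a decoder is. The option name example_injected_option, the wp-hloper.php label and every sample row are constructed; against a live site, feed scan_options the result of SELECT option_name, option_value FROM wp_options and run scan_text over each .php file.

```python
"""Scan wp_options values and PHP source for eval payloads hidden behind
base64, strrev and gzinflate. Added example for this thread; the sample
rows and option names below are constructed, not from any real site."""
import base64
import binascii
import re
import zlib

# Tokens that mark executable PHP once a blob has been decoded.
SUSPECT_TOKENS = ("<?php", "eval(", "base64_decode(", "strrev(", "gzinflate(",
                  "gzuncompress(", "create_function(", "assert(", "preg_replace(")

# A run of base64 alphabet long enough to carry code; a reversed base64
# string may start with its padding, so allow '=' on either end.
BLOB_RE = re.compile(r"={0,2}[A-Za-z0-9+/]{40,}={0,2}")


def _printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def _b64(s: str):
    """Strict base64 decode after normalising padding; None if not base64."""
    s = s.strip("=")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_layers(blob: str):
    """Try the chains attackers use: base64, strrev then base64, base64 then
    strrev, each optionally followed by gzinflate (raw deflate). Return
    (label, text) for the first variant that reads as PHP, else None."""
    plain = _b64(blob)
    candidates = [("base64", plain), ("strrev+base64", _b64(blob[::-1]))]
    if plain is not None:
        candidates.append(("base64+strrev", plain[::-1]))
    expanded = []
    for label, data in candidates:
        if data is None:
            continue
        expanded.append((label, data))
        try:
            expanded.append((label + "+gzinflate", zlib.decompress(data, -15)))
        except zlib.error:
            pass
    for label, data in expanded:
        if _printable_ratio(data) < 0.9:
            continue  # binary: an image, a cache entry, not code
        text = data.decode("ascii", "replace")
        if any(tok in text for tok in SUSPECT_TOKENS):
            return label, text
    return None


def scan_text(text: str):
    """Findings for one option_value or one PHP file as (how, evidence)."""
    findings = []
    low = text.lower()
    # strrev and base64_decode are legitimate alone; eval fed by a decoder is not.
    if "eval(" in low and any(t in low for t in ("base64_decode(", "strrev(", "gzinflate(")):
        findings.append(("raw-eval-chain", text.strip()[:80]))
    for m in BLOB_RE.finditer(text):
        hit = decode_layers(m.group(0))
        if hit is not None:
            findings.append(hit)
    return findings


def scan_options(rows):
    """rows: (option_name, option_value) pairs, e.g. exported with
    SELECT option_name, option_value FROM wp_options"""
    return [(name, f) for name, value in rows for f in scan_text(value)]


# ---- constructed sample data (not from any real site) ----
_PHP = b'<?php if(isset($_GET["p"])){echo "<a href=\\"http://pharma.invalid\\">buy</a>";}'
_BLOB = base64.b64encode(_PHP).decode()[::-1]  # stored as strrev(base64(code))
SAMPLE_ROWS = [
    ("siteurl", "https://blog.example"),
    ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:5:"hello";}}'),
    ("plugin_logo", base64.b64encode(bytes(range(256))).decode()),  # benign binary
    ("example_injected_option",  # hypothetical name; real ones vary
     f'a:1:{{s:4:"code";s:{len(_BLOB)}:"{_BLOB}";}}'),
]
SAMPLE_PHP = '<?php\n$c = "' + _BLOB + '";\neval(base64_decode(strrev($c)));\n'

if __name__ == "__main__":
    for name, (how, evidence) in scan_options(SAMPLE_ROWS):
        print(f"wp_options[{name}] {how}: {evidence[:60]}")
    for how, evidence in scan_text(SAMPLE_PHP):
        print(f"wp-hloper.php (constructed) {how}: {evidence[:60]}")
```

    The printable-ratio gate is what keeps legitimate base64 (cached images, transient blobs) out of the hit list, and the token check is what separates a stored code payload from an ordinary long string; a hit on a row in wp_options gives you the option_name to delete, which is the entry the thread was looking for.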

  • The topic ‘Pharma Hack’ is closed to new replies.