• mniggemann

    (@mniggemann)


    Hey there,
    we’re having a massive problem with a pharma hack on our site, see link above, there’s tons of spam URLs.

    What we know about the mechanics:
    It’s difficult. I would expect the Google-indexed pages to show manipulated content, at least when accessing them with a Google bot user agent. However, they don’t contain any visible hacked content, nothing visible in source code as well.
    However, when there are cached versions of pages available at Google, they will be referred to pages at lloydspharmacy com.
    All links follow the same syntax, /?work=spammyStuff

    There are several descriptions available online of WordPress pharmacy hacks, so we searched the code for typical patterns, for eval(* and base64*, for atypical filenames in plugin folders (.cache.php, ext-*.php), for patterns in the Basel theme (inserting wp-page.php) and in the database (class_generic_support, widget_generic_support, wp_check_hash, rss_*). No matches.

    We also asked our provider for a scan and used the Sucuri plugin. No matches.

    I’m at a loss here. Any ideas?


Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter mniggemann

    (@mniggemann)

    Hi Steve, thanks, but as it may (or may not) be obvious from my post, I already followed the standard process of identifying and cleaning up a hack. Though, in this particular case, to no avail.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Did you remove and replace *all of the files* in the site’s root, wp-admin, and wp-includes? And delete and replace all of the plugins and your theme?

    If you’re still getting the redirects after that, then there may be stuff in your database.

    Thread Starter mniggemann

    (@mniggemann)

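    One thing I did today to give us time to find the malware code in the database was to disallow the /?work=* URLs in .htaccess, like this:

    # Match any request whose query string starts with work= and
    # redirect it (301) to the same path with the query string stripped.
    RewriteCond %{QUERY_STRING} ^work=(.*)$
    RewriteRule ^(.*)$ /$1? [R=301,L]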

    All spam URLs now redirect to root.
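
An added example (not part of the thread and not any poster's code): a Python check for the database side that the last two replies point to, scanning `wp_options` rows for the option names and code patterns listed in the opening post. The row format (as returned by `SELECT option_name, option_value FROM wp_options`, assuming the default table prefix), the constructed sample rows, the 200-character blob heuristic and the `rss_use_excerpt` allowlist entry are assumptions of this example.

```python
import re

# Option names the opening post lists as known pharma-hack markers.
KNOWN_BAD_NAMES = {"class_generic_support", "widget_generic_support", "wp_check_hash"}
# Core WordPress option that legitimately starts with rss_ (assumed allowlist).
CORE_RSS_OPTIONS = {"rss_use_excerpt"}
# The eval( / base64 strings the post searched for, plus an added heuristic
# for long unbroken base64-looking runs stored in an option value.
VALUE_PATTERNS = {
    "eval call": re.compile(r"\beval\s*\(", re.I),
    "base64 reference": re.compile(r"base64", re.I),
    "long encoded blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def suspicious_options(rows):
    """rows: iterable of (option_name, option_value); returns [(name, [reasons])]."""
    findings = []
    for name, value in rows:
        reasons = []
        if name in KNOWN_BAD_NAMES:
            reasons.append("known marker name")
        elif name.startswith("rss_") and name not in CORE_RSS_OPTIONS:
            reasons.append("unexpected rss_* option")
        # DB drivers may hand back bytes or NULL; normalise to text first.
        text = value.decode("utf-8", "replace") if isinstance(value, bytes) else str(value or "")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(text):
                reasons.append(label)
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample rows, not taken from the affected site.
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    ("rss_use_excerpt", "0"),
    ("rss_0123456789abcdef", "A" * 240),
    ("wp_check_hash", "x"),
    ("widget_text", "<?php eval(base64_decode($x)); ?>"),
    ("active_plugins", "a:0:{}"),
]

if __name__ == "__main__":
    for name, reasons in suspicious_options(SAMPLE_ROWS):
        print(f"{name}: {', '.join(reasons)}")
```

Hits are candidates for manual review of the row, not proof of infection.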

  • The topic ‘Pharma hack / black hat SEO’ is closed to new replies.