Pharma Hack WordPress and Drupal: How to Fix Google Viagra Hack and Spam Results

Updated on: September 3, 2020

WordPress and Drupal are two of the most popular CMSs used to create websites. However, their popularity has made them targets for hackers and SEO spammers. Hackers continuously try to manipulate search indexes so that undeserving content appears in prominent search positions. This Black Hat SEO technique is also dubbed the ‘WordPress Pharma hack’ or ‘SEO spam’.

Why do they do this? The answer is simple. Online searches are a major source of valuable referrals, and SEO hacks are the easiest way to get them without putting in the necessary work. They secure hackers a legitimate-looking place in the SERP. One such attack, the “Pharma Hack” or “Pharma SEO Spam”, has recently come to light and was found to be one of the most common Black Hat SEO techniques.

This attack redirects visitors of hacked Drupal or WordPress websites to pages that display advertisements selling Viagra and Cialis. Sometimes the spam promotes other sorts of pharma products too. However, Viagra and Cialis are the most common.

In one of the recent WordPress Pharma hacks, we even see a sophisticated version of the hack. In this version, the hackers tailored the Google search results with your website’s name in the title. This makes people believe that your website is indeed about pharma products.

An example of the sophisticated version of the Pharma attack in use

How to Find a Drupal or WordPress Pharma Hacked Website

SEO spam is difficult to detect because it is not visible to the webmasters. Spammers do everything to hide their work, following practices known as ‘cloaking.’ However, there are ways you can check whether your website is infected or not. Read on to find out how you can find the Drupal or WordPress pharma hack:

Check with Google Search

A list of affected websites can be displayed by a Google search with keywords like viagra wp-page. However, because of Google’s webmaster policies, the affected websites are not visible on the first page, so you’ll have to scroll to page 3 or 4. If your website appears in the search, it means that you are a victim of the Drupal or WordPress Pharma Hack or other Black Hat SEO spam.

This list not only includes infected websites but also displays fake pages. Clicking on such pages might redirect you to other pages or load the content on the same page as a result of infection.

To check which pages of your website are infected with viagra SEO spam, add the keyword ‘viagra’ to your domain name in a Google search, i.e. viagra mydomain.com. Sometimes only a few pages on your website are infected, and those are not visible to you. This search will bring out those infected pages. If they redirect to websites selling Viagra and Cialis, you are infected with SEO spam. Sometimes, rather than redirecting, the spam content is loaded on the same page as a result of the infection.

Pharma Hack: Google search for ‘viagra’ and ‘wp-page’

Check results as Google Bot

As stated, these spam pages are not visible to webmasters, but certain user agents, like Googlebot, can see them. To view what Googlebot sees, you can use a browser User-Agent Switcher. You can install one for Chrome or Firefox.

  1. Install your favourite User-Agent Switcher add-on
  2. Navigate to the infected webpage
  3. Edit the User-Agent string to any of the ones given below:
    a) Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    b) Googlebot/2.1 (+http://www.google.com/bot.html)
  4. Right-click on the page and view the page source. This will enable you to see the redirect.

Note: Keeping the User-Agent Switcher active for long could get you blocked or blacklisted from websites that maintain proper security because you will appear as Googlebot to them.
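
The same comparison can be scripted instead of done with a browser add-on. This added example (not part of the original article) fetches a page once with a browser User-Agent and once with the Googlebot string from step 3, then compares the two bodies for spam keywords and extra outbound link hosts. The function names, the browser User-Agent string and the keyword list are assumptions.

```shell
#!/bin/sh
# Added example: compare what a browser and Googlebot are served for one URL.
GOOGLEBOT_UA='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
BROWSER_UA='Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0'  # assumed
KEYWORDS='viagra|cialis'   # the two products the article names

# Count the lines of a saved response body that mention a spam keyword.
spam_lines() {
    n=$(grep -Eic "$KEYWORDS" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Print the hosts of absolute links in a saved body, lower-cased, sorted, unique.
link_hosts() {
    grep -Eio "href=[\"']?https?://[^/\"' >]+" "$1" |
        sed -E 's|^.*://||' | tr 'A-Z' 'a-z' | sort -u
}

# $1 = body fetched as a browser, $2 = body fetched as Googlebot.
# Prints CLOAKED when the bot copy has more spam lines or link hosts the
# browser copy lacks, otherwise SAME.
compare_bodies() {
    b=$(spam_lines "$1"); g=$(spam_lines "$2")
    link_hosts "$1" > "$1.hosts"; link_hosts "$2" > "$2.hosts"
    extra=$(comm -13 "$1.hosts" "$2.hosts" | paste -sd ',' -)
    rm -f "$1.hosts" "$2.hosts"
    if [ "$g" -gt "$b" ] || [ -n "$extra" ]; then
        echo "CLOAKED bot_spam_lines=$g browser_spam_lines=$b bot_only_hosts=$extra"
    else
        echo "SAME"
    fi
}

# Fetch the URL with both User-Agents and compare the saved bodies.
check_url() {
    tmp=$(mktemp -d) || return 1
    curl -sL -A "$BROWSER_UA" -o "$tmp/browser.html" "$1"
    curl -sL -A "$GOOGLEBOT_UA" -o "$tmp/bot.html" "$1"
    compare_bodies "$tmp/browser.html" "$tmp/bot.html"
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then check_url "$1"; fi
```

Cloaking that keys on the crawler's IP address rather than its User-Agent will print SAME here, so a clean result from this check alone does not prove the page is clean.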

Anatomy of the Drupal and WordPress Pharma Hack

Occurrence

To conduct a Drupal or WordPress pharma hack, the attacker first exploits a known vulnerability or uses a zero-day exploit. Here is an exhaustive list of things that can go wrong in such a case. To simplify, a few of the most common ones are:

  1. SQL injections or XSS occur because of faulty coding standards. It’s a good idea to keep a tab on these two.
  2. Weak account or FTP passwords are the second major cause. Recently, the GitHub repository of Linux Gen, too, was hacked as a result of weak credentials.
  3. Most of the time, content listing and error display are enabled. As a result, crucial files are openly readable on the net.
  4. Using unpatched or outdated plugins is one of the major causes of WordPress and Drupal hacks. Stay updated!

Persistence

Drupal or WordPress pharma hacks work by altering the contents of the root directory. Most spam attacks happen through the /misc and /includes folders. Spammers gain persistence (prolonged access) by known methods like:

  • Modifying files like index.php, wp-page.php, nav.php etc.
  • Adding new pages like leftpanelsin.php, cache.php etc.
  • Editing xmlrpc.php to avoid detection by webmasters.
  • Using base64 encoding to obfuscate code.
  • Hiding the spam files inside the /images folder. Web crawlers don’t expect to see such files here, so this evades detection.
  • Putting a dot in front of the file name, i.e. renaming the page to .somefile so that it becomes hidden.
  • Cloaking: Differentiating between visitors and web crawlers based on the user-agent. As a result, the content seen by Googlebot is different from the content seen by a Mozilla user.
  • Using cron jobs to reinfect.

Results

  • Your website loses hard-earned reputation as a result of displaying Viagra and Cialis Ads.
  • You could get blacklisted by Google, which makes regaining reputation difficult.
  • Your users don’t trust your website.
  • Your search rankings take a hit and go down.
  • The clicks that you’ve worked hard to get begin going to other websites.

How to Fix the Drupal and WordPress Pharma hack

The Drupal and WordPress Pharma Hack is hidden. So, looking for infected files and removing them is going to be somewhat of a long, tedious task. Here’s what you should do to remove the hack:

Take a backup

Creating a complete backup of your website is a recommended practice. It might come in handy if anything goes wrong with the cleanup process. So, always make sure to have a backup strategy ready. The backup should essentially include the core files, the database, and plugin and themes files.

Scan your website for malware

Use online malware scanning tools like VirusTotal to flag the infection. You can also try Astra’s Malware Scanner for more accurate scanning. It flags all the malicious files and code in your website in minutes and helps speed up the malware removal process.

Remove any infected files

Connect to your hosting server through FTP. You can also use a file manager. Then, navigate to the /wp-content/ folder and look for any hacked files in plugins.

The hacked files will have words like .class, .cache, .old in their names to camouflage themselves as plugin files. A dot (.) in front of the file name keeps them hidden unless the “show hidden files” option is selected. Remove any such files.
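
The naming tricks described above (a leading dot, or .class, .cache, .old in the name) and the PHP-inside-/images trick from the persistence list can be listed in one pass over a directory tree. This is an added example, not part of the original article; the function names and reason labels are assumptions, and it only lists candidates for manual review.

```shell
#!/bin/sh
# Added example: list files that match the camouflage patterns, for manual review.
# Output lines are "<reason><TAB><path>"; nothing is modified or deleted.

# Prefix every path read from stdin with a reason label.
label() { awk -v r="$1" '{ print r "\t" $0 }'; }

list_suspects() {
    root=$1
    {
        # Hidden (dot-prefixed) files; .htaccess is expected and is checked separately.
        find "$root" -type f -name '.*' ! -name '.htaccess' | label hidden
        # Names carrying .class, .cache or .old, as described in the article.
        find "$root" -type f \( -name '*.class*' -o -name '*.cache*' -o -name '*.old*' \) |
            label camouflage-name
        # PHP code inside an images folder, where only media files belong.
        find "$root" -type f -path '*/images/*' -name '*.php' | label php-in-images
    } | sort
}

if [ "$#" -gt 0 ]; then list_suspects "$1"; fi
```

Legitimate plugins sometimes ship files with similar names, so compare each hit against a clean copy of the plugin before removing it.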

Clear the temp directory

The /wp-content/temp/ directory can appear as a result of the infection. Go to /wp-content/temp/ and clear its contents. Hackers utilize the temp folder and TMP files to avoid any kind of corruption during the installation of malware.

Check the .htaccess file

The .htaccess file is a server configuration file. It defines the way server requests are processed. Hackers also utilize the power of the file to create backdoors into your website. Look out for code like this:

RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
# checks for Google, Yahoo, msn, aol and bing crawlers
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
# redirects to a hack file
RewriteRule ^(.*)$ somehackfile.php?$1 [L]

You can also regenerate the .htaccess file.

  1. Go to your WordPress dashboard.
  2. Click Settings, then select Permalink.
  3. Click Save!
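
Before regenerating the file, it helps to know which rules were planted. The following added example (not part of the original article) scans one or more .htaccess files for the pattern shown in the sample: a RewriteRule whose preceding RewriteCond lines test the User-Agent or Referer against search-engine names. The function name is an assumption, and the engine list is taken from the sample.

```shell
#!/bin/sh
# Added example: flag RewriteRule lines gated on a search-engine User-Agent or Referer.
ENGINES='google|yahoo|msn|aol|bing'   # the names used in the sample above

# Prints "<file>:<line>: <RewriteRule line>" for every rule whose preceding
# RewriteCond block tests HTTP_USER_AGENT or HTTP_REFERER against an engine name.
scan_htaccess() {
    awk -v engines="$ENGINES" '
        # Trim leading whitespace; directive names are case-insensitive.
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        # Comments and blank lines do not end a condition block.
        low ~ /^#/ || low == "" { next }
        low ~ /^rewritecond[ \t]/ {
            if (low ~ /%[{]http_(user_agent|referer)[}]/ && low ~ engines) gated = 1
            next
        }
        low ~ /^rewriterule[ \t]/ {
            if (gated) printf "%s:%d: %s\n", FILENAME, FNR, line
            gated = 0      # conditions apply only to the next RewriteRule
            next
        }
    ' "$@"
}

if [ "$#" -gt 0 ]; then scan_htaccess "$@"; fi
```

A stock WordPress .htaccess produces no output; any line printed names the script the crawler traffic is being sent to, which is the next file to inspect.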

Remove malicious code from the database

It is highly recommended that you create a backup before making any changes to the database. If you haven’t done it before, you should really do it now, as this step could be sensitive.

For this step, you could buy professional malware removal services or try to clean your database on your own.

  1. Go to phpMyAdmin
  2. Select the database
  3. Click on wp_options table
  4. Search for the malicious entries using the Search tab

Some malicious entries you should search for are:

  • wp_check_hash
  • class_generic_support
  • widget_generic_support
  • ftp_credentials
  • fwp

Note: Be very careful not to delete important information from the wp_options table, as it could cause your website to malfunction and crash.

Note: If you are not so well-versed with tech, it is better to consult experts for malware removal. You may not want to mess up your website by removing files you’re not sure about.

Look for and remove suspicious code

Suspicious-looking code is often one of the major causes of websites getting hacked. The sample code would probably look something like this:

<ul id="menu">
<li><a href="attackerdomain.com">Something1</a></li>
</ul>

This kind of code redirects your website to an attacker-controlled domain. So it’s a good idea to check for any domains that are not familiar. This is one of the major causes of Drupal and WordPress pharma hacks.

Often the attackers hide their code in base64 to avoid detection. For example, attackerdomain.com would look something like “YXR0YWNrZXJkb21haW4uY29t”, making it hard to detect. In order to search for base64 encodings in files, the grep command is helpful:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> b64-detections.txt

This command searches the .php files under the current directory for base64 encodings and stores the result in a file named b64-detections.txt. Finally, you can use an online resource to decode these and see what was going on behind the scenes.
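
The decoding step can also be done locally, without pasting strings from your site into an online tool. This added example (not part of the original article) pulls quoted base64-looking string literals out of PHP files and prints the ones that decode to readable text, such as the encoded domain above. The function names and the 16-character minimum length are assumptions.

```shell
#!/bin/sh
# Added example: decode base64 string literals found in PHP files, offline.
MINLEN=16   # assumed threshold: shorter runs are mostly ordinary identifiers

# Print "<file>: <encoded> => <decoded>" for each quoted base64-looking
# literal that decodes to printable text only.
decode_b64_literals() {
    for f in "$@"; do
        grep -Eo "[\"'][A-Za-z0-9+/]{$MINLEN,}={0,2}[\"']" "$f" 2>/dev/null |
        tr -d "\"'" | sort -u |
        while IFS= read -r enc; do
            # Size of the decoded data versus its printable part.
            raw_len=$(printf '%s' "$enc" | base64 -d 2>/dev/null | wc -c)
            dec=$(printf '%s' "$enc" | base64 -d 2>/dev/null | LC_ALL=C tr -cd '[:print:]')
            # Keep only literals whose decoded bytes are all printable.
            if [ -n "$dec" ] && [ "${#dec}" -eq "$raw_len" ]; then
                printf '%s: %s => %s\n' "$f" "$enc" "$dec"
            fi
        done
    done
    return 0
}

# Run the decoder over every .php file below a directory.
scan_tree() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        decode_b64_literals "$f"
    done
}

if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

Payloads that are compressed or encoded in several layers decode to binary data and are skipped here, so files flagged by the grep above still need a manual look.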

Scan for content differences

You can use online plugins to scan for file changes. An example of such a scanner is Exploit Scanner. It scans all core files and 3rd party files present in WordPress’ official repository for suspicious and unusual file names or entries.

After figuring out which files are hacked, you could either delete infected code or restore the plugin files. It is important to thoroughly clean the code – any malicious code left behind could reinfect your website.

How to Prevent the Drupal and WordPress Pharma Hack

  • Use strong passwords, because the breach may be due to default configurations.
  • Implement some sort of security solution.
  • Limit folder permissions to avoid unwanted access.
  • Disable any suspicious plugins.
  • If your core, plugin, or theme version is outdated, update!
  • Opt for regular Security Audits for your website.

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.