WordPress and Drupal are probably the most popular CMSs used to create websites. However, their popularity has made them juicy targets for hackers and SEO spammers. Hackers continuously try to manipulate search indexes to push undeserving content into prominent search positions. This Black Hat SEO technique is also dubbed the ‘WordPress Pharma hack’ or ‘SEO Spam’.

Why do they do this? The answer is simple. Online search is a major source of valuable referrals, and SEO hacks are the easiest way to capture it without putting in the necessary work: they secure hackers a legitimate-looking place in the SERP. A recent case of the “Pharma Hack” or “Pharma SEO Spam” has come to light.

This attack redirects WordPress or Drupal websites to pages that display advertisements selling Viagra and Cialis. Sometimes other sorts of pharma products are pushed too, but Viagra and Cialis are the most common.

[Image: WordPress Viagra pharma hack]

Viagra website hack: Is my website infected with the Viagra Hack?

SEO spam is difficult to detect because it is not visible to users or webmasters. Spammers do everything they can to hide their work; this technique is known as ‘cloaking’. However, there are ways to check whether your website is infected. I have listed some of them here:

Check with Google Search

A list of affected websites can be displayed by a Google search for the keywords viagra wp-page. But, because of Google’s webmaster policies, the affected websites are not visible on the first page, so you will have to scroll to page 3 or 4. If your website appears in the results, you are a victim of the Pharma SEO Spam.

This list not only includes infected websites but also displays fake pages. Clicking on such pages might redirect you to other pages or load the spam content on the same page as a result of the infection.

To check which pages of your website are infected with the viagra SEO spam, search Google for the keyword ‘viagra’ together with your domain name, i.e. viagra mydomain.com. Sometimes only a few pages on your website are infected, and those are not visible to you; this search will bring out those infected pages. If they redirect to websites selling Viagra and Cialis, you are infected with SEO spam. Sometimes, rather than redirecting, the content is loaded on the same page as a result of the infection.

[Image: Pharma Hack: Google search for ‘viagra’ and ‘wp-page’]

Check results as Google Bot

As stated, these spam pages are not visible to normal visitors, but certain user agents, like Googlebot, can see them. To view what Googlebot sees, use a browser User-Agent Switcher extension; one is available for both Chrome and Firefox.

  1. Install your favorite User-Agent Switcher add-on
  2. Navigate to the infected webpage
  3. Edit the User-Agent string to any of the ones given below:
    a) Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    b) Googlebot/2.1 (+http://www.google.com/bot.html)
  4. Right-click on the page and view the page source. This will enable you to see the redirect.

Note: Keeping the User-Agent Switcher active for long could get you blocked or blacklisted from websites that maintain proper security because you will appear as Googlebot to them.
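The same comparison can be automated instead of done by hand in a browser. The script below is an added example written for this article, not part of the original post: it fetches a page once with a normal browser user agent and once with the Googlebot string listed above, then reports links and pharma terms that only the crawler-facing response contains. The user-agent strings, the PHARMA_TERMS list and the sample HTML are assumptions constructed for the example.

```python
import urllib.request
from html.parser import HTMLParser

# Assumed user-agent strings; the Googlebot one is the first string listed above.
NORMAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
PHARMA_TERMS = ("viagra", "cialis", "levitra", "pharmacy")

class LinkCollector(HTMLParser):
    """Collects every href target and all text content from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links, self.text = set(), []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value.strip())
    def handle_data(self, data):
        self.text.append(data)

def summarize(html):
    parser = LinkCollector()
    parser.feed(html)
    text = " ".join(parser.text).lower()
    return {"links": parser.links, "terms": {t for t in PHARMA_TERMS if t in text}}

def compare_responses(normal_html, bot_html):
    """Report links and pharma terms present only in the crawler-facing response."""
    normal, bot = summarize(normal_html), summarize(bot_html)
    bot_only_links = sorted(bot["links"] - normal["links"])
    bot_only_terms = sorted(bot["terms"] - normal["terms"])
    return {"cloaked": bool(bot_only_links or bot_only_terms),
            "bot_only_links": bot_only_links, "bot_only_terms": bot_only_terms}

def fetch(url, user_agent):
    """Fetch url with the given User-Agent; redirects are followed, so a cloaked 302 shows up in the body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    """Fetch the page as a browser and as Googlebot, then compare the two."""
    return compare_responses(fetch(url, NORMAL_UA), fetch(url, GOOGLEBOT_UA))

# Constructed sample responses: only the crawler gets the injected menu.
NORMAL_HTML = "<html><body><p>Welcome</p><a href='/about'>About</a></body></html>"
BOT_HTML = NORMAL_HTML.replace("</body>",
    "<ul id='menu'><li><a href='http://attackerdomain.com/'>Buy Viagra</a></li></ul></body>")
```

Call check_url("https://your-site.example/page") against your own site; a result with cloaked set to True lists the links and terms that only Googlebot is served.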

Drupal Pharma Hack: Anatomy of a Drupal Spam Result

Occurrence

The attacker first exploits a known vulnerability or a zero-day. The list of things that can go wrong here is long, so to simplify, the most common causes are:

  1. SQL injection or XSS, which occur because of poor coding standards. You probably want to keep tabs on these two.
  2. Weak account or FTP passwords are the second major cause. Recently, the GitHub repository of Linux Gen was also hacked as a result of weak credentials.
  3. Directory listing and error display are often left enabled, as a result of which crucial files are openly readable on the internet.
  4. Unpatched or outdated plugins are one of the major causes of WordPress and Drupal hacks, so keep them updated.

Persistence

The Drupal pharma hack works by altering the contents of the root directory. Most spam attacks go through the /misc and /includes folders. Spammers gain persistence (prolonged access) by known methods like:

  • Modifying files like index.php, wp-page.php, nav.php, etc.
  • Adding new pages like leftpanelsin.php, cache.php, etc.
  • Editing xmlrpc.php to avoid detection by webmasters.
  • Using base64 encoding to obfuscate code.
  • Hiding the spam files inside the /images folder, where web crawlers don’t expect to see scripts, so they evade detection.
  • Prefixing the file name with a dot (renaming a page to .somefile, for example) so that it is hidden by default.
  • Cloaking: serving different content depending on the user agent, so that what Googlebot sees is different from what a regular browser user sees.
  • Using cron jobs to reinfect.

Result

  • Website loses reputation as a result of displaying Viagra and Cialis Ads.
  • Blacklisted by Google.
  • Untrusted by users.
  • Search rankings go down.
  • Generates clicks for other websites.


What to do in case of a Drupal & WordPress Pharma hack?

Pharma Hack is hidden and so looking for infected files and removing them is going to be a long, tedious task. Here’s what you should do to remove the hack.

Restore Backup

Creating a complete backup of your website is a recommended practice; it comes in handy if anything goes wrong during the cleanup process, so always have a backup strategy ready. The backup should include the core files, the database, and the plugin and theme files.

Scan website for Malware

Use online malware scanning tools like VirusTotal to flag the infection. You can also try Astra’s Malware Scanner for more accurate scanning; it flags all the malicious files and code on your website within minutes, which speeds up the malware removal process.

Remove Infected Files

  1. Connect to your hosting server through FTP, or use your host’s file manager.
  2. Navigate to the /wp-content/ folder.
  3. Look for hacked files in plugins. Such files have words like .class, .cache or .old in the middle of the name to camouflage themselves as plugin files. A dot (.) in front of the file name hides it unless the “show hidden files” option is selected.
  4. Remove such files.

Clear the temp directory

The /wp-content/temp/ directory can appear as a result of the infection. Go to /wp-content/temp/ and clear its contents. Hackers use the temp folder and TMP files to avoid any corruption during the installation of the malware.

Check the .htaccess file

The .htaccess file is a server configuration file; it defines how server requests are processed. Hackers also use the power of this file to create backdoors into your website. Look out for rules like these:

RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
# matches the Google, Yahoo, MSN, AOL and Bing crawlers by user agent or referrer
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
# rewrites every crawler request to the hack file
RewriteRule ^(.*)$ somehackfile.php?$1 [L]
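Rules like the ones above can be picked out of a long .htaccess automatically. The checker below is an added example written for this article, not part of the original post or any Astra tool: it walks the file, remembers the RewriteCond lines that precede each RewriteRule, and reports rules whose conditions key on a crawler user agent or referrer. The crawler name list in CRAWLER_RE is an assumption; legitimate bot-blocking rules that actually rewrite somewhere will also be reported and need manual review.

```python
import re

# Names that identify search-engine crawlers inside a cloaking condition (assumed list).
CRAWLER_RE = re.compile(r"google|yahoo|msn|aol|bing|slurp|bot|crawl", re.I)
CLIENT_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")

def find_cloaking_rewrites(htaccess_text):
    """Return RewriteRules that are gated on a crawler user-agent or referrer.

    In mod_rewrite a RewriteCond applies only to the next RewriteRule, so the
    conditions are collected until a rule is seen and then discarded.
    """
    findings = []
    pending = []  # (line number, test variable, pattern) of RewriteConds seen so far
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1].upper(), parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            gated = [ln for ln, var, pattern in pending
                     if var in CLIENT_VARS and CRAWLER_RE.search(pattern)]
            # A substitution of "-" rewrites nothing (e.g. a legitimate bot-blocking
            # [F] rule), so only rules that route the request elsewhere are reported.
            if gated and parts[2] != "-":
                findings.append({"line": lineno, "target": parts[2], "conditions": gated})
            pending = []
    return findings

# The rules quoted above, as constructed sample input.
SAMPLE_HTACCESS = "\n".join([
    "RewriteEngine On",
    "RewriteCond %{ENV:REDIRECT_STATUS} 200",
    "RewriteRule ^ - [L]",
    "RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]",
    "RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)",
    "RewriteRule ^(.*)$ somehackfile.php?$1 [L]",
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for finding in find_cloaking_rewrites(text):
        print(finding)  # e.g. {'line': 6, 'target': 'somehackfile.php?$1', 'conditions': [4, 5]}
```

The standard WordPress permalink rules (RewriteCond %{REQUEST_FILENAME} !-f followed by RewriteRule . /index.php [L]) test the request path, not the client, so they are not reported.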

You can also regenerate the .htaccess file.

  1. Go to the WordPress dashboard
  2. Click Settings
  3. Select Permalinks
  4. Click Save Changes

Remove malicious code from the database

It is recommended that you create a backup before making any changes to the database. You can buy professional malware removal services or try to clean the database on your own.

  1. Go to phpMyAdmin
  2. Select the database
  3. Click on wp_options table
  4. Search for the malicious entries using the Search tab

The malicious entries you should search for are:

  • wp_check_hash
  • class_generic_support
  • widget_generic_support
  • ftp_credentials
  • fwp

Note: Be very careful not to delete important information from the wp_options table. It could cause your website to malfunction and crash.

Note: If you are not well versed in tech, it is better to consult experts for malware removal. You do not want to break your website by removing files you’re not sure about.

Search and Remove Fishy Codes

The sample code would probably look something like this:

<ul id="menu">
<li><a href="attackerdomain.com">Something1</a></li>
</ul>

This kind of code redirects your website to an attacker-controlled domain, so check for any domains that are not familiar. Such an injected link is a hallmark of the WordPress pharma hack.

Often the attackers hide their code in base64 to avoid detection. For example, attackerdomain.com would appear as YXR0YWNrZXJkb21haW4uY29t, making it hard to spot. To search files for base64 strings, the grep command is helpful:

find . -name "*.php" -exec grep -Hn "base64" '{}' \; &> b64-detections.txt

This command searches every .php file under the current directory for the string base64 and stores the matching lines in the file b64-detections.txt. Finally, you can use an online resource to decode the strings and see what was going on behind the scenes.
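The grep above lists every line mentioning base64; the decoding step can also be done offline. The scanner below is an added example written for this article, not part of the original post or any Astra tool: it flags PHP decoder calls such as base64_decode and eval, tries to decode every long base64 run it finds, and reports only those that decode to printable text hiding a URL, domain or pharma term (here, the page’s own attackerdomain.com example). The regexes are assumed heuristics and the sample PHP is constructed; scan_tree also covers dot-prefixed hidden files, which Path.rglob matches.

```python
import base64
import re
from pathlib import Path

# Heuristics assumed for this example: long base64 runs, the PHP calls used to
# unpack obfuscated code, and markers that show a decoded string hides a link.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SUSPICIOUS_CALL = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)
DECODED_MARKERS = re.compile(
    r"https?://|<a\s|viagra|cialis|\b[a-z0-9-]+\.(?:com|net|org|ru|info)\b", re.I)

def decode_printable(token):
    """Decode a base64 token; return text only when the result is printable."""
    stripped = token.rstrip("=")
    try:
        raw = base64.b64decode(stripped + "=" * (-len(stripped) % 4), validate=True)
    except ValueError:  # binascii.Error (bad length/alphabet) is a ValueError
        return None
    text = raw.decode("utf-8", errors="replace")
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None

def scan_source(source, name="<input>"):
    """Findings for one PHP source: decoder calls and base64 that hides links."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for call in SUSPICIOUS_CALL.finditer(line):
            findings.append({"file": name, "line": lineno, "kind": "call", "value": call.group(1)})
        for run in B64_RUN.finditer(line):
            text = decode_printable(run.group(0))
            if text and DECODED_MARKERS.search(text):
                findings.append({"file": name, "line": lineno, "kind": "b64", "value": text})
    return findings

def scan_tree(root):
    """Scan every .php file under root; Path.rglob also matches dot-prefixed names."""
    results = []
    for path in Path(root).rglob("*.php"):
        results.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return results

# Constructed sample: a plugin file that smuggles a spam domain through base64.
SAMPLE_PHP = """<?php
$site = get_option('siteurl');
$host = base64_decode("YXR0YWNrZXJkb21haW4uY29t");
echo '<ul id="menu"><li><a href="http://' . $host . '/">Something1</a></li></ul>';
"""
```

Run scan_tree("/path/to/wp-content") and review each reported file by hand; a decoder call alone is not proof of infection, but one next to a decoded domain you do not recognise is.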

Scan for content differences

You can use plugins to scan for file changes. An example of such a scanner is Exploit Scanner. It scans all core files and third-party files from the official WordPress repository for suspicious and unusual file names or entries.
After figuring out which files are hacked, you can either delete the infected code or restore the plugin files. It is important to clean the code thoroughly, because any leftover hacked file could reinfect your website.

What can you do to prevent the Pharma SEO Hack

  • Use strong passwords, because the breach may be due to default configurations.
  • Implement some sort of security solution.
  • Restrict folder permissions to avoid the WordPress pharma hack.
  • Disable any suspicious plugins.
  • If your version is outdated: Patch! Patch! Patch!
  • Opt for regular security audits of your website.

About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem: web application firewall (WAF), malware detection & analysis, large-scale SaaS applications, APIs & more. He's actively involved in the cyber security community and has shared his knowledge at various forums & invited talks.
