Vigra & Cialis spam results

WordPress and Drupal are probably the most popular CMS used. Besides that, their popularity makes them good targets for SEO spammers. Multiple vulnerabilities in Drupal have been uncovered in the past few weeks. As a result  SEO spammers target websites on these platforms. This is a Black Hat SEO technique also dubbed as ‘WordPress Pharma hack or SEO Spam‘. This attack redirects WordPress or Drupal websites to pages that display advertisements selling viagra and cialis. In the words of Brian Krebs the author of the famous book Spam Nation

“Like many, I had thought that much of the pharmaceutical spam it was simply an issue of clueless end-users clicking on spam and getting scammed. This is where the second storyline comes in.”

WordPress Pharma Hack: How are websites infected with SEO Spam displayed by Google?

Most importantly this attack is difficult to detect because it is not visible directly while visiting a website. Seems like a list of affected websites can be displayed by a Google search with keywordsviagra wp-page. As a result of the webmaster policies of Google, the affected website won’t be displayed on the first page so scroll till page 3 to 4.

SEO pharma Drupal scam
Pharma Hack: Google search for ‘viagra’ and ‘wp-page

While these websites are infected with SEO spam some might be fake pages. As a result of clicking on them might redirect you to other pages. Sometimes rather than redirecting, the content is loaded on the same page as a result of infection.

Google show Pharma spam results for your website? Drop us a message on the chat widget and we’d be happy to help you fix it. Fix my website results now.

Drupal Pharma Hack: Anatomy of a Drupal Spam Results:

Occurrence

The attacker first exploits the website by a known vulnerability or zero-day exploit. Furthermore, there is an exhaustive list of things that can go wrong. Hence to simplify a few most common ones are:

  1. SQL injections or XSS occur because of faulty coding standards. You probably wanna keep a tab on these two.
  2. Weak account or FTP passwords are the second major cause. Recently Github repository of Linux Gentoo was hacked as a result of weak credentials.
  3. Most of the time content listing and error display is enabled. As a result of which crucial files are openly readable on the net.
  4. Unpatched or outdated plugins are one of the major causes of WordPress and Drupal hacks. So you probably wanna stay updated.

Persistence

Drupal pharma hack works by altering the contents of the root directory. Furthermore, persistence is gained by known methods like:

  • Modified files like index.php, wp-page.php, nav.php etc.
  • Adding new pages like leftpanelsin.php, cache.php etc.
  • Editing xmlrpc.php to avoid detection by webmasters.
  • Using base64 encoding to obfuscate code.
  • Hiding the spam files inside /images folder. Web crawlers don’t expect to see files here so it evades detection.
  • Appending dot before the file extension. Therefore, renaming the page as .somefile to get invisible.
  • Cloaking: Differentiating between web crawlers based on user agent. As a result, the content seen by Googlebot is different than content seen by Mozilla user.
  • Using cron jobs to reinfect.

Result

  • Website loses reputation as a result of displaying viagra and cialis Ads.
  • Blacklisted by Google.
  • Untrusted by users.
  • Search rankings go down.
  • Generates clicks for other websites.

What to do in case of  Pharma hack?

Check if your website is infected with viagra SEO spam. Add the keyword ‘viagra‘ before your domain name in google search i.e.viagra mydomain.comSometimes only a few pages not visible to you are infected. This search will bring out those pages. In case they redirect to viagra and cialis hack websites you are infected with SEO spam. Sometimes there can be an infection of other sorts of pharma products too. Besides, that viagra and cialis are the most common.

  • Restore the files from backup.
  • Keep your files up to date.
  • Disable any suspicious plugins.
  • Clear the temp directory /wp-contents/temp/ as a result of infection.
  • Use Google webmaster tools to analyze your website. Probably, look out for the sudden traffic spike.
  • Use plugins to scan your contents.
  • Use online tools to disinfect your website from pharma hack WordPress.
  • Besides that check out for fishy codes inside your files. In order to explain this, the sample code would probably look something like this:

<ul id="menu">

<li><a href="attackerdomain.com">Something1</a></li>

This kind of code that is the one redirecting your website to an attacker-controlled domain. So probably check for any domains other than your domain. This is one of the major causes of pharma hack WordPress.

Or often the attackers love to hide their code in base64 to avoid detection because the attackerdomain.com would look like:YXR0YWNrZXJkb21haW4uY29t making it hard to detect the attacker domain. Similarly, in order to search for base 64 encodings in files the grep command is helpful as following:

find . -name "*.php" -exec grep "base64"'{}'\; -print &> b64-detections.txt

This piece of code basically searches into the .php files of your choice for base64 encodings. Thereafter the result is stored in the file named b64-detections.txt. Finally, you can use an online resource to decode this and see what was going on behind the scenes.

What to do if you are infected with Pharma SEO Spam?

  • Use strong passwords because the breach may be due to default configurations.
  • Implement some sort of security solution.
  • Limit folder permission to avoid pharma hack WordPress.
  • If your version is outdated Patch ! Patch ! Patch!.

Above all, manually checking files and cleaning database is a tedious task.

Consult Astra security experts now for immediate malware clean up. Our powerful Firewall safeguards your website from XSS, LFI, RFI, SQL Injection, Bad bots, Automated Vulnerability Scanners and 80+ security threats. Secure my website now.

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.

1 Comment

  1. The Ultimate Drupal Security Practices and Malware Removal Guide - Astra Web Security - Reply

    […] site also loses its valuable customers. A similar case was seen when Drupal was infected with the Pharma hack recently, where SEO spammers used its vulnerabilities to redirect users to pages selling viagra and […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close