A client called us today saying Cialis had taken over his website. Well, not literally, but the keeping-it-up drug was suddenly getting prominent ad space in the header of his website, just below the search bar.
Our client didn’t wake up one morning and decide to start spreading the word about the cure for a sleepy willy. Some industrious hacker decided to weasel his way into the website for some easy traffic and free link juice.
When scum like this is hanging around, it's time to shuffle your priority list and head into cleanup mode. First, I checked the WordPress administrator account, which had a strong, complex password. The FTP account and MySQL database login were equally hacker-unfriendly. For good measure, we changed the passwords on all of these accounts anyway to rule them out as access points. Regardless of how stringent you feel your passwords are, it's not much of a cleanup if the spam magically pops up again tomorrow.
Since the link was showing up in the header, I naturally took a quick look at header.php and, as suspected, nothing was present where the offending link was rendering. Sometimes I hate being right, but hackers don't want these links to be found, much less disabled. They will tangle the code into the guts of your WordPress install to make it as hard as possible to remove. Next, I checked the uploads folder, which didn't have any sinful files loitering around. I also disabled all of the plugins, thinking one of them was vulnerable and channeling the link. Still, the link persisted. I ran Sucuri Scanner against the site and it got their shiny seal of approval: no spam exists. Umm... your confidence is inspiring, but my eyes tell me otherwise. (A remote malware scan only sees what the site serves to its crawler; it never sees the files on disk, so a clean result says nothing about backdoor files sitting idle in the install.)
In my quest for information on Google, I ran across people who had lost nine hours trying to pinpoint embedded pharmaceutical spam links like the ones I was fighting. I didn't have nine hours to spare. I consulted with the client and asked if he could stomach his website being offline for around thirty minutes. The alternative was to keep telling his customers about the super-low-cost options for curing the floppy jalopy. With confirmation firmly in hand, I downloaded all of the website files to my local drive and deleted them on the web host. Once I had a clean slate to work with, I installed a fresh copy of the latest build of WordPress and updated the database connection. Then I started uploading the theme from my backup. My FTP program immediately started catching file after infected file within the theme directory. These gutless wonders were hiding out in the epanel, css and images folders. There were ten infected files in all, listed below. Sanitizing these files made the theme useless, so I deleted all of them and loaded up a copy of the theme from an older backup.
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 content-archive.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/content-archive.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 ie6style_prevv1.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/css/ie6style_prevv1.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 entry-funcs.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/epanel/js/entry-funcs.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 et_search_icon_indesit.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/epanel/page_templates/images/et_search_icon_indesit.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 fancy_shadow_w_backup.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/epanel/page_templates/js/fancybox/images/fancy_shadow_w_backup.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 shortcodes_old.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/epanel/shortcodes/css/shortcodes_old.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 editor_plugin.dev_backup.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/epanel/shortcodes/js/editor_plugin.dev_backup.php
550-Virus Detected and Removed: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL
550 functions.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/functions.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 logo_old.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/images/green/logo_old.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 5040933834_75a7df1ebb_b_ver1.php: Operation not permitted
: /public_html/domainname/wp-content/themes/DelicateNews/sampledata/sample_images/5040933834_75a7df1ebb_b_ver1.php
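The pattern in that listing is worth turning into a check you can run yourself before trusting any scanner. The following is an added example, not tooling from the original post or from the host: a Python script that walks a WordPress tree and flags PHP files inside directories that should only hold static assets (css, js, images, sampledata), file names that mimic stale copies (_old, _backup, _ver1, _prevv1), contents that use the obfuscated dynamic-code constructs the detection name above hints at (create_function, eval, base64_decode, gzinflate, str_rot13), hidden containers wrapping a link, and, going beyond what the post covers, .htaccess files that tell Apache to execute PHP from a static directory. The sample tree, its file contents and the example.invalid link are constructed for the demonstration; only the paths mirror the listing.

```python
"""Heuristic scan of a WordPress tree for dropped and altered files.
Added example; the sample tree below is constructed, not taken from the post."""
import os
import re
import tempfile

# Directories that should only ever hold static assets, never PHP.
ASSET_DIRS = {"css", "js", "images", "img", "fonts", "sampledata", "sample_images", "smilies"}
# Suffixes the listing shows on the dropped files; they mimic stale copies.
STALE_SUFFIX = re.compile(r"_(old|backup|ver\d+|prevv\d+)\.php$", re.I)
# Obfuscated dynamic-code constructs (cf. the CreateFunc.BackDoorEval detection name).
OBFUSCATION = re.compile(rb"create_function|eval\s*\(|base64_decode|gzinflate|str_rot13", re.I)
# A hidden container wrapping a link is the classic injected SEO-spam shape.
HIDDEN_LINK = re.compile(rb"(display\s*:\s*none|visibility\s*:\s*hidden).{0,200}?<a\s", re.I | re.S)
# .htaccess directives that make Apache execute PHP from a static directory.
HTACCESS_HANDLER = re.compile(rb"^\s*(AddHandler|AddType|SetHandler)\b.*php", re.I | re.M)


def scan_tree(root):
    """Return sorted (relative_path, [reasons]) for every suspicious file under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        segments = set(os.path.relpath(dirpath, root).split(os.sep))
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if name == ".htaccess":
                if HTACCESS_HANDLER.search(data):
                    reasons.append("htaccess-enables-php")
            elif name.lower().endswith(".php"):
                if segments & ASSET_DIRS:
                    reasons.append("php-in-asset-dir")
                if STALE_SUFFIX.search(name):
                    reasons.append("stale-copy-name")
                if OBFUSCATION.search(data):
                    reasons.append("obfuscated-dynamic-code")
                if HIDDEN_LINK.search(data):
                    reasons.append("hidden-spam-link")
            if reasons:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(findings)


# Constructed sample tree: paths follow the post's listing, contents are stand-ins.
# The base64 string decodes to the harmless statement echo "hi";
SAMPLE_FILES = {
    "wp-content/themes/DelicateNews/header.php": b"<?php wp_head(); ?>\n",
    "wp-content/themes/DelicateNews/style.css": b"body { margin: 0; }\n",
    "wp-content/themes/DelicateNews/functions.php": (
        b"<?php\nadd_action('wp_head', function () {\n"
        b"  echo '<div style=\"display:none\"><a href=\"http://example.invalid/\">cialis 20 mg cost</a></div>';\n"
        b"});\n"),
    "wp-content/themes/DelicateNews/css/ie6style_prevv1.php":
        b"<?php $f = create_function('', base64_decode('ZWNobyAiaGkiOw==')); $f();\n",
    "wp-content/themes/DelicateNews/images/green/logo_old.php":
        b"<?php eval(str_rot13('rpub \"uv\";'));\n",
    "wp-content/plugins/limit-login-attempts/loadmeta.php":
        b"<?php @eval(gzinflate(base64_decode($x)));\n",
    "wp-content/plugins/wp-db-backup/wp-db-backup.php": b"<?php /* legitimate plugin code */\n",
    "wp-includes/images/smilies/.htaccess": b"AddType application/x-httpd-php .jpg\n",
}


def build_sample_tree():
    """Write the constructed sample files into a temporary directory and return it."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_tree(build_sample_tree()):
        print(f"{rel}: {', '.join(reasons)}")
```

Point the script at a downloaded copy of the site rather than the live host, so nothing is executed. Expect false positives on the content rule: some legitimate themes and plugins call base64_decode for inline data URIs, so treat "php-in-asset-dir" and "stale-copy-name" as the strong signals and read the flagged file before deleting it. Note also that the plugin file loadmeta.php is caught only by its contents, which is why a name-and-location check alone is not enough.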
The theme files weren't the only ones infected. When I started loading the plugins, similar virus messages kept popping up (also below). Simply put, this sucker is nasty. If you were doing this cleanup by hand, you would have hit that first file and thought to yourself, "hotdog, I've got this thing solved." Yet cleansing that single file would ultimately have made zero difference. Look at where the rest landed: PHP files planted in css, js, images and sampledata directories that should only ever hold static assets, named to look like stale copies (_old, _backup, _ver1) so they blend in. The whole install was fubar, which is why it was best to start with a fresh WordPress instance.
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL
550 loadmeta.php: Operation not permitted
: /public_html/domainname/wp-content/plugins/limit-login-attempts/loadmeta.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL
550 wrapwidget.php: Operation not permitted
: /public_html/domainname/wp-content/plugins/wp-db-backup/wrapwidget.php
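Because the fix here was to throw away the whole install and rebuild from a fresh WordPress plus a known-clean theme backup, the check that tells you how much was touched is a diff of the live tree against that clean copy. As an added example, not the author's own method, here is a Python script that hashes two directory trees and reports the files added, modified or missing. The two sample trees are constructed inline, with one altered functions.php and two dropped files mirroring the listings above; wp-config.php, the uploads directory and .htaccess are skipped because they legitimately differ between a clean copy and a live site.

```python
"""Compare a live WordPress tree against a known-clean copy (a fresh download of
the same WordPress, theme and plugin versions) and list what differs.
Added example; the sample trees below are constructed, not taken from the post."""
import hashlib
import os
import tempfile

# Paths expected to differ between a clean copy and a live site; not evidence on their own.
IGNORE_PREFIXES = ("wp-config.php", "wp-content/uploads/", ".htaccess")


def tree_hashes(root):
    """Map relative path -> SHA-256 of contents for every file under root."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith(IGNORE_PREFIXES):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            hashes[rel] = digest.hexdigest()
    return hashes


def compare_trees(clean_root, live_root):
    """Files added, altered or deleted on the live site relative to the clean copy."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in set(clean) & set(live) if clean[p] != live[p]),
        "missing": sorted(set(clean) - set(live)),
    }


# Constructed clean copy of the theme and one plugin.
CLEAN_TREE = {
    "wp-content/themes/DelicateNews/functions.php": b"<?php\nadd_theme_support('post-thumbnails');\n",
    "wp-content/themes/DelicateNews/header.php": b"<?php wp_head(); ?>\n",
    "wp-content/themes/DelicateNews/style.css": b"body { margin: 0; }\n",
    "wp-content/plugins/wp-db-backup/wp-db-backup.php": b"<?php /* plugin */\n",
}
# Constructed live tree: same files, one altered and two dropped in (paths from the listings).
LIVE_TREE = dict(CLEAN_TREE)
LIVE_TREE["wp-content/themes/DelicateNews/functions.php"] += b"add_action('wp_head', 'inject_links');\n"
LIVE_TREE["wp-content/themes/DelicateNews/css/ie6style_prevv1.php"] = b"<?php /* dropped file */\n"
LIVE_TREE["wp-content/plugins/wp-db-backup/wrapwidget.php"] = b"<?php /* dropped file */\n"
LIVE_TREE["wp-config.php"] = b"<?php define('DB_NAME', 'site');\n"  # expected to differ; ignored


def write_tree(files):
    """Write a path -> bytes mapping into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="wp-diff-")
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def build_sample_trees():
    """Return (clean_root, live_root) for the constructed sample."""
    return write_tree(CLEAN_TREE), write_tree(LIVE_TREE)


if __name__ == "__main__":
    clean, live = build_sample_trees()
    for kind, paths in compare_trees(clean, live).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Cleaning only functions.php would empty the "modified" list and leave both "added" entries in place, which is the point made above about stopping at the first file. For WordPress core and plugins from wordpress.org, WP-CLI's wp core verify-checksums and wp plugin verify-checksums make the same comparison against published hashes; for a commercial theme you need your own clean copy, which is what the older backup supplied here. Review .htaccess separately, since it is skipped by this diff but is a common place for an attacker to enable PHP execution in an asset directory.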
I know these viruses morph in the wild to stay a step ahead of security companies. There was little information available online about this particular viral creation. I found a WordPress forum post and a half dozen or so people on freelancer.com and Elance looking for a coder to help them clean up this headache on their websites. I think this wily wildebeest just popped up this month. I guess this hacker got a lump of coal in his stocking for Christmas and is now out to spread some morning glory.
Don't visit the following site, or the hackers win. Not to mention there is no telling what kind of rootkits or viruses that site might unleash on your computer. For documentation purposes, the link in question pointed to http://showbizoo.com and the exact spammed anchor text was "cialis 20 mg cost." Hackers, do you really need to trash people's websites to combat the national blackhawk-down epidemic?
If anyone else has encountered this strain of nastiness, please let me know in the comments below.
20 Comments on "Hack Cleanup: Pharma Link Spam Embedded in WordPress"
taidgh
January 18, 2015
Same here.
The surplus infected files are all created at random times (cannot search by most recent file).
.htaccess has been changed to allow CMD in /wp-includes/images/smilies/
There are multiple backdoors in similar folders.
Every theme has had functions changed.
I guessed that they got in through an insecure "revslider" plugin*.
Infected 3 WordPress websites on the same hosting account.
No links to spam site, no clue that the site had been hacked until the "Drinkers Curse" pages appeared in Majestic sitelinks.
It's a clever one; it hides from the owner to continue taking advantage.
I know how clever I am, but I'm not arrogant enough to assume that the spammer is in any way stupid.
I'm doing a backup of posts and pages (then searching the XML for anything dodgy).
Backup and scan of images.
Fresh WP installs.
CloudFlare, Wordfence and HidemyWP.
Change every password.
*Not in ANY way blaming the good people at Themepunch, as the owner didn't update WP or plugins.
Mark Runyon
January 19, 2015
Thanks for letting us know about your experience, Taidgh. We are still a little perplexed as to how they got in. There was no Revslider on the client site. WordPress and all the plugins were up to date. All passwords in question were computer-generated 20-character strings comprised of letters, digits and special characters. The web host said they weren't compromised, but who knows for certain. This was strange.
Bo
January 25, 2015
This same thing hit me. Every scan says no malware, but my link was for Viagra and pointed to a site for an air-conditioning company in Texas. It is so wacky, and I too have to delete everything and do a new WordPress install. My host was of no help; their support is dreadful. I think the problem is with them and not my site. Their support ticket showed infected files in themes that I deleted months ago, yet they claim they scanned my site today and found them. It's not possible. This whole thing is a nightmare. I too have secure passwords, and I do not have Revslider either.
Glen
January 29, 2015
Were the sites hosted on Netfirms by any chance?
I've had an account on Netfirms get hacked with this, but none of my other websites with different providers. I have also had a friend's website on Netfirms hacked with this same code; it looks like they have a security vulnerability to me.
I'd love to get your feedback. If it is a hosting issue, I want them to fix it.
Mark Runyon
February 2, 2015
Glen,
The site in question for me was on iPower. I haven't used Netfirms before, so it's hard to say.
Rebecca
April 6, 2015
My sites are on Netfirms. Not happy at all.
Daren
April 19, 2016
Yes, I have several hosts and this only happens to me on Netfirms. And I use iThemes Security right from the start of every site, update plugins etc. immediately. I was starting to suspect Netfirms.
stacy
January 30, 2015
This hit 67 of my sites on one account with iPage, 35 sites on another, and this is after having rebuilt 25 sites in late December due to the same infection. If we could figure out which plugins are causing this, maybe we could at least temporarily eradicate it. I can't tell you the lost hours and downtime that this has caused. I am now to the point where I just open a new account on iPage, FatCow, etc., put up a new WP build, add basic plugins and copy my old posts into place. Time-consuming, but the only way to get rid of it, I guess. By the way, all of the hosts I am working with could not have been any less helpful. I love how they just shut you down and don't notify you for 24+ hours. God willing, the infections will knock them out one day, too.
Mark Runyon
February 2, 2015
Ouch. That is a lot of sites to clean up. Stacy, you bring up an interesting point about vulnerable plugins. It would be interesting to see if there are any commonalities among the plugins that keep showing up on infected sites. For me, the plugins were pretty bare-bones on the compromised website:
Flare, Yoast SEO, Limit Login Attempts, Anti-Spam & WP DB Backup
Lew
February 25, 2015
I'd love to know what FTP program you're using that catches these files. FileZilla seems to ignore them. Does WinSCP provide anti-virus, or is there another choice of FTP client?
I too was hit by JCDEF.Obfus.CreateFunc.BackDoorEval - 20 sites. Major PITA. My clients are not happy at all about the time it is taking to restore their sites. iPage did not notify me at ALL; I just woke up one day and my account was suspended. They claim they sent me an email, but there was nothing from them, even in my spam and junk folders. They are pimping me to buy SiteLock and some $200 scan service. Not happy with iPage lately; it used to be a good company.
Mark Runyon
February 26, 2015
Sorry to hear it, Lew. I was using FireFTP, which is an add-on extension for Firefox. I'm not sure what kind of virus catcher they've got built in, but it did the job of catching those files.
Rebecca
April 6, 2015
Same thing here, Lew, but only 5 sites (2 I needed to keep).
Jack
February 28, 2015
Guess what?
It is the hosting companies (not all) that inject the infections into your website files, WordPress, Joomla etc.,
and then they will ask you to pay a monthly fee for each domain to secure your site...
Hosting companies have all sorts of tricks to play with you. They can disable your SQL databases and wait until you get in touch with them, and then they will offer you a deal for a better (more money) hosting account, or an upgrade to this, that and the other, to get more and more money off you. This happens all the time. Unfortunately we are stuck with them. Not sure which hosting company is the best out there at the moment, as they all play the same game.
DmitryK
July 22, 2015
I'm sorry for the mistakes; I do not know much English. I have today the same trouble with the host ipage.com. I think that they have done this to claim $9.99 per month for a subscription to their useless antivirus software.
Philip
August 17, 2015
I guessed as much and even went ahead and accused them, but they denied it flatly. All my WordPress sites with iPage got infected and the company has not been helpful at all. Once I get this sorted out, I'll move my sites away from them. Bluehost and SiteGround seem to be more reliable, especially Bluehost. Meanwhile, I'll be grateful if anyone would be willing to help me clean up the sites or provide easy-to-follow steps, together with how to prevent this subsequently. Thanks.
S.b
June 20, 2015
I have the same issue... this is not the work of any hackers... I wasted 2-3 days and am still dealing with the infected, fake garbage PHP files that were created, more than 434... it's iPage f..cking... this is their way of making money, offering and pushing SiteLock to clean it up for you, which costs almost 200 USD... no way someone might attack my websites, in all cases... just a cheap company making money by marketing... I will never recommend iPage to anybody... garbage service... dog-shit sellers...
Matt
July 9, 2015
iPage also screwed me on this one. I purchased SiteLock for the first year I had my site; after my SiteLock subscription was auto-renewed without my consent, I contacted them saying I no longer needed the service. One month later, boom, the site is "infected with malware", and their suggestion... SiteLock. Convenient. No way to prove it was them; brutal. DO NOT HOST WITH IPAGE!!
kn00tcn
July 18, 2015
I'm late to the party, but it looks like people are not noticing that it's THE SAME HOST, Endurance International Group! iPage, FatCow, iPower, Netfirms: these are ALL brands of the same company, with the exact same malware.
I have dealt with a few sites myself, same 5kb PHP files. No, the FTP client is not capable of scanning; it's the host that blocks the write.
I am curious whether plugins like Wordfence detect the files, since they don't look particularly useful by themselves (not all the sites I dealt with had an altered functions.php, which appears to be the only entry point; the random files are either useless by themselves, or bogus, or a test for a future attack).
At first I was thinking it was CF7 or Yoast SEO, but it really seems to be a host exploit, a WP exploit, or a scam from the company, since they are certainly not trustworthy if their whole business is buying out other brands.
GenInFrance
July 27, 2015
I am certain they are doing this to boost sales of SiteLock; it's scandalous. All my folders were 755 and files were 644. And my passwords are secure. And again, the dates are from 2011 and 2012. Only someone with access to the host server can actually make these kinds of updates.
Don't buy SiteLock!!! And just change to another hosting company that will simply charge a fair price for hosting the site rather than bugging you with bullshit and wasting your time, money and site reputation to sell you a tool you only need to protect you from YOUR OWN WEB HOST. Shameful!!! It's illegal, but how to prove it?
Lorence
December 14, 2015
I've just had the same issue with iPage... absolutely fkn over it... trying to figure out how to clean this mess up... apparently they tried contacting me... the sites have been down for 3 months and I've received NO contact (apparently they e-mailed me? Gmail search finds nothing)... granted, the sites aren't that active, but I need them up when I do decide to send our links to them.