Cleaning up an infected website – Part I: WordPress and the Pharma Hack

We get to deal with infected web sites on a daily basis and the most common question we get is how do we clean websites. What steps do we take? What should you do if you want to clean up your site if it gets infected?

This is part one of a small series of posts showing how to clean up sites. We will start with how to clean up “Pharma Hack” on a WordPress driven site due to the popularity. You can follow the series here: http://blog.sucuri.net/category/guides.

*Note that this post covers website clean up only (Mostly applicable to shared servers). If you have a dedicated server (or VPS), there are additional steps to secure it, not covered here.

**If the items contained in this post are more than you want to take on, we are here to help. Visit Sucuri or email us at support@sucuri.net

 

1- Detecting (discovering) that you are hacked

This is the most important step. Most people don’t realize they’ve been exploited, here are a couple things you can do to check your site:

Fire up Google and do a search for “site:yoursite.com”. Check to see if there are any strange titles or spammy results returned on your search. If you see Viagra, Cialis or any other flavor of medicine returned by Google on your search, you’re probably dealing with the Pharma Hack.

If you’re not sure after checking Google, use http://sitecheck.sucuri.net to run a scan. Type your domain name, and if it returns the Pharma Hack (or any other malware) you will see an alert:



 

2- Fixing Vulnerabilities

If you’re WordPress site is infected with the Pharma Hack, here are a few things you can do to fix some of the vulnerabilities:

1-Make sure your WordPress install is upgraded up to date. If not, update it ASAP. Even before you start cleaning up the malware.
2-Change your WordPress password (for all admin / editor accounts) and your FTP (or SSH) password.
3-Update all your plugins.

Check out our post on WordPress Security – Yet Another WordPress Security Post – Part One

 

3- Removing backdoors

This is the first step in the clean up process. These types of attacks often times include loading backdoor files on your server to allow access to attackers in the future. If you don’t remove the backdoors, the attackers will be able to reinfect your site pretty easily. These are the files to look for AND REMOVE:

wp-content/uploads/.*php (random PHP name file) – Any PHP file inside your uploads directory
wp-includes/images/smilies/icon_smile_old.php.xl
wp-includes/wp-db-class.php
wp-includes/images/wp-img.php

Also, search for the following characters in all your PHP files:

ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY
eval(base64_decode
$a = ‘m’.’d5′
$y = ‘base’.’6′

If any of these characters are found in one of your files, remove it.

 

4-Cleaning up the file system

After successfully creating a backdoor into your system, the attackers usually add a new plugin file that is called everytime WordPress is loaded. Here are some examples of the file names we see regularly:

akismet/wp-akismet.php
akismet/db-akismet.php
wp-pagenavi/db-pagenavi.php
wp-pagenavi/class-pagenavi.php
podpress/ext-podpress.php
tweetmeme/ext-tweetmeme.php
excerpt-editor/db-editor.php
akismet/.akismet.cache.php
akismet/.akismet.bak.php
tweetmeme/.tweetmem.old.php

The file names typically follow the above naming convention, but the plugin names used are random. We do not recommend you rely only on these samples for your search, and also try looking for any plugin file with the “wp_class_support” string on it.

$ grep -r “wp_class_support” ./wp-content/plugins
./wp-content/plugins/akismet/db-akismet.php:if(!defined(‘wp_class_support’)) {
./wp-content/plugins/akismet/db-akismet.php: define(‘wp_class_support’,true);

If you are infected, you will see things like the above output and you can safely delete them (full content of the file here):

 

5- Cleaning up the database

This is where the Pharma Hack actually loads the spam from. It uses a few entries inside the wp-options table, so connect to your database and run the following queries:

delete from wp_options where option_name = ‘class_generic_support’;
delete from wp_options where option_name = ‘widget_generic_support’;
delete from wp_options where option_name = ‘fwp’;
delete from wp_options where option_name = ‘wp_check_hash’;
delete from wp_options where option_name = ‘rss_7988287cd8f4f531c6b94fbdbc4e1caf’;
delete from wp_options where option_name = ‘rss_d77ee8bfba87fa91cd91469a5ba5abea’;
delete from wp_options where option_name = ‘rss_552afe0001e673901a9f2caebdd3141d’;

That should do it for database cleanup.

 

6- Verifying it all

After you are done with clean up, we suggest the following:

  1. Re-run the WordPress update tool (to overwrite all the files with a clean copy)
  2. Remove your cache files (if you’re caching your site)
  3. Go to your WordPress admin panel and remove any admin/editor users that aren’t supposed to be there, or that are no longer in use.
  4. Re-scan your site for malware. http://sitecheck.sucuri.net

You should be good to go at this point. If you have any question, let us know.

Check out our new plugin: http://sucuri.net/wordpress-security-monitoring

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.