UPDATE: This is an update post – the first one can be found at Pharma Hack Fix for WordPress.
It's been a fun few days as I have been “fighting” with a hacker/black hat SEO person trying to use my blog to sell Viagra. But my friend David and I were able to catch them with their hand in my WordPress cookie jar.
How did they do a Pharma Hack on WordPress?
Basically they compromised the server somehow – I have not figured out which method yet. But it appears they have, or had, FTP access. There were two files uploaded, auto.php and keyboard.php, and one item modified: wp-load.php.
Each day the hackers upload a new version of the file.
So, for the first 2 days I left the FTP the same…I just wanted to see how the hacker was gaining access. I didn’t figure it out – but I simply changed permissions and that didn’t help. Tonight I changed the FTP password – so we will see if that helps.
How to fix the Pharma Hack on WordPress
I’m not sure I know yet. The first thing I have done is add a 301 redirect from auto.php and keyboard.php to my latest post regarding this issue.
RewriteRule ^auto\.php http://tomaltman.com/more-information-on-pharma-hack-on-wordpress?da=1 [R=301,L]
RewriteRule ^keyboard\.php http://tomaltman.com/more-information-on-pharma-hack-on-wordpress?da=1 [R=301,L]
This will allow me to capitalize on the hack and not allow the hacker to steal all the traffic.
We will see how this comes out – I need to inspect the plugins – it seems like it is the obvious solution.
Thanks for reading.