featured post

More information on Pharma Hack on WordPress

UPDATE:  This is an update post – the first one can be found at Pharma Hack Fix for WordPress.

Its been a fun few days as I have been “fighting” with a hacker/black hat SEO person trying to use my blog to sell viagra.  But my friend David and I were able to catch the, with their hand in my wordpress cookie jar.

How did they do a Pharma Hack on WordPress

Basically they compromised the server somehow – I have not figured out which method yet. But it appears they have/or had FTP access.  There were two files uploaded:  auto.php, keyboard.php and one item modified: wp-load.php.

Each day the hackers upload a new version of the file.

So, for the first 2 days I left the FTP the same…I just wanted to see how the hacker was gaining access.  I didn’t figure it out – but I simply changed permissions and that didn’t help.   Tonight I changed the FTP password – so we will see if that helps.

How to fix the Pharma Hack on WordPress

I’m not sure I know yet.  The first thing I have done is add a 301 redirect from auto.php and keyboard.php to my latest post regarding this issue.

RewriteRule ^auto\.php http://tomaltman.com/more-information-on-pharma-hack-on-wordpress?da=1 [R=301,L]
RewriteRule ^keyboard\.php http://tomaltman.com/more-information-on-pharma-hack-on-wordpress?da=1 [R=301,L]

This will allow me to capitalize on the hack and not allow the hacker to steal all the traffic.

Stay tuned

We will see how this comes out – I need to inspect the plugins – it seems like it is the obvious solution.

Thanks for reading.


3 Responses to “More information on Pharma Hack on WordPress”

  1. any updates?

    The pharma hacks originates via the database. Once your site is hacked changing the password will prevent a future hack (hopefully) but not get rid of the current hack easily.

    Victims are often forced to change servers.

    Posted by Miki | November 2, 2012, 7:04 am
  2. I’m not sure I agree that it begins with the database. Most of the recent hacks were due to vulnerabilities with the timthumb script. It allow people to “overload” the script and it would kind of bend – allowing the hacker to add files to the website.

    The files added were then used to manipulate the site. The site would appear normal to the regular user, but if Google indexing with their bot, it would show some Canadian Pharmacy or Calais ads. That is why a good majority of people never know they are hacked.

    If you have specific questions Miki – I’d be happy to answer them…but there are really no updates other than you have to keep an eye on your site.

    Posted by tom | November 2, 2012, 8:53 am


  1. […] I kind of enjoy watching the techniques the rascals use to do it.  I have written about the WordPress Pharma Hack in the past – you can catch up […]

Post a comment