More information on Pharma Hack on WordPress

UPDATE:  This is an update post – the first one can be found at Pharma Hack Fix for WordPress.

It’s been a fun few days as I have been “fighting” with a hacker/black hat SEO person trying to use my blog to sell viagra.  But my friend David and I were able to catch them with their hand in my WordPress cookie jar.

How did they do a Pharma Hack on WordPress

Basically they compromised the server somehow – I have not figured out which method yet. But it appears they have/or had FTP access.  There were two files uploaded:  auto.php, keyboard.php and one item modified: wp-load.php.

Each day the hackers upload a new version of the file.

So, for the first 2 days I left the FTP the same…I just wanted to see how the hacker was gaining access.  I didn’t figure it out – but I simply changed permissions and that didn’t help.   Tonight I changed the FTP password – so we will see if that helps.

How to fix the Pharma Hack on WordPress

I’m not sure I know yet.  The first thing I have done is add a 301 redirect from auto.php and keyboard.php to my latest post regarding this issue.

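# The destination URL is missing from this copy of the post; /path-to-your-post/ is a placeholder.
RewriteRule ^auto\.php /path-to-your-post/ [R=301,L]
RewriteRule ^keyboard\.php /path-to-your-post/ [R=301,L]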

This will allow me to capitalize on the hack and not allow the hacker to steal all the traffic.

Stay tuned

We will see how this comes out – I need to inspect the plugins – it seems like it is the obvious solution.

Thanks for reading.

Pharma Hack Fix for WordPress

I really thought I was doing a good job…starting to build my traffic back up to the levels I had seen about 18 months prior, then I saw my numbers drop.  I had been hacked – someone was replacing my links/Google descriptions and stealing my search links and link juice.

My Pharma Hack Fix for WordPress

I’ll be detailing out what happened – how I found it and all the gory details soon.  The short-short answer was the hackers had added an “auto.php” and “keyboard.php” to my root – then modified the “wp-load.php” file to do all their bidding.

Hacking Backlinks

Albeit very Black Hat SEO, the hackers who hacked my WordPress server were very smart and had a very elaborate plan.  They were using many hacked servers to drive links around to high PR (Google Page Rank) sites and creating better link juice.  I’ll explain more in an additional post.

The Hack – Phase I

It is really a brilliant plan.  If it weren’t so illegal – it would be perfect.  As far as I can tell, they employ a 3-stage process.  (Thanks for the help figuring this all out from my friend David, who is a super knowledgeable dude with this sort of stuff.)

The system has three components – encrypted PHP in auto.php and keyboard.php (my guess is these files could be named almost anything) and then another bit of encrypted code in wp-load.php.

Notice all the links and then the URLs

auto.php & keyboard.php
This is used to suck current SERP traffic from Google.  With this “auto.php” and “keyboard.php” they are cloaking the Google bot – so basically, when people search Google for my content or search Google at all and return results – it redirects to a site selling Viagra or Cialis.

If you take a look in Google Webmaster Tools you will see how effective they have been.  There are all kinds of links for these terms.  It’s crazy – very impressive really.

Not cool – but look at how effective they have been…check out those stats.

But they also employ a second tool – in the “wp-load.php”.  I think this is what communicates back to the mothership and allows them to manipulate SERPs and URLs the way they do.

See the encrypted code here: (same thing you will find in auto.php and keyboard.php)

Encoded black hat SEO code

So what the heck is a guy to do?

Well – good question.  This is where my buddy David comes to the rescue.  His SEO knowledge/instinct told us not to waste this huge spillage of Google Juice.  If they want to give us lemons – we’ll make some good old-fashioned SERP lemonade.

301 Redirects & commenting out some code.
We added two lines to the .htaccess file and started to redirect all the traffic from those links to this post.  Hopefully – that is how you found it.  :)

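# The destination URL is missing from this copy of the post; /path-to-your-post/ is a placeholder.
RewriteRule ^auto\.php /path-to-your-post/ [R=301,L]
RewriteRule ^keyboard\.php /path-to-your-post/ [R=301,L]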

By adding these – we have reversed the outward flow of traffic.

Then – for the wp-load.php
For this guy I simply commented out the section circled in blue above.  It does appear that the SEO hackers do try and keep fixing this issue – I am testing a few things here.  I am trying to figure out if they have FTP access – or are simply using a vulnerability of a plugin.

Non WordPress Hacks

After looking over all the results of these files in Google – it certainly appears that this reaches much further than simply WordPress.  It appears to be links to many Apache/PHP sites.  It certainly seems the base of the hack is the same – look for auto.php, keyboard.php – then for a file modified on the same day as those two and I think you will find the culprit.
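The check described above, as an added example (not code from the original post): walk a web root, find the dropped files, and list every other .php file last modified on the same calendar day. The function names and the sample tree with its dates are constructed for illustration.

```python
import os
import tempfile
from datetime import date, datetime

# File names reported in the post; the author guesses they could be named anything.
DROPPED_NAMES = {"auto.php", "keyboard.php"}


def same_day_suspects(web_root, dropped_names=DROPPED_NAMES):
    """Return (dropped, suspects): the dropped files found under web_root, and
    every other .php file last modified on the same calendar day as one of them."""
    dropped, others = [], []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                day = date.fromtimestamp(os.lstat(path).st_mtime)
            except OSError:
                continue  # unreadable entry: skip rather than abort the sweep
            if name.lower() in dropped_names:
                dropped.append((path, day))
            elif name.lower().endswith(".php"):
                others.append((path, day))
    hit_days = {day for _path, day in dropped}
    # mtime can be reset by the intruder: treat a match as a lead, not proof.
    suspects = sorted(path for path, day in others if day in hit_days)
    return sorted(path for path, _day in dropped), suspects


def build_sample_tree(root):
    """Constructed sample web root (dates are made up for the demonstration)."""
    hack = datetime(2010, 5, 3, 2, 14).timestamp()
    old = datetime(2009, 11, 20, 9, 0).timestamp()
    layout = {"auto.php": hack, "keyboard.php": hack, "wp-load.php": hack,
              "wp-config.php": old, "wp-content/plugins/demo/demo.php": old,
              "wp-content/uploads/logo.png": hack}
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(same_day_suspects(root))
```

Any file it reports should be compared against a clean copy from the original WordPress or plugin package before it is trusted again.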

Please let me know if you need help…I will assist if I can.



This has been a wild day, but fun all the same.  It is very interesting how smart some people are.  This is an engineering marvel – this is not some fluke, this is serious – don’t think so…do a search for auto.php and keyboard.php and see how widespread the carnage is…very impressive.

Let me know if you have comments or have been bitten by this bug.