Pharma Hack Fix for WordPress

Pharma Hack Fix for WordPressI really thought I was doing a good job…starting build my traffic back up to the levels I had seen about 18 months prior, then I saw my numbers drop.  I had been hacked – someone was replacing my links/Google descriptions and sealing my search links and link juice.

My Pharma Hack Fix for WordPress

I’ll be detailing out what happned – how I found it and all the gory details soon.  The short-short answer was the hackers had added a “auto.php” and “keyboard.php” to my root – then modified the “wp-load.php” file to do all their bidding.

Hacking Backlinks

Albeit very Black Hat SEO, the hackers who hacked my WordPress server were very smart and had a very elaborate plan.  They were using many hacked servers to drive links around to high PR (Google Page Rank) sites and creating better link juice.  I’ll explain more in  an additional post.

The Hack – Phase I

It is really a brilliant plan.  If it weren’t so illegal – it would be perfect.  As far as I can tell, they employee a 3 stage process.  (Thanks for the help figuring this all out from my friend David, who is a super knowledgeable dude with this sort of stuff.)

The system has three components –  encrypted php in antu.php and keyboard.php (my guess these files could be named almost anything) and then another bit of encrypted code in wp-load.php.

Notice all the links and then the URL’s

auto.php & keyboard.php
This is used to suck current SERP traffic from google.  With this “auto.php” and “keyboard.php” they are cloaking the Google bot – so basically, when people search google for my content or search google at all and return results – it it redirects to a site selling Viagra or Cialis.

If you take a look in Google Webmaster Tools you will see how effective they have been.  There are all kinds of links for these terms.  Its crazy – very impresive really.

Not cool – but look at how effective they ahve been…check out those stats.

But they also employ a second tool – in the “wp-load.php”.  I think this is what communicates back to the mothership and allows them to manipulate SERPs and URLs the way tehy do.

See the encrypted code here: (same thing you will find in auto.php and keyboard.php)

Encoded black hat SEO code

So what the heck is a guy to do?

Well – good question.  This is where my buddy David comes to the rescue.  His SEO knowledge/instinct told us not to waste this huge spillage of Google Juice.  If they want to give us lemons – we’ll make some good old fashion SERP lemonaid.

301 Redirects & commenting out some code.
We added two lines to the .htaccess file and started to redirect all the traffic from those links to this post.  Hopefully – that is how you found it.  :)

RewriteRule ^auto\.php [R=301,L]
RewriteRule ^keyboard\.php [R=301,L]

By adding these – we have reversed the outward flow of traffic.

Then – for the wp.load.php
For this guy I simply commented out the  section circled in blue above.  It does appear that the SEO hackers do try and keep fixing this issue – I am testing a few things here.  I am trying to figure out if they have FTP access – or are simply using a vulnerability of a plugin.

Non WordPress Hacks

After looking over all the results of these files in Google – it certainly appears that this reaches much further than simply WordPress.  It appears to be links to many Apache/PHP sites.  It certainly seems the base of the hack is the same – look for auto.php, keyboard.php – then for a file modified on the same day as those two and I think you fill find the culprit.

Please let me know if you need help…I will assist if I can.



This has been a wild day, but fun all in the same.  It is very interesting how smart some people are.  This is a engineering marvel – this is not some fluke, this this is serious – don’t think so…so a search for auto.php and keyboard.php and see how widespread the carnage…very impressive.

Let me know if you have comments or have been bitten by this bug.