Hung Truong: The Blog!

Pharma Hack Update: Finally Gone

January 13, 2013 | 4 Minute Read

A good while ago, I wrote a blog post about how my blog was pharma hacked, and I thought I had gotten rid of it. I was actually extremely wrong, and it’s taken about half a year of off/on again fiddling to get rid of the infection for good. I thought I’d write up what I did in case anyone else has issues with this hack.

In order to remove it, I tried searching for solutions from other bloggers. They got me to a certain point, but after following the directions and letting my blog sit for a week or so, I’d use the Google Webmasters feature to “fetch as Googlebot” and find that my site was reinfected.

Here’s a step by step summary of what I had to do to finally get rid of the nasty pharma hack.

I downloaded the latest tar.gz from WordPress here and extracted it to my root web directory. My blog lives in the subfolder “/blog/” so I just moved the wp-config.php file from /blog/ to the /wordpress directory, then I renamed the blog folder to something else and renamed wordpress to blog. I found that I’d also have to re-set the permalink settings to get pages besides my home page to show up correctly.

My main mistake was copying the wp-contents subfolders back to the /blog/ directory. I assumed that the main infected file (wp-loads.php) was the only culprit. It turned out that I also had multiple php backdoors in my wp-contents directories, in /plugins, /themes, and even /uploads.

I basically had to re-download anything in plugins and themes so that I knew those directories would be fresh. I ran a command to delete anything in /uploads that was a .php file, as that was how the backdoor worked. I believe it was something like

find /path/to/uploads -name "*.php" | xargs rm

but you probably want to double check that before running it on your server.

I also noticed that some backdoors existed in the root of my web directory, where I keep my portfolio. If you have other directories besides your blog in your web root, it’s probably worthwhile to check those out.

At this point I was pretty close to having a clean WordPress install. But for some reason my site would still eventually fall to the pharma hack. I checked my server logs and it looked like someone was modifying header.php in my theme directory from the admin panel. This was pretty surprising because I thought I had my password locked down pretty tight. I am actually still not sure whether the password was compromised, or some other feature in php (or a cookie) allowed the hacker to access the admin theme editor. Either way I’m pretty sure the header.php was hacked to write a new backdoor file which would then create other backdoors. Pretty smart!

To fix this, I put another layer of security on my wp-admin directory with a .htaccess and .htpasswd file. I also updated my password to a 40 character random string that even I can’t remember. Finally, I just erased the file that does theme editing in the admin interface since I never use it and it seems like a really weak vulnerability.

So far, the pharma hack hasn’t resurfaced and it’s been about two weeks. I’m going to say that I’m slightly confident it won’t return (unless there’s another vulnerability in WordPress that pops up).

I feel like I learned quite a bit about security while playing whack-a-mole with this hack. I got to look at the backdoor files and figure out how they were hidden and obfuscated, and eventually found what I think was the root of the problem in the WordPress theme editor. I also hacked together some scripts to show recently modified files (hacked together from stuff I found doing some searches). If I end up getting hacked like this again, I’ll probably be able to remove it faster.

For a while, I was considering moving to Jekyll for my blog. But that seemed like a bit too much work moving posts and comments, and learning a new blogging system, especially for how infrequently I blog nowadays. For now, I will stick with WordPress with all of its vulnerabilities, which have hopefully been mitigated with the few extra precautions I’ve added.