Restoring a Pharma Hacked WordPress Site (WP 3.4)

I’ve been working on my Professor K’s blog and found that it had been hacked. It was kind of strange how I found that it was hacked; while trying to install a new plugin through the backend, the plugin window that pops up was filled with weird pharmacy links and images. I thought that was strange, so I searched the ends of the internet for answers. It is apparently a well-known and common exploit called the Pharma Hack.  One of the best ways to see if you have been hacked is to run the Sucuri Sitecheck scan on it. It’s free and will show you what pages are currently hacked.

There are lots of how-tos and guides online, but most of them are outdated. The pharma hack has evolved (1,2,3).

I first tried to fix the issue by searching my wordpress directory for offending files, usually containing the string “base64_decode”. I used the following command in the wordpress directory

$ grep -o -H -n -r "base64_decode" .

There were several files that did not appear to be real wordpress files, so I completely replaced the wp-includes directory with the code from the latest WordPress release.  This didn’t help.

I installed the Wordfence plugin. It’s a fantastic plugin and does well at finding malicious files, however it appears that the pharma hack removes the plugin entirely! It is still very helpful at finding affected files.

After the malicious files kept coming back, I continued by hardening my wordpress installation. The hack returned.

Desperate, I completely reinstalled the website from scratch, using the same database, copying back the uploads file (which contained no php code), reinstalling the plugins from wordpress directly, and using only the default themes plus my clean child theme.  The hack returned!

Today I am looking at the files that Wordfence found either unrecognized, modified core files or malicious:

  • wp-admin/includes/class-sftp.php
  • wp-includes/native.php
  • wp-includes/class-wp-error.php
  • wp-includes/legacy.php

It looks like the modified core file, class-wp-error.php, is what the hackers use to bootstrap their exploit, because the only difference between the clean file and the compromised file is this single line:

/@require_once ('native.php');

native.php is an injected file and is full of obfuscated code.

The code is so obfuscated in fact that I can’t really follow how the other files relate, except that legacy.php seems to be what grabs the pharma code.

What I did is, in order,

  1. Restore class-wp-error.php and chmod it to 444 (not sure if that will help protect it but worth a shot)
  2. Deleted the other files Wordfence found
  3. Ran another Wordfence scan to make sure they’re all gone and clean
  4. Hardened my site again
  5. Removed FTP access and changed the SSH/SFTP password
  6. Installed Better WP Security (known to play well with Wordfence)
  7. Reinstalled all my plugins (to be safe)
  8. Wait

I have a bad feeling that the site is still hacked and it’s only a matter of time before those malicious files appear again. I’ll update this if the site is still hacked.

Update 6/25/2012: 

The site appears to be clean. I’ve uploaded copies of the 4 files that were marked as malicious or unkown here. It’s a .docx because wordpress.com limits the filetypes.