How to Find & Fix WordPress Pharma Hack

It’s hard for any website owner to discover pharmaceutical spam. Finding bogus content for prescription drugs on a website you watched grow from a tiny blog can be heartbreaking. But don’t blame your website: it just got caught up in a bad crowd of SEO spammers.

SEO spam occurs when bad actors inject a website with keywords. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam. While these attacks aren’t specific to pharmaceuticals, in 2019 the Sucuri remediation team found pharma hack content on 59% of client websites infected with SEO spam.

Why do spammers create pharma scams?

Calling pharma spam injections “scams” is not entirely accurate in the traditional sense.

The spammers may not be out to scam anyone out of money, but are instead exploiting an opportunity. Pharmaceutical prices are much higher in the U.S. than in other countries, and many of these spammers are exploiting the fact that they can resell medication bought locally to Americans at a much lower price than those Americans would pay through legal options.

Spammers will also target drugs that are still under U.S. patent law. The patents prevent cheaper generic options from hitting the market, so spammers will expect American customers to be on the lookout for a cheaper option.

However, don’t consider this a reason to give pharma spam sites a shot for saving money. Buying pharmaceuticals online without a doctor’s prescription in the U.S. is still illegal, and there is no guarantee the spammers won’t take your money and run.

Assessing the damage

Finding out if your WordPress site is infected with a pharma hack is simple.

Look for pharmaceutical keywords

Just head over to Google and search your site for pharmaceutical-related keywords, such as:

  • Viagra
  • Cialis
  • Nexium
  • Buy prescription drugs online
  • Buy xanax online overnight

If you find pages with content about these pharmaceuticals that you didn’t put there, then your site is infected.

But if you’re feeling a bit squeamish or embarrassed about having male enhancement drugs in your search history, we’ve got you covered.

Use a website scanner

Sucuri’s free SiteCheck tool can scan your site for all kinds of malware, and will tell you if your site has been blacklisted as a result of the attack. Make sure to note any payloads or locations from the SiteCheck report.

Check your WordPress core files

Next, you’ll want to check your core WordPress file integrity. Because most core WordPress files should not be modified, you’ll want to make sure the attackers did not make any changes to files in the wp-admin, wp-includes, and root folders.

The easiest way to check is by installing the Sucuri plugin from the WordPress repository. It can quickly check your file integrity and compare it against the original source files. Another option is to use the diff command in the terminal. You can also manually check your files via SFTP. If no files have been modified, your core files are clean – but you’re still not out of the woods yet.

Check recently modified WordPress files

After confirming your core files, you will also want to check for any recently modified files. These modified files could be part of the attack or a backdoor for the hackers to come back and reinfect your site.

The good news is that there are a couple of methods for checking recently modified files. The Sucuri WordPress plugin’s file integrity monitoring can find and restore modified files. This makes the process much easier for novices.

But if you want to do it yourself without the plugin, you’ll need to log into your server using an FTP client or SSH terminal.

If using SSH, you can list all files modified in the last 15 days using this command:

$ find ./ -type f -mtime -15

Note: The modified/changed times can also be faked.

If using SFTP, sort by the last modified date column for all files on the server. With either method, make sure to take note of any recently modified files.
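The find command above only looks at mtime, which the note says can be faked. The script below is an added example, not code from the original post: it lists recently changed files by ctime as well, and flags files whose mtime is far older than their ctime, the footprint a backdated file leaves behind. It assumes GNU find and touch on Linux and builds its own throwaway demo tree.

```shell
#!/bin/sh
# Added example, not code from the Sucuri post: list recently changed files by ctime
# as well as mtime. `touch` can backdate a file's mtime, but ctime is set by the
# kernel whenever the inode changes and cannot be chosen, so a file whose mtime is
# far older than its ctime deserves a second look. Assumes GNU find/touch (Linux).

# Usage: recent_by_ctime <dir> <days>
# Files changed (ctime) within the last <days> days, showing both timestamps.
recent_by_ctime() {
    find "$1" -type f -ctime "-$2" \
        -printf '%CY-%Cm-%Cd ctime  %TY-%Tm-%Td mtime  %p\n' | sort
}

# Usage: mtime_ctime_mismatch <dir> <seconds>
# Files whose ctime is more than <seconds> ahead of their mtime, i.e. candidates for
# a backdated modification time. A large gap also occurs after chmod/chown or a
# restore from an archive, so treat hits as leads to verify, not proof.
mtime_ctime_mismatch() {
    find "$1" -type f -printf '%T@ %C@ %p\n' | while read -r mtime ctime path; do
        mtime=${mtime%.*}; ctime=${ctime%.*}     # drop fractional seconds
        if [ $((ctime - mtime)) -gt "$2" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed demo tree: one ordinary file and one whose mtime was pushed back.
demo=$(mktemp -d); mkdir -p "$demo/wp-includes"
echo '<?php // ordinary file'  > "$demo/wp-includes/normal.php"
echo '<?php // backdated file' > "$demo/wp-includes/backdated.php"
touch -d '2019-01-01' "$demo/wp-includes/backdated.php"   # mtime faked, ctime is now

echo '--- mtime search from the post (misses backdated.php):'
find "$demo" -type f -mtime -15
echo '--- ctime search and mismatch check (both list backdated.php):'
recent_by_ctime "$demo" 15
mtime_ctime_mismatch "$demo" 86400
rm -rf "$demo"
```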

A few words of caution

Now that you know where your pharma hack is, you can start cleaning. Keep in mind that manually removing “malicious” software can be detrimental to your website’s health. For example, the removal of an injection into an existing legitimate file can cause formatting problems that prevent proper execution of the file’s code.

Do not perform any of these steps without a backup. If you’re feeling uneasy about the process, it may be best to call in a professional to assist.

Also, note that not all pharma hacks are created equal. WordPress pharma hacks can be tricky to remove at times. For example, back in 2016 our remediation team ran into what was described as an “undeletable pharma ‘doorway.’” While the doorway wasn’t literally “undeletable,” it certainly put up a fight against our malware removal professionals.

But if you have your backups and you’re ready to get your website back in shape yourself, let’s get started! We’re always here to help if you encounter any issues.

Cleaning WordPress files and databases

If you did find a pharma hack infection in your core files, you can fix it manually. Just make sure to not overwrite your wp-config.php file or wp-content folder.

First, identify any recently changed files. Confirm if the changes were legitimate with the user who made them. Restore any modified core files with copies from the official WordPress repository.

For any custom or premium files that are not in the official repository, open them in a text editor. Remove any suspicious code and then test to verify that the site is still operational after changes.
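The core-file integrity check described earlier and the restore step just described can be done with one script. The example below is added here and is not code from the original post or the Sucuri plugin: it compares a live site against a clean copy of the same WordPress release, skips wp-config.php, .htaccess and wp-content/ (which the post says not to overwrite), reports modified, missing and extra files, and restores only the modified core files. It assumes GNU findutils and coreutils and builds throwaway demo trees in place of a real release and a real site.

```shell
#!/bin/sh
# Added example, not code from the Sucuri post: compare a live WordPress tree with a
# clean copy of the same release (e.g. an unpacked official wordpress-X.Y.Z archive)
# across the areas the post says should never change: wp-admin/, wp-includes/ and the
# root files. wp-config.php, .htaccess and wp-content/ are skipped because they are
# expected to differ. Assumes GNU findutils and coreutils on a POSIX sh.

# Usage: core_integrity_check <clean-tree> <live-tree>
# Prints "MODIFIED|MISSING|EXTRA <relative path>" per finding; prints nothing when clean.
core_integrity_check() {
    for root in "$1" "$2"; do
        (cd "$root" && find . -type f -not -path './wp-content/*' \
            -not -name 'wp-config.php' -not -name '.htaccess' | sed 's|^\./||')
    done | sort -u | while read -r rel; do
        if [ ! -e "$1/$rel" ]; then
            echo "EXTRA    $rel"       # not shipped with the release: classic backdoor spot
        elif [ ! -e "$2/$rel" ]; then
            echo "MISSING  $rel"
        elif ! cmp -s "$1/$rel" "$2/$rel"; then
            echo "MODIFIED $rel"       # content differs from the official file
        fi
    done
}

# Usage: restore_modified <clean-tree> <live-tree>
# Overwrites only MODIFIED files with the clean copy. EXTRA files are left for manual
# review, and wp-config.php / wp-content/ are never touched. Take a backup first.
restore_modified() {
    core_integrity_check "$1" "$2" | while read -r kind rel; do
        if [ "$kind" = MODIFIED ]; then
            cp -p "$1/$rel" "$2/$rel" && echo "restored $rel"
        fi
    done
}

# Constructed demo trees standing in for a real release and a real site.
clean=$(mktemp -d); live=$(mktemp -d)
for d in "$clean" "$live"; do mkdir -p "$d/wp-includes" "$d/wp-content/themes"; done
echo '<?php // version.php' | tee "$clean/wp-includes/version.php" > "$live/wp-includes/version.php"
echo '<?php // index.php'   | tee "$clean/index.php" > "$live/index.php"
echo '<?php // injected'   >> "$live/index.php"                   # tampered core file
echo '<?php // not in release' > "$live/wp-includes/wp-tmp.php"   # extra file
echo 'DB_NAME'    > "$live/wp-config.php"                         # ignored by design
echo 'custom css' > "$live/wp-content/themes/style.css"           # ignored by design

core_integrity_check "$clean" "$live"     # reports the tampered core file and the extra file
restore_modified "$clean" "$live"         # puts the clean index.php back, leaves wp-tmp.php
rm -rf "$clean" "$live"
```

Extra files inside wp-admin or wp-includes deserve a manual read before deletion, since the script deliberately does not remove them.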

After cleaning the files, you’ll want to clean your database tables. Keep in mind that your WordPress plugins also use these tables.

Be very cautious, as these steps can break your website if improperly completed. Make sure to have a backup, test any changes, and get help if you are worried about causing any damage.

To clean the database infection, log into your database administration panel (e.g. phpMyAdmin). Search the existing database tables for any suspicious content related to the pharma hack. Open the table with the suspicious content and manually remove it. Test the changes to verify everything is still working. If you used any database access tools like Search-Replace-DB or Adminer, make sure to remove those as well.

Unfortunately, pharma spam injections in the posts table (wp_posts with the default table prefix) can be tedious to remove manually. The injection may use existing post text for its hyperlink text, so it’s important to avoid inadvertently removing legitimate text during the removal process. This further highlights the necessity of a full backup (files AND database) prior to making any modifications.

Closing the website backdoors

Now your website should be clean… but let’s keep it that way with a few more steps.

Log in to your site as an admin. Audit your site’s users and see if there are any you don’t recognize. This should include checking whether the user’s email address was modified by the attacker. If there are any suspicious users, delete them. These were likely created by the hackers for use as a backdoor.

Speaking of reinfection, hackers don’t leave just one backdoor option to get back into a compromised environment.

If you miss any backdoors on your WordPress site, you’ll get reinfected and have to start this all over again. That’s why this step is imperative to your website’s health.

Hackers try all kinds of techniques to keep backdoors undetected. One popular method is to embed them into files with the same name as core files but located in the wrong directories. Attackers can also inject backdoors into common files and directories. Backdoors often contain one or more of the following PHP functions:

  • base64_decode (and base64_encode)
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file

But, much like database tables, these functions are also used legitimately by plugins. As a result, you’ll want to make sure to make backups and test everything to avoid breaking your website.
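Because the functions above also appear in legitimate plugins, a bare grep produces too many hits to read. The script below is an added example, not code from the original post: it scores each PHP file by how many of the listed functions it calls, so that a file stacking several of them stands out from a plugin that uses one. It assumes GNU grep and builds its own inert demo files; the sample file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the Sucuri post: rank PHP files by how many of the
# functions listed above they call, so a file stacking several (eval + gzuncompress +
# base64_decode) floats to the top while a plugin calling base64_decode once does not.
# Hits are leads to read by hand, not verdicts. Assumes GNU grep on a POSIX sh.

FUNCS='base64_decode str_rot13 gzuncompress eval exec system assert stripslashes move_uploaded_file'
# preg_replace only counts when the pattern string carries the /e modifier (removed in
# PHP 7, so any use is suspect). Only the common "/" delimiter is handled.
PREG_E="preg_replace\([[:space:]]*[\"'][^\"']*/[a-z]*e[a-z]*[\"']"

# Usage: score_php_files <dir>
# Prints "<hits> <file> <indicator...>" for each .php file with a hit, highest first.
score_php_files() {
    find "$1" -type f -name '*.php' | while read -r f; do
        n=0; hits=''
        for fn in $FUNCS; do
            # word boundary, optional whitespace, then "(" so "evaluate(" or "my_eval(" do not match
            if grep -qE "(^|[^a-zA-Z0-9_])$fn[[:space:]]*\(" "$f"; then
                n=$((n + 1)); hits="$hits $fn"
            fi
        done
        if grep -qE "$PREG_E" "$f"; then
            n=$((n + 1)); hits="$hits preg_replace/e"
        fi
        if [ "$n" -gt 0 ]; then
            printf '%d %s%s\n' "$n" "$f" "$hits"
        fi
    done | sort -rn
}

# Constructed demo tree. None of these files does anything; they only carry the patterns.
demo=$(mktemp -d); mkdir -p "$demo/wp-content/plugins/good" "$demo/wp-includes"
# A legitimate-looking plugin decoding a stored option: one indicator, low score.
printf '%s\n' '<?php $cfg = json_decode(base64_decode($opt), true);' \
    > "$demo/wp-content/plugins/good/settings.php"
# Stand-in for an obfuscated injection: three stacked indicators.
printf '%s\n' '<?php eval(gzuncompress(base64_decode($blob)));' > "$demo/wp-includes/wp-tmp.php"
# PHP 5-era trick: a regex with /e executed the replacement string as code.
printf '%s\n' '<?php preg_replace("/.*/e", $blob, "");' > "$demo/wp-includes/wp-cache.php"

score_php_files "$demo"
rm -rf "$demo"
```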

Removing WordPress malware warnings

Once your website is clean and back to normal, you’ll want to let any blacklisting authorities know. Because blacklisted websites can lose up to 95% of organic traffic, not doing this can cause damage to your site’s reputation and revenue.

You’ll need to contact any of the blacklisting authorities with some general information on your cleanup process. Blacklisting authorities include Google Search Console, McAfee SiteAdvisor, and Yandex Webmaster.

Keep in mind that it may take a few weeks for the blacklist to be removed. For users of the Sucuri Website Security Platform, we can submit blacklist review requests on your behalf.

Conclusion

Pharma hacks are an unfortunate reality for WordPress website owners. Bad actors are always looking for new websites to infect with this attack and other forms of malware. As a result, anyone with a website needs to keep security as top of mind.

With the increased amount of attacks, it’s understandable to feel overwhelmed.

You don’t have to go at it alone. Sucuri can help you keep your website safe from pharma hacks. Our web application firewall (WAF) and platform plans can protect your WordPress sites from pharma hacks and other attacks.


*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Justin Channell. Read the original post at: https://blog.sucuri.net/2020/06/find-fix-wordpress-pharma-hack.html