
Cleaning up a WordPress blog infected by Pharma Hack by @Fedelosa

[Image: fedelosa infected on Google]

The following article is a collaboration from my friend @fedelosa, written especially for SpamLoco. His blog was infected through a cloaking technique and he tells us first hand how to look for malicious code and clean the site.

A few days ago I was told on Twitter that my blog was appearing in Google's results as a compromised site. As soon as I finished fucking :P I started to check what was happening: I went to the blog and it looked fine, I checked the source code of several different pages and of the home page, and there was no malicious code there, so I let it go.

The next day, I have no idea why, it occurred to me to search for my blog on Google. Just by typing fedelosa it appears as the first result, and there was the surprise of finding something like this:

I went back to check the site and still nothing appeared, and my nerves were on edge. How could that appear in the search results if it was not in my site's code? After investigating for a while I found that it is possible to alter the results without modifying anything that is visible on the blog, in this case a WordPress blog.

How do they do it?

Although there may be other ways that I am not aware of, in my case the problem lived in a .php file of an old plugin that I no longer used but had never deleted, or even disabled. The code in that file queried the database and, in some way that I do not understand, managed to show the search engines something different from what was actually on the site.

How to fix it?

The Pharma Hack, as the BlackHat SEO spam that affected my site is called, resides both in some .php (or .js) file and in the database. Many sites recommend deleting the entire WordPress installation, including the database, and starting from scratch, but since that seemed like a lot of work, I did something else: delete the hidden code in a file and clean the database.

To clean the database, open phpMyAdmin, choose the database that corresponds to our blog in the left column (if we do not know which one it is, we can look at the wp-config.php file), then select the wp_options table and go to the Search tab, searching in the option_name column.

We search for the following:

  • wp_check_hash
  • class_generic_support
  • widget_generic_support
  • ftp_credentials
  • fwp
  • rss_% (in this case we must be careful not to delete rss_language, rss_use_excerpt or rss_excerpt_length)

And we delete everything that matches those searches. With this the database is clean; now we have to go after the .php files, which of course are many, and more so if we have several plugins, so which file should I check?
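As an added example (not the author's own script), the following shell snippet encodes the cleanup list above as a filter over option_name values and produces the SQL to review before deleting anything. It assumes the default wp_ table prefix (check $table_prefix in wp-config.php) and the sample option names are constructed; note that in a MySQL LIKE pattern the underscore is itself a wildcard, so rss\_% is used rather than rss_%.

```shell
#!/bin/sh
# Added example: classify wp_options option_name values according to the
# Pharma Hack cleanup list in the article. Sample data is constructed;
# the wp_ table prefix is an assumption.

# Return 0 (true) if an option_name matches the cleanup list, 1 otherwise.
# The rss_ prefix is matched, but the three legitimate WordPress options the
# article warns about are always kept.
is_pharma_option() {
    case "$1" in
        rss_language|rss_use_excerpt|rss_excerpt_length) return 1 ;;
        wp_check_hash|class_generic_support|widget_generic_support|ftp_credentials|fwp) return 0 ;;
        rss_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read option_name values (one per line) on stdin and print a DELETE
# statement for each suspect row, to be reviewed before running it in
# phpMyAdmin or the mysql client.
delete_statements() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if is_pharma_option "$name"; then
            printf "DELETE FROM wp_options WHERE option_name = '%s';\n" "$name"
        fi
    done
}

# Number of suspect names on stdin, for a quick sanity check.
count_suspects() {
    delete_statements | wc -l | tr -d ' '
}

# SELECT equivalent of the phpMyAdmin searches, listing the suspect rows
# together with a preview of their values. Backslash escapes the underscore,
# which would otherwise match any single character.
review_query() {
    cat <<'SQL'
SELECT option_id, option_name, LEFT(option_value, 80) AS value_preview
FROM wp_options
WHERE option_name IN ('wp_check_hash', 'class_generic_support',
                      'widget_generic_support', 'ftp_credentials', 'fwp')
   OR (option_name LIKE 'rss\_%'
       AND option_name NOT IN ('rss_language', 'rss_use_excerpt', 'rss_excerpt_length'));
SQL
}

# Constructed sample of option_name values, as one might copy out of
# phpMyAdmin; the last four are legitimate WordPress options.
SAMPLE_OPTIONS='wp_check_hash
class_generic_support
rss_0a1b2c3d
rss_language
rss_use_excerpt
rss_excerpt_length
siteurl'

review_query
printf '%s\n' "$SAMPLE_OPTIONS" | delete_statements
```

Run the SELECT first and inspect value_preview: a serialized blob of pharmacy keywords or encoded PHP confirms the row, while anything that looks like normal plugin settings deserves a second look before the DELETE.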

I have no idea! In my case the Pharma Hack was hosted in a different file from the ones the various sites say to check, so the ideal is to do a text search to see where we find it.

If we have SSH access to the server, we can use the grep command to find text strings, like this:

$ grep -r wp_class_support ./wp-content/plugins

If we find things like:

if (! defined (wp_class_support)) {
define (wp_class_support, true);

We must make sure to delete those files.
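The grep above looks for a single string under the plugins directory. As an added example (not the author's script), this snippet scans a whole tree for every marker the article mentions, the wp_class_support constant and the option names the injected code references, and lists the files that contain any of them. The marker list and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: search a WordPress tree for the strings the article
# identifies as Pharma Hack markers. Marker list and sample files are
# constructed here; this is not the author's own script.

# Strings reported in the infected plugin file plus the option names from the
# database cleanup list, which the injected PHP also refers to.
MARKERS='wp_class_support
class_generic_support
widget_generic_support
wp_check_hash'

# Print the path of every file under $1 containing at least one marker.
# -r: recursive, -l: names only, -I: skip binaries, -F: fixed strings.
scan_for_pharma() {
    dir=$1
    set --
    for m in $MARKERS; do
        set -- "$@" -e "$m"
    done
    grep -rlIF "$@" "$dir" 2>/dev/null || true
}

# Number of files flagged under $1.
count_infected() {
    scan_for_pharma "$1" | wc -l | tr -d ' '
}

# Build a throwaway wp-content tree with one file that imitates the injected
# code shown in the article and one ordinary plugin file; prints its path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/old-plugin" "$tmp/wp-content/plugins/good-plugin"
    # Constructed stand-in for the snippet quoted in the article.
    printf '%s\n' '<?php' \
        "if (!defined('wp_class_support')) {" \
        "    define('wp_class_support', true);" \
        '}' > "$tmp/wp-content/plugins/old-plugin/old-plugin.php"
    # Clean plugin with ordinary code.
    printf '%s\n' '<?php' \
        '// Plugin Name: Good Plugin' \
        'add_action("init", "good_plugin_init");' \
        > "$tmp/wp-content/plugins/good-plugin/good-plugin.php"
    printf '%s\n' "$tmp"
}

# Demo run on the constructed tree.
DEMO=$(make_fixture)
echo "Files matching Pharma Hack markers:"
scan_for_pharma "$DEMO/wp-content"
rm -rf "$DEMO"
```

On a real server, point scan_for_pharma at the whole wp-content directory (themes and uploads included) rather than only plugins, since as the article notes the infected file is not always where the guides say it is; open each hit and read it before deleting, because a legitimate security plugin may mention the same names while checking for the infection.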

It remains to wait until Google wants us again. To speed this up, with the site already registered and verified in Google Webmaster Tools, we must submit a reconsideration request.

An interesting tool to see if our site is infected, and later to verify that it has been cleaned, is Fetch as Google, part of Webmaster Tools:

There we can see how Google sees our site; this is how my site appeared to the search engine a few days ago:

After removing the Pharma Hack from the database and the infected plugin, we can fetch it again and the code should look clean.

It only remains to take the necessary precautions so that this does not happen again: change passwords, change the SALT keys in wp-config.php, uninstall plugins and themes that we do not use, etc.
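Changing the SALT keys invalidates every existing login cookie, so anyone who obtained a session while the site was compromised is logged out. As an added example (not from the article or from WordPress itself), this snippet generates a fresh set of the eight define() lines to paste into wp-config.php in place of the old ones; it assumes /dev/urandom and base64 are available on the server.

```shell
#!/bin/sh
# Added example: generate replacement SALT definitions for wp-config.php.
# Assumes /dev/urandom and a base64 utility; not part of the article.

# The eight constants WordPress reads from wp-config.php.
SALT_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# One random value: 48 bytes from the kernel CSPRNG, base64-encoded to 64
# characters. The base64 alphabet contains no quote or backslash, so the
# value is safe inside a PHP single-quoted string.
random_salt() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Print a define() line for each constant.
generate_salts() {
    for n in $SALT_NAMES; do
        printf "define('%s', '%s');\n" "$n" "$(random_salt)"
    done
}

# Number of define() lines produced (should always be 8).
count_salts() {
    generate_salts | wc -l | tr -d ' '
}

generate_salts
```

Replace the whole block of eight defines in wp-config.php with the output, then log in again yourself; combine this with a password change, since new salts do not help if the attacker still knows a valid password.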

More information:

Understanding and cleaning the Pharma hack on WordPress http: //

How to Diagnose and Remove the WordPress Pharma Hack http: //

Author: Federico Lorenzo (@fedelosa)