[wp-hackers] Porn links in google cache

Justin W Hall justin at justinwhall.com
Fri Jul 15 16:56:10 UTC 2011

New information has come to light. At first, All things pointed to the  
Pharma Attack. I scanned the site, found many of the "base64"  
functions, eval and common strings associated with the problem. As I  
started cleaning things up, I realized that many of the potentially  
new malicious files and potentially compromised files had not been  
modified since I had installed WP and the theme it self... Hmmmmmmm,  
something doesn't add up here. I started sniffing around for other  
potential problems.

As it turns out my client had downloaded his theme from the following  
source for FREE.


This theme is a Woo network theme and once I was made aware that it  
was downloaded for free I became very suspect. I went over to woo  
themes and as I suspected it is NOT free.


I do plan on purchasing the legitimate theme from Woo Themes and  
In the mean time my question... Are rogue / spammy themes common?

On Jul 15, 2011, at 12:12 PM, Justin W Hall wrote:

> What's interesting, is when switching to User agent within Firefox,  
> I don't see the injected links?!?
> On Jul 15, 2011, at 3:07 AM, Chris Taylor - stillbreathing.co.uk  
> wrote:
>> Hi Justin,
>> I got hacked with this last year. It's a nasty one, but (touch wood)
>> my site seems OK at the moment). I wrote a short article about it  
>> with
>> some useful links:
>> http://www.stillbreathing.co.uk/2010/11/21/wordpress-pharma-hack/
>> Hope you get it sorted.
>> Chris
>> On Thu, Jul 14, 2011 at 4:20 PM, Justin W Hall <justin at justinwhall.com 
>> > wrote:
>>> Hey folks-
>>> It's been brought to my attention that when a site a recently  
>>> worked in is viewed via google cache, there is a whole list of  
>>> mostly porn related links that have been added to the bottom of  
>>> the pages that obviously do not exist on the page. My questions:
>>> 1) how does this happen? Host related malware?
>>> 2) what us the best way to go about fixing this.?
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Justin W. Hall
justin at justinwhall.com
Skype: justinwhall
cell: 803-318-4804

More information about the wp-hackers mailing list