[wp-hackers] Pharma hack

Steve Taylor steve at sltaylor.co.uk
Sat Sep 28 08:09:51 UTC 2013

A site I run just got hit by the "pharma hack". There was a common.php and
a /coockies/ directory in the root, and a modification to .htaccess
rerouting all search bots to common.php - encoded but obviously stuffed
with spam keywords, which were appearing in Google's index.

I've cleaned up and all seems fine now, but obviously it'd be good to
identify the point of entry and be sure.

The site has always had an up-to-date core, with minor delays (I think a
week passed before upgrading to 3.6.1). A few plugins needed upgrading, but
as far as I could tell none of the upgrades involved serious security

The guy who hosts the site (not my choice) says he's 99% certain WP was the
issue, but this seems unlikely to me. He doesn't seem terribly
knowledgeable about security. I can't be 100% sure there wasn't some odd hole in
my WP installation, but obviously I suspect a server vulnerability -
leaving us pointing the finger at each other.

Personally I would move hosts, but this isn't my decision. Just wondering
what people here thought, and if anyone has heard of recent vulnerabilities to
this hack in relatively up-to-date WP installations. Also, what concrete
analysis of the situation should be the bare minimum expected of a host?
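
An added example, not part of the original post: one way to check every .htaccess under a web root for the symptom described above, a rewrite that sends crawler User-Agents to a PHP file. The crawler name list, the sample rules and the function names are assumptions made for illustration.

```python
import re
from pathlib import Path

# Crawler name fragments to look for in User-Agent conditions (assumed list; extend as needed).
BOT_RE = re.compile(r"bot|crawl|spider|slurp|google|bing|yahoo|yandex|baidu", re.I)

# Constructed sample for illustration; not the contents of the compromised site's file.
SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp) [NC]
RewriteRule ^(.*)$ /common.php?p=$1 [L]
RewriteCond %{HTTP_USER_AGENT} BadScraperBot [NC]
RewriteRule .* - [F]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

def audit_htaccess(text):
    """Return (line_no, target, conditions) for each RewriteRule that reroutes crawler User-Agents."""
    findings, pending, buf, start = [], [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        buf += raw.rstrip()
        if buf.endswith("\\"):  # Apache joins backslash-continued lines before parsing
            buf = buf[:-1] + " "
            continue
        line, buf = buf.strip(), ""
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        if parts[0].lower() == "rewritecond":
            pending.append(line.split(None, 1)[1])
        elif parts[0].lower() == "rewriterule":
            # RewriteCond lines apply only to the next RewriteRule, then reset.
            gated = [c for c in pending
                     if "HTTP_USER_AGENT" in c.upper() and BOT_RE.search(c.split(None, 1)[1])]
            # Target "-" means no substitution (a bot-blocking rule, not a reroute), so skip it.
            if gated and parts[2] != "-":
                findings.append((start, parts[2], gated))
            pending = []
    return findings

def scan_webroot(root):
    """Audit every .htaccess under root; return {path: findings} for files with hits."""
    results = {str(p): audit_htaccess(p.read_text(errors="replace"))
               for p in Path(root).rglob(".htaccess")}
    return {path: found for path, found in results.items() if found}
```

On the constructed sample only the rule on line 3 is reported; the bot-blocking rule and the stock WordPress rewrite to /index.php are not.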


