[wp-hackers] Pharma hack

Simon Vart simon.vart at exigences.biz
Sat Sep 28 09:53:22 UTC 2013

Did you check webserver logs ? You will pages accessed.
Check creation date of common.php and /cookies/ directory and it will tell
you when to look around
Le 28 sept. 2013 10:09, "Steve Taylor" <steve at sltaylor.co.uk> a écrit :

> A site I run just got hit by the "pharma hack". There was a common.php and
> a /coockies/ directory in the root, and a modification to .htaccess
> rerouting all search bots to common.php - encoded but obviously stuffed
> with spam keywords, which were appearing in Google's index.
> I've cleaned up and all seems fine now, but obviously it'd be good to
> identify the point of entry and be sure.
> The site has always had an up-to-date core, with minor delays (I think a
> week passed before upgrading to 3.6.1). A few plugins needed upgrading, but
> as far as I could tell none of the upgrades involved serious security
> patches.
> The guy who hosts the site (not my choice) says he's 99% certain WP was the
> issue, but this seems unlikely to me. He doesn't seem terribly
> knowledgeable about security. I can't be 100% there wasn't some odd hole in
> my WP installation, but obviously I suspect a server vulnerability -
> leaving us pointing the finger at each other.
> Personally I would move hosts, but this isn't my decision. Just wondering
> what people here thought, and if anyone heard of recent vulnerabilities to
> this hack in relatively up-to-date WP installations. Also, what concrete
> analysis of the situation should be the bare minimum expected of a host?
> Cheers,
> Steve
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list