Decoding the Unusual Wordpress "Pharma Hack"

Every now and again, something happens that makes you want to shake someone's hand and then take a hatchet to their throat - and there's a good chance that a number of these occurrences will be in computer science. Recently, I ran into one of these situations and I'd like to take a few moments to write about it here, since I think it will be of at least cursory interest to some of the readers here.

About a month ago, Science and Supermodels was hacked. Considering that I occasionally work on that site and it's a nice funny place to read about awesome science, I had to figure out what the hell was going on. Everything looked ok for the most part, but our Google Search results were all out of whack. Since I forgot to take a screenshot, you'll have to take my word for it that Science and Supermodels should at no times show up with the words "viagra" or "prednisone" in its search results.

Not Pictured: Awesome science.

What we discovered (after a couple of hours of finding and erasing the offending code, only to have it replaced) was the Wordpress "Pharma Hack", which has apparently been making the rounds around a lot of self-hosted Wordpress blogs on the internet. In a nutshell, it hijacks the blog so that normal browser users see the page they asked for, but search engines and other bots are given bogus content from the hack's control servers.

How did it get on the site? Simply put, we don't know - could have been bad passwords or a Wordpress vulnerability or a million other things. Still working on how that worked, but it's not quite as important as what it's actually doing under the hood.

Nobody seems to be interested in actually looking at the source code of this - all the blogs other than mine have been on diagnosing and removing it - but I decided that it would be awesome to decompress, unencrypt, and rewrite the thing to figure out just what the hell is going on with it.

So I just pissed away 27 hours of my life reading and analyzing brilliantly crappy code written by what I presume are some German or Russian guys (based off of where their servers are located). This is how you know I'm a nerd, if it wasn't painfully evident already.

It would take ages to re-compose my thoughts on it here, so I'll leave you with a link to the source repository I've created with the decoded files and some sample information from the control servers. If you're technically inclined, and want an interesting read, I highly recommend perusing it. It's in fairly-readable PHP (I hope).

Bitbucket Repository for Pharma Hack

Excuse me - while you read that, I'll be sharpening my hatchet.

Related articles

Comments

Know Science And Want To Write?

Donate or Buy SWAG