I've Been Hacked! WordPress Pharma Hack - Ideas? Anyone Else Hit? | Help Desk | Yakezie Forums

Hi Team,

I did a little exchange on Twitter and have some initial work done on this, but long story short, multiple sites of mine now have google searches redirecting to scammy online pharma websites.  I've seen some pretty comprehensive articles out there with dozens of steps and hours/days of work to resolve (and many readers reporting back in that even after undertaking all the tasks, the malicious code reappears days later).  Anyway, I suspect this came from Dreamhost since it hit 3 sites at the same time which have different passwords, etc. but of course they're playing dumb.  Interested if any of you have heard of this one or have any other quick fixes other than scouring thousands of files, deleting all plugins/reinstalling, etc.  It's a real PIA and nasty coding but apparently people have been hit with this for the past year or two; just made its way to a few of my sites.

Example – google this: Where Can I Get Free Hydrochlorothiazide 75 Mg

You'll see my cad-sourcing and darwinsmoney sites come up first page.

tx!

Sorry to hear this happened to you. Gosh this seems to be happening more and more. I would also recommend Jesse. He is a great help with stuff like this.

my computer actually was infected with a virus where all of the google search clicks were redirected to a spammy site. I just used malwarebytes to remove the virus and it's all good now. not sure if this is what you're referring to or if it's something completely different.

Holycrap… when did you first detect this? Good suggestion from Andrea; I have renamed the admin account on most of my sites and I also have a captcha on the login form.

Wow, I had no idea this can happen. Thanks for the tip to Andrea as well, nasty. Hope you get it all cleaned up

Post edited 9:35 am – January 2, 2012 by BeforeYouInvest

I got hit with that a while back and it was NASTY.  If you don't catch it the first day it keeps building and building until every other word is some kind of ED drug… NOT good!

I started using a site called Code Garage that backs up your site daily and checks for hacks/downtime and alerts you if there is one.  Its $15 a month but well worth it in the long run… if you have ever tried to clean one of these up you know what I mean!

Anyway if you guys sign up use this link here (it's an affiliate link … if you don't feel like using it just go to the site directly but theres no $ diff for you.)

sooverdebt said:

Slight tangent here, but I would advise everyone to add an administrator login other than "admin" and delete the admin account. Awhile back Pat Flynn suggested a plugin called Limited Login Attempts, which I use – yesterday there were 13 separate IP addresses trying to login as admin on my site. If they can't figure out your login, it's harder for them to use password cracking software to get into your Wordpress account. Just a tip! :)

Great tip!  Stupid me…  I still use admin.  Changing it now.  Thanks,

Resolved!

So, I spent a few days trying to figure it out myself.  As detailed and seemingly "expert" as the posts were at Pearsonified.com and several other outlets, every approach was different, they were very involved and the ones I tried didn't work.  Next, I paid my web design guy I use in India for a couple days of work searching out malicious code, switching out plugins, blah blah blah. He found a few things but didn't get it all.  Same ole' Cialis and Levitra redirects.

Finally, I looked into just paying a firm that specializes in this and I should have done it from day one.  I had 3 sites impacted in total and all have seen SEO impacted.  One was de-indexed from google completely and I've had to submit a request to re-index which could take weeks for them to even look at.  The firm was Sucuri and they fixed it in an hour (affil link but same cost to you if you check them out).  Basically for a mere $89 they do a single site and I signed up for the multi-site for $189.  They have an automated method.  I just gave them my FTP password and boom – done.  I went back and checked a few html viewers and googlebot tests and they all come back as negative for spam now.  Granted, google is still showing some results because it takes days or weeks for them to completely re-index, but real-time checks confirm all the malicious code is gone.

I had some generous offers from fellow yakezie and others to look into it, but if it's something you've never dealt with before, it may have been days/weeks figuring it out whereas these guys wrapped it up instantly for a completely reasonable sum (I would have paid much more, especially for the site that was de-indexed!).

Anyway, check out Sucuri for a quick fix if you get the pharma hack or other malicious code, I highly recommend them.  Oh, and by the way, I get their service for free for the next year if it were to rear its ugly head again somehow.

Post edited 4:33 am – January 11, 2012 by Invest It Wisely

Sorry, dp