The basic idea of the attack is to show different content depending on who is viewing it. Usually a website infected by a Pharmacy Hack will look normal when users visit the site. However, when someone reaches the site through a search engine, they will see ads for Viagra or similar (pharmacy) products in the result summary.
This is used to boost the hackers’ PageRank and, in turn, their revenue. It results in a decrease of the attacked site’s reliability and SEO. A decrease in SEO will make it harder for visitors to find your website. If the attacker chooses to inject dangerous code into the target webpage, the website can also be banned from certain search engines. In other words, it’s really bad for you as a site owner.
How can I find out if my site is affected by the Pharmacy hack?
Try a Google search for:
If you find anything, chances are your site is infected (unless you actually sell one of these products).
I am infected! What should I do?
The Pharmacy Hack can be pretty hard to remove since the hacker could place it pretty much anywhere in your code. A good method of finding where the hacker put the infected code is to sort your files by modified date and look at the ones that were changed recently.
Hackers usually put the code in .htaccess files and your index page, but as stated above, they could put it pretty much anywhere. Searching your code for “Viagra” will most likely not find the infected parts, since the attackers usually obfuscate the injected code. A popular method on sites running PHP is to encode the injection with base64 and run eval on it after decoding.
Example when encoded:
In this example the script identifies Google by checking the HTTP User-Agent.
The file “evil_hacker_file.php” will be rendered whenever Google visits the site, but not when a regular user browses. In order to find obfuscated code I would recommend using Grep. If you’re using Windows you could try WinGrep instead.
Using Grep you could try the following command to scan your code for obfuscation. Please replace “/path/to/code” with the path to the code you want to scan.
Credits to pentestlab.org for compiling the original list of commands.
This tells us that the function base64_decode is used in the file TCPDF/tcpdf.php on line 8555. Try to spot uses of the functions that stand out and look weird; not every use of these functions is a sign of a hacker. The hit above is an example of the function being used legitimately.
My second example, however, does not look legitimate and should be investigated further. More specifically, you need to find out where and how the variable $code is defined.
Continue this process by running all the commands and analysing their results, and you should be able to remove the Pharmacy Hack.
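As an added example (my own code, not from the post or from pentestlab.org), here is a small Python scanner that does what the grep commands above do, applying the post’s two hints: it walks the site newest-modified first and flags eval-wrapped decoding, eval of a variable, bare base64_decode calls, and User-Agent checks for Google. The rule names and the sample files it builds are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Patterns for the constructs the post tells you to grep for. Rule names are
# my own; this is a starting point for triage, not a complete signature set.
RULES = {
    "eval_of_decoded": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "eval_of_variable": re.compile(r"eval\s*\(\s*\$\w+", re.I),
    "ua_cloaking": re.compile(r"HTTP_USER_AGENT.{0,80}google", re.I),  # content switched on Google's UA
    "base64_decode_use": re.compile(r"base64_decode\s*\(", re.I),      # low severity on its own
}

def scan_tree(root, names=(".php", ".html", ".htaccess")):
    """Walk root, newest-modified files first, and return (path, line, rule, text) hits."""
    root = Path(root)
    files = [p for p in root.rglob("*")
             if p.is_file() and (p.suffix in names or p.name in names)]
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)  # recently changed files first
    hits = []
    for path in files:
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for rule, rx in RULES.items():
                if rx.search(line):
                    hits.append((path.relative_to(root).as_posix(), no, rule, line.strip()))
    return hits

def build_sample_site(root):
    """Constructed fixture: an injected index.php, a legitimate decode, a clean .htaccess."""
    root = Path(root)
    (root / "lib").mkdir()
    (root / "lib" / "pdf.php").write_text(
        "<?php\n$img = base64_decode($data); // legitimate: decoded, never eval'd\n")
    (root / ".htaccess").write_text("RewriteEngine On\n")
    (root / "index.php").write_text(
        "<?php\n"
        "if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
        "    include 'evil_hacker_file.php'; // the cloaked include the post describes\n"
        "}\n"
        "eval(base64_decode($code)); // what the post's second grep hit looks like\n")

def demo():
    """Build the fixture in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, no, rule, text in demo():
        print(f"{path}:{no} [{rule}] {text}")
```

Every hit still needs a human look, exactly as the post says for the tcpdf.php case: the bare base64_decode in lib/pdf.php is reported but is not wrapped in eval, while index.php trips both the cloaking and the eval rules.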
Author: David Hallenius