Identify pharma hack using google search
If your website is a victim of this hack, you are probably known by noticing Google search results. You can check Google indexed pages by typing
You will get something like this image below.
Hackers also may inject affiliate links for promoting their product. In that case, search engine visitors will be redirected to a different spammy website.
Some WordPress pharma hack exploits
Identifying the root of a pharma hack is not so easy. Based on disclosed vulnerabilities, hackers can use different injection techniques to get what they want.
Website file modification
In these cases, attackers target vulnerable WordPress websites where file modification is possible using WordPress core, theme, or plugin vulnerability. The attacker tries to inject malicious scripts into a plugin, theme, or WordPress core file. Sometimes it remains hidden or unknown for months. Some common files we found in different cases are:
wp-content/uploads/.*php (random PHP name file)
Some piece of code we found in those files:
Malicious scripts in database
In this case, we found malicious scripts hidden into WordPress database tables. Most targeted tables are:
Some table row data found as:
wp-options > class_generic_support
wp-options > widget_generic_support
wp-options > wp_check_hash
wp-options > rss_7988287cd8f4f531c6b94fbdbc4e1caf
wp-options > rss_d77ee8bfba87fa91cd91469a5ba5abea
wp-options > rss_552afe0001e673901a9f2caebdd3141d