Show HN: Wordpress "Pharma Hack" Analysis
bitbucket.org

From decoded.php, for context:
/**
* ===WORDPRESS PHARMA HACK ANALYSIS===========================================
* ============================================================================
*
* Patrick Adair [ patrick AT ionpublications DOT com ]
*
* For the uninitiated, there's been a rather-nasty hack making its way across
* a number of prominent websites hosted with Wordpress called the "pharma
* hack"; named so because it hijacks your search results in Google, et al. to
* show obviously-spoofed results for Viagra and other generic medications
* that we see spammed all the time across the internet.
*
* As you, the reader, can rightly imagine, Wordpress blog owners were scared
* out of their minds and worked quickly to remove the hacks from their sites,
* finding the necessary codes sometimes hidden deep inside of their plugins
* and striking only when search engines and automated crawlers of any kind
* hit the site.
*
* On the 24th of November, 2010, we noticed that one of our sites, Science
* and Supermodels [ http://www.scienceandsupermodels.com ] was hit by the
* hack, and after a few times of playing cat-and-mouse with it (delete the
* injected code only to have it re-appear in the same place 30 minutes later),
* we were able to remove it entirely and all was well.
*
* But I had an interesting idea. To my knowledge, at the time of this writing,
* all of the accumulated knowledge on this hack was simply removal techniques
* for non-technical users (which, admittedly, is most of Wordpress' userbase
* so far as I can tell - the consequences of making it so gorramn easy to
* install). I decided that it would make an interesting project to break apart
* and analyze the injected code to try and figure out what it was doing, and
* see if any good can come of that.
*
* Fast forward to 24 hours ago (December 20, 2010), and I've finally cleared
* up enough time to start meaningfully decoding and rewriting this script, and
* I hope that something useful will come of this - perhaps a security company
* can pick up on the groundwork I've laid here and figure out how to actually
* stop the bastards doing this.
*
* What follows is a SIGNIFICANTLY re-written version of the script, edited for
* clarity and also to test my programming chops - the original was compressed,
* encoded in base64, and even then written in an absolutely incomprehensible
* fashion.
*
* I've tried to include as much information as I can - since the control
* servers are still active for this hack (at least at the time of this
* writing), I was able to get pretty accurate debugging and data on what its
* delivery method was, and those will all be included in my Mercurial repo
* along with this file.
*
* Also, this is based off of only the version of the hack that our site got -
* it remains entirely possible that other mutations of the hack exist and I
* would be curious to see what they look like / do. If you have other samples
* of the code, please email them to me and I would love to see.
*
* So without further ado, I present the Wordpress Pharma Hack:
*
*/