WordPress Pharma hack removal instructions

these are notes to self compiled with help from greg. not guaranteed to work for others. proceed with caution!

Starting from this:
http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

– —

1. back up the database and uploads folder, and your theme folder, and scrap everything else (wordpress core files and plugins).

(copy whole wordpress folder to “mywordpressfolder.pharma” for example – you can always retrieve files you need from this folder later)

(backup database via myphpadmin to desktop)

delete original wordpress install folder.

– – –

2. run those SQL commands on the infected database:

delete from wp_options where option_name = ‘class_generic_support’;
delete from wp_options where option_name = ‘widget_generic_support’;
delete from wp_options where option_name = ‘fwp’;
delete from wp_options where option_name = ‘wp_check_hash’;
delete from wp_options where option_name = ‘ftp_credentials’;
delete from wp_options where option_name = ‘rss_7988287cd8f4f531c6b94fbdbc4e1caf’;
delete from wp_options where option_name = ‘rss_d77ee8bfba87fa91cd91469a5ba5abea’;
delete from wp_options where option_name = ‘rss_552afe0001e673901a9f2caebdd3141d’;

(make sure the quotation marks are “raw” quote marks (unformatted, not “smart”)

when inside phpmyadmin, hit the “SQL” tab and cut and paste the above code within the “run SQL query on database”

– – –

3. check the uploads folder for bad files

using the terminal (ssh shell)

cd wp-content
find uploads/ -name *php -delete

– – –

4. reinstall latest wordpress and plugins from scratch

using dreamhost one click installer, put new wordpress install where the old one used to be
point the database to your old database

however, dreamhost thinks you’re making a brand new blog, so gives a new database table prefix to this new install. it also makes the new wp-config.php file point to these new database tables.

so, you need to edit your wp-config file to set the database prefix to be wp_ (ie, the old database tables prefix)

now in phpmyadmin, delete the new database tables which dreamhost created:
(select them and then click “with selected” and then “drop” (in sql, drop means delete table)

– – –

5. Move the cleaned uploads, and theme folders to their normal place

(move them from mywordpress.pharma to the clean mywordpress folder)

in terminal:

cd ~/mydomain.com

mv mywordpress.pharma/wp-content/themes mywordpress/wp-content/

and also:

mv mywordpress.pharma/wp-content/uploads mywordpress/wp-content/

6. check it all works! If so, then move to next step…

7. Delete the mywordpress.pharma folder:

rm -rf ~/mydomain.com/mywordpress.pharma

2 thoughts on “WordPress Pharma hack removal instructions

  1. Jacque

    My best source for fixes to the pharma hack is http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php — the instructions there are roughly parallel to what you’ve noted here, with some differences. I note two here:
    1) in step 2, pearsonified suggests looking for all option_names starting with rss_ EXCEPT for a few that are needed by the application: “language” “use_excerpt” and “excerpt_length”.
    2) in step 3 above, there are some additional bogus files to search for (see pearsonified’s step one).
    Good luck, and thanks for publishing your notes, hopefully it will help others. I will be examining my site to see if some of your steps will improve my process. Right now I find that every couple of months I’ve been re-infected, so there’s a hole somewhere . . .

    Reply
    1. Lucas Post author

      thanks Jacque. I’ll pass this on to my friend Greg who helped me, and I’ll definitely follow your tips when I muck out the next site I need to fix. There are a few!

      I did see the pearsonified post, but it was too complex for me to follow, which is why i decided to make my own instruction manual after getting instructions from Greg.

      If you find out what the hole is in your own site that keeps you getting re-infected, do let me know. It’s a real time waster isn’t it?

      cheers
      Lucas

      Reply

Leave a Reply to Jacque Cancel reply

Your email address will not be published. Required fields are marked *