

Show HN: Wordpress "Pharma Hack" Analysis - arianb
https://bitbucket.org/arianb/pharmahack/src

======
JoachimSchipper
From decoded.php, for context:

        /**
         * ===WORDPRESS PHARMA HACK ANALYSIS===========================================
         * ============================================================================
         *
         * Patrick Adair [ patrick AT ionpublications DOT com ]
         * 
         * For the uninitiated, there's been a rather-nasty hack making its way across 
         * a number of prominent websites hosted with Wordpress called the "pharma 
         * hack"; named so because it hijacks your search results in Google, et al. to 
         * show obviously-spoofed results for Viagra and other generic medications 
         * that we see spammed all the time across the internet.
         *
         * As you, the reader, can rightly imagine, Wordpress blog owners were scared 
         * out of their minds and worked quickly to remove the hacks from their sites, 
         * finding the necessary codes sometimes hidden deep inside of their plugins 
         * and striking only when search engines and automated crawlers of any kind 
         * hit the site.
         *
         * On the 24th of November, 2010, we noticed that one of our sites, Science 
         * and Supermodels [ http://www.scienceandsupermodels.com ] was hit by the 
         * hack, and after a few times of playing cat-and-mouse with it (delete the 
         * injected code only to have it re-appear in the same place 30 minutes later), 
         * we were able to remove it entirely and all was well.
         *
         * But I had an interesting idea. To my knowledge, at the time of this writing, 
         * all of the accumulated knowledge on this hack was simply removal techniques 
         * for non-technical users (which, admittedly, is most of Wordpress' userbase 
         * so far as I can tell - the consequences of making it so gorramn easy to 
         * install). I decided that it would make an interesting project to break apart 
         * and analyze the injected code to try and figure out what it was doing, and 
         * see if any good can come of that.
         *
         * Fast forward to 24 hours ago (December 20, 2010), and I've finally cleared 
         * up enough time to start meaningfully decoding and rewriting this script, and 
         * I hope that something useful will come of this - perhaps a security company 
         * can pick up on the groundwork I've laid here and figure out how to actually 
         * stop the bastards doing this.
         * 
         * What follows is a SIGNIFICANTLY re-written version of the script, edited for 
         * clarity and also to test my programming chops - the original was compressed, 
         * encoded in base64, and even then written in an absolutely incomprehensible 
         * fashion.
         *
         * I've tried to include as much information as I can - since the control 
         * servers are still active for this hack (at least at the time of this 
         * writing), I was able to get pretty accurate debugging and data on what its 
         * delivery method was, and those will all be included in my Mercurial repo
         * along with this file.
         *
         * Also, this is based off of only the version of the hack that our site got - 
         * it remains entirely possible that other mutations of the hack exist and I 
         * would be curious to see what they look like / do. If you have other samples 
         * of the code, please email them to me and I would love to see.
         *
         * So without further ado, I present the Wordpress Pharma Hack:
         *
         */
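
The header above describes the two traits defenders most need to spot in this family of injections: the dropped code is wrapped in base64 (sometimes with a compression layer) and fed to eval(), and it only acts when a search-engine crawler's user agent is seen. As an added example, not part of the HN thread or of Adair's repository, the Python below peels those eval(base64_decode(...)) and gzinflate() wrappers from a PHP file and flags crawler-cloaking strings in the recovered payload. The obfuscated sample it unwraps is constructed in the code itself, and the CLOAK_HINTS list is an assumption, not taken from the original hack.

```python
import base64
import re
import zlib

# Matches the common one-liner wrappers: eval(base64_decode('...')) and
# eval(gzinflate(base64_decode('...'))). Group 1 is set when a gzinflate()
# layer is present; group 2 is the base64 blob.
LAYER_RE = re.compile(
    r"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
)

# Assumed indicator strings for crawler cloaking (not from the original sample).
CLOAK_HINTS = ("HTTP_USER_AGENT", "googlebot", "bingbot", "slurp")


def peel(php_source, max_depth=10):
    """Repeatedly unwrap eval/base64/gzinflate layers; returns each decoded layer."""
    layers = []
    current = php_source
    for _ in range(max_depth):
        m = LAYER_RE.search(current)
        if not m:
            break
        data = base64.b64decode(m.group(2))
        if m.group(1):
            data = zlib.decompress(data, -15)  # raw DEFLATE, as PHP gzinflate() expects
        current = data.decode("utf-8", "replace")
        layers.append(current)
    return layers


def scan(php_source):
    """Return layer count, cloaking indicators and the innermost payload."""
    layers = peel(php_source)
    final = layers[-1] if layers else php_source
    low = final.lower()
    hits = [h for h in CLOAK_HINTS if h.lower() in low]
    return {"layers": len(layers), "cloaking": hits, "payload": final}


def build_sample(payload):
    """Constructed test input: payload -> gzinflate/base64 -> base64, as seen in the wild."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(payload.encode()) + c.flush()
    inner = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(inner.encode()).decode()


SAMPLE_PAYLOAD = 'if (stripos($_SERVER["HTTP_USER_AGENT"], "googlebot") !== false) { echo "CONSTRUCTED"; }'

if __name__ == "__main__":
    print(scan(build_sample(SAMPLE_PAYLOAD)))
```

Run against a real plugin directory by feeding each file's contents to scan(); a non-zero layer count or any cloaking hit is worth a manual look, though legitimate plugins occasionally base64-encode assets too.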

