The Pharma Hack and Fallout

October 30th, 2010

I may have inadvertently set the access parameters to deny access to all but my own IP Addresses last night, so you may have found this site to be “forbidden” over the past 12 hours. I was following a security suggestion on a site with follow-up advice for cleaning up after the Pharma hack, and it may have locked everyone outside of my own IP address out of the site. Hopefully we’re back on now.

Here’s what happened. Apparently, the spammers have taken things to the next level. First, it was trackback spam–spammers pretending like they were referring to posts on my site in hopes of getting their sited link on a “top ten trackback” list. IIRC, they were the main reason people stopped using those lists. Next, it was spam comments filled with links to their spam sites, including attempts to get smarter with contextual spam. That got fought off with spam filters. After that, it was referral spam, in which they pretended to refer people to my site via links on theirs, thus making the top-referrer lists (again making such lists unpopular). Then it was splogs, stealing content from genuine sites to attract attention to their own. Then a resurgence of comment spam which forced me to change platforms.

For the past few years, though, everything was fairly quiet on the spam front; comment spam was controlled by Akismet, trackbacks are long history, and I stopped caring much about referral stats or splogs.

And then Matthew noted in the comments that something was weird about my site on Google.

If you do a Google search for “BlogD,” he pointed out, my site came up–but instead of reading as normal, it seemed instead to be a site selling drugs. The Google result made even the name of my blog seem like a spam banner, and the content full of pharma ads. Now, if you clicked on the link to my actual blog, you’d be taken here, which would be perfectly normal. But if you clicked on the cached site, you’d see something like this:

[Screenshot: Screen Shot 2010-10-30 at 3.05.50 PM]

That’s not just for the plain “BlogD” search, but for a search for any content on my site–the above result was from a search for “Softbank iPhone 4,” for which I am high on Google’s results. In short, it seems that most if not all of my listings on Google are currently like this, and I’ll have to wait for the crap to cycle out.

The weird thing is, my actual site is completely unaffected, at least on the surface. But it is as if Google is seeing an alternate-universe version of my site, choked with spam. Interestingly, in the cached site on Google, most links are normal and point back to my site. Even added links–a “Similar Posts” list, which doesn’t exist on my site but is added to the cached page, links back to my site despite the link tags being spammy–but they also added a “Trackbacks” listing, and that’s where you’ll find loads of their links, and the reason they did what they did.

So, what did they do? Apparently, they hacked my site, in what is being called the Pharma Hack or the Google Cloaking Hack, in which the spammers somehow gain access to your WordPress blog (likely through a vulnerability in a plug-in or the blog software itself, I haven’t found anyone who knows how it works yet), and essentially take it over. They hide their code in various files throughout your site, inject code into your database, and then they have their way.

The clever part of it is that on the surface, your blog looks normal–and you won’t know anything is happening until you do a Google search. The hack leaves your site apparently untouched, a smart move as outward changes would prompt immediate corrective action. But you have to remember, the spammers are not as much interested in your site as they are in the Google Juice that it can generate for them. And that’s what this hack is primed to do: harvest all your Google Juice and redirect it to the spammers.

Even as the site looks perfectly normal to you and everyone who visits, when Google’s crawlers come to your site, somehow the hacked parts of your blog make Google see only a heavily spammed version of your site–what shows up in Google’s cache, as shown above.
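A way to check for this split view from the outside, added here as an example and not taken from any of the cleanup guides: compare the page as served to a browser with the page as served to a crawler User-Agent, and report what only the crawler sees. The keyword list, the helper names and the two sample pages are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

SPAM_TERMS = ("viagra", "cialis", "pharmacy", "pills")  # assumed list; tune it
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class Page(HTMLParser):
    """Collects the <title> text and the host of every absolute link."""
    def __init__(self):
        super().__init__()
        self.title, self.hosts, self.in_title = "", set(), False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            host = urlparse(dict(attrs).get("href") or "").netloc.lower()
            if host:
                self.hosts.add(host)
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def fetch_as(url, user_agent):
    """Fetch url with a chosen User-Agent (needs network; the sample below does not)."""
    with urlopen(Request(url, headers={"User-Agent": user_agent}), timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def spam_terms(html):
    return {t for t in SPAM_TERMS if re.search(r"\b%s\b" % t, html, re.I)}

def cloaking_report(browser_html, crawler_html):
    """Report what only the crawler view contains: title, link hosts, spam terms."""
    b, c = Page(), Page()
    b.feed(browser_html)
    c.feed(crawler_html)
    return {"title_changed": b.title.strip() != c.title.strip(),
            "crawler_only_hosts": sorted(c.hosts - b.hosts),
            "crawler_only_terms": sorted(spam_terms(crawler_html) - spam_terms(browser_html))}

# Constructed sample pages, not captured from the real site.
BROWSER_VIEW = '<title>BlogD</title><a href="http://www.blogd.com/wp/?p=1">post</a>'
CRAWLER_VIEW = ('<title>Buy Viagra - BlogD</title><a href="http://www.blogd.com/wp/?p=1">pills</a>'
                '<h3>Trackbacks</h3><a href="http://spam.example/rx">pharmacy</a>')
```

On a live site, feed it `fetch_as(url, CRAWLER_UA)` and a browser-agent fetch of the same URL. A clean result does not rule out cloaking that keys on the crawler's source address rather than its User-Agent, so Google's cached copy remains the reference.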

So in response, I followed the laundry list of advice on the sites reporting it–updated all my software, deleted all plug-ins and reinstalled only a few, checked my database and deleted the hacked portions, as well as a half-dozen other things.

One of them, unfortunately, was an attempt to restrict control of the site via access files, which inadvertently seems to have shut down the site to anyone but myself. I caught this when Ken reported my site down, and corrected it, which should be evident if you’re reading this post.

Alas, the hack often leaves bits of itself in places hard to find, so I will have to keep watching the database to see if re-infection occurs. So far, the hack does not seem to be destructive in nature, just parasitic. But it may be a while before I can feel somewhat confident that the site is clean.

What worries me is what will come next. Trackback, comments, referral, splogs, comments again, and now site hacking. I have to figure it will only keep ramping up.

  1. October 30th, 2010 at 19:40 | #1

    Just want to say that I read your blog with Google Reader most of the time (pictures don’t come through). I noticed the Pharma Hack too. It looks like you have fixed it for now. Good luck in keeping them fended off.

  2. Todd
    October 30th, 2010 at 20:15 | #2

    I thought my government computer software was just being overly restrictive when I couldn’t get to your site. Glad you’re back with your “poasts” again.

  3. Luis
    October 30th, 2010 at 20:54 | #3

    Oops! Corrected. I dashed that one out fairly quick and didn’t proofread like I usually do. Too much work today…

  4. October 30th, 2010 at 20:56 | #4

    Well, the argument works the other way around, too. Cloak Url

  5. Luis
    October 30th, 2010 at 20:59 | #5

    The good news is that it appears the hack was in effect for no more than two or three days. If you do a Google search just of the site ( site:www.blogd.com/wp/ ), then stuff cached before October 25th is untouched–only the 26th and onward. Hopefully, Google will come back and re-cache the site.

    Anyone know a way to initiate such a thing?

  6. Luis
    November 13th, 2010 at 00:53 | #6

    One unfortunate result of the Pharma hack: my Google standings have been decimated. You tend to earn standings in Google after a long time, building slowly, slowly, and I was up where I had been after years of building. The Pharma hack hit me–and now my site traffic is 1/3 or 1/4 of what it used to be. And it looks like it will take months, maybe much longer, perhaps even more than a year, to build my status back up again.

  7. May 17th, 2011 at 08:57 | #7

    I was hit with a Pharma attack. Google: site:yourbasiccomputer.com . I went into webmaster tools last week and set to have the urls removed, however, I’ve yet to see the results in Google. I own about 30 domains, have studied SEO for years and do well with it, though I need to focus on my own sites rather than customers. The files were .php and base64 encoded. I wrote a simple script to unencode them and one of them, after unencoded was compressed so I uncompressed it and found some info. I did find an IP address within one of the pages and researched some, it pointed to swiftway.net, and trying to get to the IP, the site was down due to abuse or something.

    The pharma companies love this crap, as well as security sites. In the dark, they probably pay the spammers, as well so does Norton, as it keeps their economy going. It is a shame, people are so selfish and insecure, they’re driven by money which they use to buy material crap to cover up their insecurities. Spam is a product of capitalism?

    Anyway, glad you’re back online, I found the site tonight. I’ll check back and update you with what I come up with. Would be nice to track these people down and sue them or something, take some of the money they earn by leeching off others. Or perhaps send them into outer space with nothing but viagra and sandpaper.
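
The decoding step described in comment #7, as an added example that is not the commenter's script: it statically peels base64 and compression layers from a PHP file without executing anything, then lists IP addresses and hosts in the result. The function names and the sample payload (built from documentation-range addresses) are constructed for the illustration.

```python
import base64
import re
import zlib

# The string literal inside a PHP base64_decode('...') call.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")

def inflate(data):
    """Try raw deflate (gzinflate), zlib (gzuncompress), gzip (gzdecode)."""
    for wbits in (-15, 15, 31):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None

def peel(php_source, max_layers=10):
    """Statically unwrap nested layers without executing any PHP.
    Returns (final_text, layers), layers naming each encoding removed."""
    text, layers = php_source, []
    for _ in range(max_layers):
        match = B64_CALL.search(text)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(1))
        except ValueError:
            break
        layers.append("base64")
        unpacked = inflate(raw)
        if unpacked is not None:
            raw = unpacked
            layers.append("compressed")
        text = raw.decode("utf-8", "replace")
    return text, layers

def indicators(text):
    """Sorted IPv4 addresses and URL hosts found in decoded text."""
    ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", text)
    return sorted(set(ips) | set(hosts))

def _b64(data):
    return base64.b64encode(data).decode()

# Constructed sample: a payload wrapped in base64, then raw deflate + base64.
PAYLOAD = "/* constructed */ $feed='http://203.0.113.7/links.txt'; $shop='http://spam.example/rx';"
INNER = "eval(base64_decode('%s'));" % _b64(PAYLOAD.encode())
SAMPLE = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % _b64(zlib.compress(INNER.encode())[2:-4])
```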
