Saturday, July 21, 2012

Pharma Attack

No, it is not when you get attacked by a marauding pharmacy :)

So what is it?

It's a website hack that first appeared on WordPress sites. It involves malicious users hijacking Google search results for the site and redirecting them to other sites that sell pharmaceutical products such as Viagra.

The hack...

The hacker modifies existing pages so that they execute code in other pages; these code snippets in turn translate into links to third-party websites pushing various pharmaceuticals.


Unfortunately it is quite likely that the owner or the users of the site will never know these links are being exposed, because the attack targets only certain search engine spiders, such as Google's bots.


This effectively means that the injected results are posted in the search engine's results for the site (e.g. Google).


How do they get in?

The most usual point of entry is a hacked FTP account or a script vulnerability in the content management system.


The fix...

  1. Check .htaccess and .bootstrap files for suspicious redirects or executions.
  2. Check PHP files for suspicious references to "eval()", "base64_decode()" or "create_function()".

Prevention is better than cure...


  1. Always make sure to use WiFi hotspots that have a password, as this ensures that your communication is encrypted and cannot be intercepted and used by a malicious user.
  2. Do not use the FTP account over the insecure FTP protocol. Only use it with secure transmission over the SSH File Transfer Protocol, which hides (encrypts) the username and password and encrypts the content.
  3. Keep your CMS installations up to date with the latest versions; this ensures that hackers cannot make use of vulnerabilities in older versions of the CMS.
  4. Several CMS modules need constant upgrades to eliminate security vulnerabilities.
  5. Keep weekly backups of the code repository and of the database.
  6. Change all administrator passwords, database passwords and FTP passwords periodically.
  7. Monitor the site's server logs for links crawled by search engines which look suspicious.
  8. Maintain a backup copy of the entire CMS installation and run a code diff periodically to ascertain that no files have been changed.
  9. Check PHP files for suspicious references to "eval()", "base64_decode()" or "create_function()".
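As an added example (not code from the original post), a small Python checker that covers the two fix steps and item 8 above: it flags the PHP functions and the .htaccess rewrite patterns the post describes, and compares SHA-256 hashes of the current files against a clean baseline. The sample site contents, the `example.invalid` host and the `wp-content/uploads/cache.php` path are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Indicators named in the post: obfuscated code execution in PHP files, and .htaccess
# rewrites that key on a search-engine user agent or redirect visitors off-site.
PHP_PATTERNS = {fn: re.compile(r"\b" + fn + r"\s*\(") for fn in ("eval", "base64_decode", "create_function")}
HTACCESS_PATTERNS = {
    "bot-conditional rewrite": re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(googlebot|bingbot)", re.I),
    "external redirect": re.compile(r"RewriteRule\s+\S+\s+https?://", re.I),
}

def load_tree(root):
    """Read every .php file and .htaccess under a web root into {relative path: text},
    e.g. scan_site(load_tree("/var/www/html")) on a real install (path is an assumption)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*")
            if p.is_file() and (p.suffix == ".php" or p.name == ".htaccess")}

def scan_site(files):
    """Return {path: [(line number, indicator)]} for every file that matches an indicator."""
    hits = {}
    for path, text in files.items():
        patterns = HTACCESS_PATTERNS if path.endswith(".htaccess") else PHP_PATTERNS
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx in patterns.items():
                if rx.search(line):
                    hits.setdefault(path, []).append((lineno, name))
    return hits

def hash_files(files):
    """SHA-256 per file; run this on a clean backup and keep the result as the baseline."""
    return {path: hashlib.sha256(text.encode()).hexdigest() for path, text in files.items()}

def diff_hashes(baseline, current):
    """The post's periodic code diff: which files were added, removed or changed since the baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

# Constructed sample data: a clean baseline and the same site after a hypothetical compromise.
CLEAN_SITE = {".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ index.php [L]\n",
              "index.php": "<?php\nrequire 'wp-blog-header.php';\n"}
INFECTED_SITE = {
    ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
                 "RewriteRule ^(.*)$ http://example.invalid/ [R,L]\nRewriteRule ^(.*)$ index.php [L]\n",
    "index.php": "<?php\neval(base64_decode('aGVsbG8='));\nrequire 'wp-blog-header.php';\n",
    "wp-content/uploads/cache.php": "<?php\n$f = create_function('', 'return 1;');\n",
}
```

Running `scan_site(INFECTED_SITE)` reports the bot-conditional rewrite and external redirect in .htaccess and the eval/base64_decode/create_function lines, while `diff_hashes(hash_files(CLEAN_SITE), hash_files(INFECTED_SITE))` shows the two modified files and the new file under uploads.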
