Pharma Hack via MM Forms Community

Early last week, we experienced several injection attacks from something known as the “pharma hack” – this is a sneaky attack on your website, which alters the Search Engine results of your website’s pages. If you are using MM Forms Pro or MM Forms Community, I strongly recommend changing your site’s forms IMMEDIATELY.

The Signs

An easy way to check whether your site has been attacked is to do a quick Google search for your own site. Check to see if any of the pages that seem have anything funky – specifically Viagra, Cialis, or Propecia related.

If you have FTP access to your site, go into the MM Forms uploads folder (/wp-content/plugins/mm-forms-community/upload/tmp) and see if there are any files there with a .php extension. The files we found were file names of 10 digits followed by ‘-auth’.

If you find these files, REMOVE THEM IMMEDIATELY, then follow these steps to clean your site.

  1. Delete the Upload folder in the MM Forms plugin directory, if you do not have any current files in there besides the PHP attack files.
  2. Deactivate MM Forms, and find an alternative contact form plugin, such as Contact Form 7 or Visual Form Builder. They both are secure and up-to-date plugins (and are better, anyways).
  3. Search your WordPress core files for any code-blocks consisting of encoded characters. The lines I found were on the first lines of wp-config.php, wp-includes/version.php, and wp-includes/compat.php. A quick way of doing this is do a site-wide search in Dreamweaver, NetBeans, or whatever you use as your IDE, for ‘\x’. WordPress has many instances of this throughout the core, but look for files that have thousands (and I mean thousands) of instances. You will most likely find the culprit there.
  4. Generate a Sitemap and re-submit it to Google. It will take several days for the hack to disappear from your Google reputation, but at least you caught the attack!

Please feel free to ask me any questions if you get stuck in this process!