pharma hack details


Upload: hossam-salem

Post on 12-Apr-2017


PHARMA HACK REPORT

What is the Pharma Hack?

The Pharma hack is a type of malicious search engine ranking boosting technique that takes advantage of vulnerabilities in mostly (but not limited to) WordPress or Joomla websites. Its goal is to make pharmaceutical sites appear higher in Google results than they otherwise would. The Google search engine ranks the list of hits for a given Web site according to (among other factors) the number of external sites that link to it. By inserting the rogue code into an unsuspecting victim’s site, the hack in effect links that site to the cracker’s site. If done on a large enough scale, this tactic can result in the cracker’s Web site showing up near the top of various hit lists resulting from keyword-based searches.

The hack can be difficult to detect because it does not affect the displayed pages of the compromised Web site or blog. The spam (generally about Viagra, Cialis, etc.) only shows up if the visitor is a search crawler (GoogleBot, etc.) or arrives at the site from a search result. Because of this behavior, many sites have been compromised for months with those spam keywords while the website owner is blissfully unaware.

Diagnosis:

1. By doing a search for: "site:www.exetermedicalcenter.com drugs"

As you can see, those results do not belong to our website at all. If you click on any of those links in Google's search results, it will redirect you to an infected Pharma page like this one:

By clicking on the logo at the top left corner (Canadian Health&Care Mall), it will redirect you to the hacker's pharma website, which is 365-pills.com

By analyzing this website 365-pills.com:

http://www.scamadviser.com/check-website/365-pills.com

I found out the following:


The website owner could be directly responsible for this or he could have hired a hacker to do this job for him.

2. Digging in the Website Code

view-source:http://www.exetermedicalcenter.com/

You can find the hacked links in the source code, for example at the bottom of the source code:

The infected link is: http://rxreviews.org/topills.com/

This is just an example to demonstrate. I believe there are so many links in the source code of each page.

3. By checking www.browseo.net

http://www.browseo.net/?url=http%3A%2F%2Fwww.exetermedicalcenter.com%2F

At the end of the report you will find the following cloaked links:

Example of the infected links:

http://www.commoner.org.uk/?p=2139

http://www.groupatwork.com/english/?page_id=2048

http://www.csdit.com/?news=1165

4. Cloak-Detection Results

http://www.browseo.net/browseo/fraud?url=http%3A%2F%2Fwww.exetermedicalcenter.com%2F

The results show "Attention! Cloaking attempt detected...", which means that there are cloaked links in the website's theme source.

You can see the hidden links at the bottom of the page (the green part).
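The comparison behind a cloak-detection result like this can be reproduced by diffing the outbound links in the page as served to a browser against the page as served to a crawler. This is an added example, not part of the original report; the site name clinic.example, the two HTML samples and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _bare(host):
    """Lower-case a host name and drop a leading 'www.'."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collects the host of every absolute <a href> in a page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        host = urlparse(href).hostname if href else None
        if host:
            self.hosts.add(_bare(host))


def external_hosts(html, own_host):
    """Hosts a page links to, excluding the site itself and its subdomains."""
    parser = LinkCollector()
    parser.feed(html)
    own = _bare(own_host)
    return {h for h in parser.hosts if h != own and not h.endswith("." + own)}


def cloaked_hosts(browser_html, crawler_html, own_host):
    """External hosts linked only in the crawler view: cloaking candidates."""
    return sorted(external_hosts(crawler_html, own_host)
                  - external_hosts(browser_html, own_host))


# Constructed sample responses for a hypothetical site, clinic.example.
BROWSER_VIEW = (
    '<html><body><h1>Clinic</h1><a href="/contact">Contact</a>'
    '<a href="https://maps.example.org/clinic">Map</a></body></html>'
)
CRAWLER_VIEW = BROWSER_VIEW.replace(
    "</body>",
    '<div><a href="http://pills.example.net/">cheap pills</a>'
    '<a href="http://WWW.blog.example.com/?p=1">order online</a></div></body>',
)

if __name__ == "__main__":
    print(cloaked_hosts(BROWSER_VIEW, CRAWLER_VIEW, "www.clinic.example"))
```

In practice the two inputs are the same URL fetched twice, once with ordinary browser headers and once with a crawler User-Agent or a search-result Referer, the two conditions under which the report says the spam appears.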


The Negative Impact of the Pharma Hack:

Because Web site owners cannot readily see when they have been pharma hacked, the online reputation of a legitimate company or individual can be seriously damaged before the rogue code can be removed. Victims of this hack will have decreased traffic to their sites and, in some cases, removal of their sites by Google from search result lists.

Hidden cloaked links

Hidden links and malicious code can:

1. Grind the website to a halt. Whether they're designed to pull traffic elsewhere, simply redirect your users, or execute bad code, hidden links consume bandwidth and other resources. This can slow down or even crash the website - and every minute your site is down or compromised is a minute you're losing credibility and customers.

2. Hurt the marketing, destroy credibility, and knock the site down in search engine results. Hidden links can get you in deep trouble with Google, as Google forbids the use of any hidden content. And since those hidden links lead to spam-laden or malicious sites, our website's ranking on search engines can take a serious hit (if it has not already been penalized) when they are crawled.

3. Take your visitors on unwanted journeys. Hidden links can redirect visitors to your site to sites full of malware.

4. Give hackers control of your site and access to sensitive info. Using hidden links and other malicious code, hackers can take control of your entire site, install malware, or even steal account histories, financial information, and more.

Linking to Pharma websites

In addition, Pharma websites are considered spam websites and no one links back to them because of the negative impact they bring. Google AdWords policy restricts the promotion of healthcare-related content such as the following:

over-the-counter medication

prescription medication and information about prescription medication

online and offline pharmacies

pregnancy and fertility-related products and services

medical services and procedures

medical devices and tests

clinical trial recruitment

sexual enhancement treatments

Please read the full detailed post carefully:

https://support.google.com/adwordspolicy/answer/176031?hl=en


There is also a risk of getting de-indexed or dropped from the search engine results, or of visitors being shown a spam alert like:

How to Fix this Hack?

Once discovered, the code can be taken out of the affected files, although the process can take considerable time and effort. The infection is a bit tricky to remove and, if not done properly, will keep reappearing.

There are a few main areas to look for the infected hacked files: the theme, the plugins, the uploads folder, and finally the database.

I suggest you take a look at these helpful resources for more specific details about removing this hack.

Helpful resources:

Google's Webmasters help for hacked sites

My Site was Hacked FAQ

Wordpress Pharma Hack

Understanding and cleaning the Pharma hack on WordPress

Pharmaceutical Apocalypse

Please note that this problem is a serious problem and should be fixed AS FAST AS POSSIBLE.

Thank you for your time