Title: Possible Pharma Hack? Last modified: August 20, 2016 --- # Possible Pharma Hack? * [joshvariedce](https://wordpress.org/support/users/joshvariedce/) * (@joshvariedce) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/) * Hi all! * I’m looking for any sort of help I can get at this point. I’ve exhausted many of the options that I’ve found on the net and so far continue coming up short. First of all, the problem: * My website doesn’t have any actual spam on it that I have been able to find, but of course Google has hundreds of returns for posts that feature titles and descriptions for Cialis/Viagra products. You can view examples here: * [https://www.google.com/search?q=site%3Awww.variedcelluloid.net+%28online](https://www.google.com/search?q=site%3Awww.variedcelluloid.net+%28online) |pharmacy|cialis|viagra|xanax%29 * On some posts I make on Facebook, pointing towards specific posts, it also returns with the spam title tags and descriptions. However, the majority of the pages you’ll find in the above google search lead to “Nothing Found” results. The posts do not seem to exist. However, they still show up in my Google Webmaster Tools under duplicate titles/descriptions. Now, there are some legitimate posts listed in those results above, but when you click on the link everything seems to come up fine. * With the pages that return fine but show up with spam titles/descriptions, I have tried fetching them with Googlebot, looking for out-of-the-ordinary scripts or pharma-related keywords, but nothing comes up. * I’ve replaced the WordPress core files in the recent past. I might try it again sometime soon though and maybe look into deleting any unnecessary files/plugins. I recently had WP Super Cache, but deleted it because I had heard it might be a liability. Unfortunately, I’m afraid that if I start disabling plugins it may take weeks to get results. Afterall, nothing actually “shows” on the website, it’s all about the google results. * The site comes up as clean through websites like Sucuri. Sucuri even says “no spam.” * I’ve used grep, looking for any files that feature “base64_decode” and found very little to worry about. The only ones that seemed somewhat worrisome started off with lines that said… * > “Deprecated functions from past WordPress versions. You shouldn’t use these > functions and look for the alternatives instead. The functions will be removed > in a later version.” * Still, I couldn’t find anything online that said these files (all with varying titles) were pharma/spam/malware related. * I’ve looked for the following files but do not appear to have them: * > akismet.old.php > class-akismet.php wp-akismet.php db-akismet.php .akismet.cache. > php .akismet.bak.php db-pagenavi.php class-pagenavi.php ext-podpress.php ext- > tweetmeme.php db-editor.php .tweetmem.old.php *query.js * I’ve found nothing out of the ordinary in any .htaccess files. * In phpmyadmin, I’ve looked under wp_options / option_name for: * > class_generic_support > widget_generic_support fwp wp_check_hash ftp_credentials > rss_7988287cd8f4f531c6b94fbdbc4e1caf * No luck with that. While in phpmyadmin I did a search for “viagra” and came up with 156 results coming from statpress, but these seem to come from URL requests. I’m not sure if that’s something I need to worry about. Any ideas? * I’ve went through the following posts already: * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://blog.aw-snap.info/2011/02/pharmacy-hack.html](http://blog.aw-snap.info/2011/02/pharmacy-hack.html) [http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html](http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html) * I’m just hoping that someone on here has spotted the same situation. I have not seen many discussions amongst others who have had the same “phantom posts” problem that I am confronting. It has tremendously dropped my page rank and I would really like to do something about it. Any help would be greatly appreciated! Viewing 14 replies - 1 through 14 (of 14 total) * [Mark Ratledge](https://wordpress.org/support/users/songdogtech/) * (@songdogtech) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540241) * Did you go though the hack cleaning instructions? Or just read those links? * You’re on GoDaddy; they are constantly hacked. It’s best to find another host. See [Recommended WordPress Web Hosting.](http://wordpress.org/hosting/) * Thread Starter [joshvariedce](https://wordpress.org/support/users/joshvariedce/) * (@joshvariedce) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540245) * Thanks for the reply songdogtech! I went through the links and followed their advice, that’s where I came up with all of the above information (such as looking for those database entries and various files often associated with Pharma). * I’ve thought about moving from GoDaddy, especially since their customer support is awful, but I worry that moving right now wouldn’t do much for me if I make a backup of the database and retain whatever it is that is causing the spam linking. * [Mark Ratledge](https://wordpress.org/support/users/songdogtech/) * (@songdogtech) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540277) * You’re getting hacked because of server vulnerabilities at Godaddy. Moving will make a difference. * Thread Starter [joshvariedce](https://wordpress.org/support/users/joshvariedce/) * (@joshvariedce) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540280) * While I do appreciate that, I’d like to know exactly where this hack comes from/ how to get rid of it before spending extra money and relocating three websites. I haven’t found any replicating files or nasty code in any of the files located on the server, so I’m afraid that if I leave it will simply follow me. Then, if I can’t figure this out on one server, what’s the point of having a hacked wordpress located on a different server? * Have you seen this particular hack before? Will moving to a different host immediately stop it? * [Mark Ratledge](https://wordpress.org/support/users/songdogtech/) * (@songdogtech) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540283) * > I’d like to know exactly where this hack comes * It comes from server vulnerabilities and insecure adjacent accounts, neither of which your have control over. * > so I’m afraid that if I leave it will simply follow me * Have you absolutely cleaned your databases and changed all logins and passwords? Yes? Than the last vulnerability is the webhost. Search these forums for “godaddy hack.” * Thread Starter [joshvariedce](https://wordpress.org/support/users/joshvariedce/) * (@joshvariedce) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540284) * I’m reading about it now, didn’t know that Godaddy had such tremendous issues with WordPress in particular! * What kills me is my inability to find anything in the database/on the server. I would feel so much better about making the jump if I could find something malicious in the database that could be deleted. Then I would know that I could start over fresh. Once I do make the jump I’ll probably have to wait days until Google starts spidering the new server. * Any further database/pharma hack searches/queries/tutorials that you could link? * It’s possible that WordPress is being corrupted by a source within the Godaddy server that isn’t visible in either phpmyadmin or via my FTP? * Thread Starter [joshvariedce](https://wordpress.org/support/users/joshvariedce/) * (@joshvariedce) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540285) * I misread your comment about adjacent accounts, sorry. Interesting. I suppose it’ll be worth the $10 for a month or so on Dreamhost. How long do you think it will take for Google to spider the new server so I can know if the jump has been effective? * [Mark Ratledge](https://wordpress.org/support/users/songdogtech/) * (@songdogtech) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540286) * > didn’t know that Godaddy had such tremendous issues with WordPress in particular! * It’s exactly the other way around. * > I would feel so much better about making the jump if I could find something > malicious in the database that could be deleted. * You’re barking up the wrong tree. * > Once I do make the jump I’ll probably have to wait days until Google starts > spidering the new server. * No. * > Any further database/pharma hack searches/queries/tutorials that you could > link? * Google. * > …WordPress is being corrupted by a source within the Godaddy server that isn’t > visible in either phpmyadmin or via my FTP? * Yes. I’ve said that three times now. * > I suppose it’ll be worth the $10 for a month or so on Dreamhost. * Dreamhost is not one of my recommended hosts, either. * Thread Starter [joshvariedce](https://wordpress.org/support/users/joshvariedce/) * (@joshvariedce) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540287) * Although I detect some hostility, I do appreciate the help that you did provide. * [Mark Ratledge](https://wordpress.org/support/users/songdogtech/) * (@songdogtech) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540313) * It greatly helps matters if you _read_ my responses. * [MaggieMBF](https://wordpress.org/support/users/maggiembf/) * (@maggiembf) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540314) * Having same issue. I found something interesting however. When you past the link * [http://despitediabetes.com/the-one-where-i-go-all-public-service-or-a-plea-during-flu-season-to-the-world/](http://despitediabetes.com/the-one-where-i-go-all-public-service-or-a-plea-during-flu-season-to-the-world/) * and leave off the last “/” the preview draws the correct meta description/info. * When I copy the link and use the full link, including the last “/” I get this: * “Applying for loan lender rather in our finances faster Viagra Online Viagra Online than actually easier for every week.Problems rarely check should consider a brick and Vidrgne Levitra Vidrgne Levitra use it typically costs money.Such funding loans just one lump sum when Cialis 10mg Cialis 10mg gett…” * Interesting * Thread Starter [joshvariedce](https://wordpress.org/support/users/joshvariedce/) * (@joshvariedce) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540317) * @Sondogtech Lol, just trying to converse. My apologies for any misunderstanding. * [@maggie](https://wordpress.org/support/users/maggie/) Have you used Godaddy as well? Have you went through the regular Pharma Hack articles? * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://blog.aw-snap.info/2011/02/pharmacy-hack.html](http://blog.aw-snap.info/2011/02/pharmacy-hack.html) [http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html](http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html) [http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php](http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php) * [Mark Ratledge](https://wordpress.org/support/users/songdogtech/) * (@songdogtech) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540318) * **[@maggiembf](https://wordpress.org/support/users/maggiembf/):** View page source on your site and you will see the spam links. * [MaggieMBF](https://wordpress.org/support/users/maggiembf/) * (@maggiembf) * [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540321) * [@joshvariedce](https://wordpress.org/support/users/joshvariedce/) – yes, GoDaddy via cheap-domain and support there is useless too. I have gone through all the articles yes. Replaced the core WP stuff and thoroughly combed the DB – hubby is a DB guru and this is not my first WP dance. Nothing was found. * [@songdogtech](https://wordpress.org/support/users/songdogtech/) – actually the links do not appear when viewing pagesource. There are no links just the text for Viagra directly under the tag. This shows up and only appear when I’m webmastertools and google is fetching them as a bot. It’s rather strange.

Applying for loan lender rather in our finances faster Viagra Online BLAH BLAB BLUB * I am not trying to hi-jack here; I just wanted to show another oddity related to this as well as a GoDaddy link. I wish I had the cure Viewing 14 replies - 1 through 14 (of 14 total) The topic ‘Possible Pharma Hack?’ is closed to new replies. ## Tags * [pharma hack](https://wordpress.org/support/topic-tag/pharma-hack/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 14 replies * 3 participants * Last reply from: [MaggieMBF](https://wordpress.org/support/users/maggiembf/) * Last activity: [13 years, 3 months ago](https://wordpress.org/support/topic/possible-pharma-hack/#post-3540321) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics