Looks like there’s an exploit going around that appears to be similar in nature to the TimThumb vulnerability. If you have recently noticed a bunch of “Cannot Redeclare” errors, along with injected eval code, while browsing your website, chances are you’ve become a victim of this attack. Jeff Starr of DigWp.com, co-author of the book Digging Into WordPress, has laid out a series of steps on how you or a consultant can clean up the mess that’s left behind. It’s also worth noting the following forum thread on the WordPress.org support forums, where a number of people have been trying to investigate how this attack works.
By Jeffro on November 29, 2011
By Jeffro on April 16, 2010
Chris Pearson, whose personal site recently became infected with the Pharma Hack, which took advantage of his site’s popularity and backlinks to cloak spam links in Google results, has published an in-depth piece on how to diagnose and fix the problem. Chris goes into detail about what the hack does and how to use tools such as phpMyAdmin and FTP to determine whether you’ve been infected. According to his analysis, this hack is pretty clever in the way it accomplishes its goals without being blunt about it. There is no telling how long the spam links would have existed had Pearson’s fans not let him know about it. Unfortunately, Chris Pearson has no idea how the hacked files got into his account.
At this time, there is still one huge unanswered question about the WordPress pharma hack: How in the hell did the hackers manage to get into your server in the first place? I’ve received reports of the pharma hack on a variety of different Web hosts and server configurations, so it’s clear that the main vulnerability extends beyond a single host/server platform. So far, the only common denominator between the sites I’ve examined is that they’re all running WordPress, but even this fact doesn’t mean that WordPress itself is the problem.
There is currently an ongoing thread in the Tavern forum where we are trying to piece together the various bits of information and find a pattern, but with reports spread out among different hosts and environments, the one commonality between them all is the use of WordPress. On the surface, this has everyone thinking there is some inherent flaw in the WordPress software causing this attack. Until that is confirmed, it is only a similarity, not an established cause. If you have been hit with this attack, you are encouraged to participate in the thread and explain the circumstances in your case.
Kudos to Chris Pearson for diving deep into the issue and then providing a fix that hopefully solves the problem for other people in the community.
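As an added, defender-side example that is not code from either post, from Jeff Starr’s cleanup steps or from Chris Pearson’s write-up, here is a small Python triage script for the two symptoms the posts describe: obfuscated eval() loaders injected into PHP files, and function names declared in more than one file, which is exactly what makes PHP throw a “Cannot redeclare” error once both files are loaded. The sample file contents and paths are constructed for the example, and the pattern list is an assumption about typical injected loaders, not a signature set taken from either article.

```python
import re
from collections import defaultdict
from pathlib import Path

# Signatures of obfuscated PHP loaders commonly seen in injected code.
# Constructed for this example; extend it with whatever your cleanup turns up.
SUSPICIOUS_PATTERNS = {
    "eval(base64_decode(...))": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval(gzinflate(...))": re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I),
    "eval(gzuncompress(...))": re.compile(r"eval\s*\(\s*gzuncompress\s*\(", re.I),
    "eval(str_rot13(...))": re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.I),
}

# Top-level or nested PHP function declarations: "function name("
FUNCTION_DEF = re.compile(r"^\s*function\s+([A-Za-z_]\w*)\s*\(", re.M)


def scan_source(source: str):
    """Return (label, line_number) for each suspicious construct in one PHP source."""
    findings = []
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append((label, line_no))
    return sorted(findings, key=lambda f: f[1])


def duplicate_functions(sources: dict):
    """Map function names declared in more than one file to the files declaring them.

    PHP raises "Cannot redeclare <name>()" when a definition is loaded twice, so
    a name that shows up in several files is a good lead when triaging those errors.
    """
    declared = defaultdict(list)
    for path, source in sources.items():
        for name in set(FUNCTION_DEF.findall(source)):
            declared[name].append(path)
    return {name: sorted(paths) for name, paths in declared.items() if len(paths) > 1}


def scan_tree(root: str, extensions=(".php",)):
    """Walk a directory, scan every PHP file, and return (per-file findings, duplicates)."""
    sources = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in extensions:
            sources[str(path)] = path.read_text(errors="replace")
    per_file = {p: scan_source(s) for p, s in sources.items()}
    return {p: f for p, f in per_file.items() if f}, duplicate_functions(sources)


# Constructed sample files standing in for a WordPress install (not real infected code).
SAMPLE_FILES = {
    "wp-content/themes/demo/functions.php": (
        "<?php\n"
        "function demo_theme_setup() {\n"
        "    add_theme_support('post-thumbnails');\n"
        "}\n"
    ),
    "wp-content/plugins/demo/demo.php": (
        "<?php\n"
        "eval(base64_decode('<obfuscated payload placeholder>'));\n"
        "function injected_helper() {}\n"
    ),
    "wp-content/themes/demo/header.php": (
        "<?php\n"
        "function injected_helper() {}\n"
        "?>\n<html>\n"
    ),
}

if __name__ == "__main__":
    # Run the scanner over the constructed samples; point scan_tree() at a real
    # document root to do the same over an actual install.
    for path, src in SAMPLE_FILES.items():
        for label, line in scan_source(src):
            print(f"{path}:{line}: {label}")
    for name, paths in duplicate_functions(SAMPLE_FILES).items():
        print(f"function {name}() declared in: {', '.join(paths)}")
```

Treat hits as leads rather than verdicts: legitimate plugins occasionally use base64 for assets, so compare each flagged file against a clean copy of the same plugin or theme version before removing anything, and check every file that declares a duplicated function name, since the copy in the core or theme file is usually the legitimate one.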