
Hacked? Weird Greek Text & Code Hidden in Your WordPress Database

Published on 1/6/2026
MD Pabel

Did you recently check your WordPress database or source code and find strange, unreadable blocks of code? Perhaps you noticed your website ranking for keywords related to “Greek Pharmacy” or “andrikofarmakeio”?

If you found a script containing the ID M6bMm64IekltUmnGh3vrm9 or a function called oeYR5CtKOu7Yvb, your site has been compromised by a specific strain of SEO Spam Malware.

You are likely asking: What is this? Why is it there? And how do I get it out?

First: Verify This Is Your Infection

Clients often find us after seeing this specific block of code inside their wp_posts table (often appearing right after legitimate text):

<div id="M6bMm64IekltUmnGh3vrm9"><p><a href="https://andrikofarmakeio.com/">κοιτάξτε εδώ</a></p></div>

It is usually followed by a script that looks like this:

<script type="text/javascript">function oeYR5CtKOu7Yvb(){var mbO=document.getElementsByTagName...

If this matches what you see, stop editing immediately and read below.


What Is This Doing to My Business?

This is known as the “Greek Pharma Hack.”

Hackers haven’t just “broken” your site; they are parasitic. They are using your website’s good reputation to sell illicit products for a third party.

  1. They are stealing your Google Authority: The code creates a “hidden link” to a Greek pharmacy website. The code uses a trick (top:-152413851px) to push the link 152 million pixels off-screen. You can’t see it, but Google can.

  2. You face a Google Ban: Google’s bots are smart. They know this link is hidden (a technique called “Cloaking”). When they detect it, they will flag your site as “Deceptive.” Your legitimate pages will be de-indexed, and your traffic will crash.

  3. It spreads automatically: This isn’t just in one post. This malware usually injects itself into hundreds or thousands of your database rows simultaneously.

Why You Can’t Just “Delete” It

If you are a business owner attempting to fix this yourself via phpMyAdmin, be very careful.

The malware inserts itself into the middle of your actual content (your blog posts, page text, and product descriptions).

  • The Risk: If you run a generic “Delete” command, you risk corrupting the formatting of your entire website, breaking images, and losing your original text.

  • The Re-infection: Deleting the code handles the symptom, not the cause. The hacker likely entered through a vulnerability in an outdated plugin or a weak password. If you delete the code without closing the door, they will simply re-infect you (often within hours).

How We Clean This For You

We specialize in removing SEO Spam Injections like the andrikofarmakeio variant.

Instead of risking your data, we perform a forensic cleanup:

  1. Database Scrubbing: We use precise Regular Expressions (Regex) to surgically remove only the malicious ID M6bMm64IekltUmnGh3vrm9 and its associated script, leaving your legitimate content 100% intact.

  2. Backdoor Removal: We hunt down the “shell” or rogue file the hackers are using to access your server.

  3. Google Restoration: Once clean, we help you submit a “Reconsideration Request” to Google to get your rankings back on track.
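
One way to do the targeted removal described in step 1, shown here as an added example (not the author's or 3Zero Digital's own tooling). It assumes post_content values have been exported from wp_posts; the function names are hypothetical, and the sample row is constructed, with a placeholder script body because the article truncates the real one.

```python
import re

# Indicators taken from the article; everything else here is illustrative.
DIV_ID = "M6bMm64IekltUmnGh3vrm9"
FUNC_NAME = "oeYR5CtKOu7Yvb"
FLAGS = re.IGNORECASE | re.DOTALL

# The injected <div>, up to its own </div>. The tempered dot refuses to cross
# another <div>, so a match can never swallow surrounding legitimate markup.
DIV_RE = re.compile(
    r'<div\s+id=["\']' + re.escape(DIV_ID) + r'["\'][^>]*>'
    r'(?:(?!<div\b).)*?</div>', FLAGS)

# A <script> element whose body mentions the injected function name. The
# tempered dot stops at the first </script>, so other scripts are left alone.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*>(?:(?!</script>).)*?' + re.escape(FUNC_NAME) +
    r'(?:(?!</script>).)*?</script>', FLAGS)


def scrub(content):
    """Return (cleaned_content, number_of_fragments_removed)."""
    cleaned, n_div = DIV_RE.subn("", content)
    cleaned, n_script = SCRIPT_RE.subn("", cleaned)
    return cleaned, n_div + n_script


def residual_indicators(content):
    """Indicators still present after scrubbing; non-empty means manual review."""
    return [i for i in (DIV_ID, FUNC_NAME) if i in content]


# Constructed sample row: legitimate content on both sides of the injection.
# The script body is a placeholder, not the real payload.
LEGIT_BEFORE = '<p>Our opening hours are 9 to 5.</p>'
LEGIT_AFTER = '<script>console.log("site analytics");</script><div class="cta">Call us</div>'
INJECTED = (
    '<div id="M6bMm64IekltUmnGh3vrm9"><p><a href="https://andrikofarmakeio.com/">'
    'κοιτάξτε εδώ</a></p></div>'
    '<script type="text/javascript">function oeYR5CtKOu7Yvb(){/* placeholder */}</script>')
SAMPLE = LEGIT_BEFORE + INJECTED + LEGIT_AFTER

if __name__ == "__main__":
    cleaned, removed = scrub(SAMPLE)
    print(removed, "fragments removed; leftover indicators:", residual_indicators(cleaned))
    print(cleaned)
```

Run it against a backup copy first and write back only rows where `residual_indicators` returns an empty list. Serialized PHP values (common in wp_options and wp_postmeta) carry length prefixes that a plain regex replacement would invalidate, so handle those separately.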

Don’t let hackers siphon off your traffic.

If you see this code, contact us immediately for a specialized cleanup.


About the Author

MD Pabel


MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.