All my sites (6) hacked

you have reason says that the folder / public_html / wp-content / plugins / revslider / temp / update_extract there 2 files to a folder that was created on 12/11/2014 and the 13/12/2014 another thing I do not believe these days to enter license.php found a file

I have rev slider, but it is current.

Was there anything in your /revslider/temp/update_extract/ folder?

two files:

lib.php
revslider.zip

both dated 12/12/2014

And Avast IDs the lib.php as containing malware

are these 2 files download and see

default.zip
https://drive.google.com/file/d/0B_HUWvZR4DVyM25YVDRzNFhQOFE/view?usp=sharing

revslider
https://drive.google.com/folderview?id=0B_HUWvZR4KVyYm4wVFVwNESwX0U&usp=sharing

but I think we are not the problem because I have this other https://rafalfonsofotografo.com.co/ website and does not have the revslider

Here’s what sucuri found for us:

Problem file is here:
wp-content/plugins/revslider/temp/update_extract/lib.php

Issue is this:
php.backdoor.filesman.002.002

Also check the child theme footer.php. You’ll find the hack code at the top as well.

It starts with this:

<?php /* <!– Begin WordPress Cache (DO NOT MODIFY) –> */eval(base64_decode

I currently have over 14 sites affected, it seems a little more complex than the above and rev slider although present on a couple of the sites was up to date and not present on most of the sites affected.

someone found a solution?

Securi and currently looking at all of the sites as it doesn’t seem to have spread to all (51) sites in that server but does not seem to be directly linked to rev slider in this case nor does replacing those two files provide a solution although its the same web address referenced and it presented first one day ago with a missing link to soaksoak.ru

if that’s right apparently yesterday and today and neither is the revslider lib.php nor anything that is apparently

Recently, a client′s site was infected with malware from soaksoak.ru on a WordPress website running version 4.0.1, it seems it was a massive attack and many people is reporting the same security problem over the net. You may receive a warning from your browser.

It seems the attack modifies two WordPress core files:

Template-loader.php (located at: /wp-includes/template-loader.php)
swfobject.js (located at: /wp-includes/js/swfobject.js)

I fixed the problem replacing the modified files, to do so, download a fresh new installation of WordPress at:

https://www.ads-software.com/download/

Upload and replace the modified files.

*Make sure your WordPress site is up to date, update all your plugins too.

Its good idea to install a security plugin like Wordfence or Sucuri scanner

*Important: When the issue is fixed, request a Google review to avoid further browser warnings. Instructions to do this:

https://support.google.com/webmasters/answer/2600725?hl=en

I hope this help you fix the soaksoak.ru WordPress malware.

Having the same issue on some of my sites. I can also confirm that I have sites with this same malware that DO NOT have Rev Slider installed.