• I’m running 4.0.1 and all my sites (6) on hostgator are not accessible anymore since this morning using chrome. It says they are all infected with [ malware site deleted, why give them air time? ]

    I have two other sites, also 4.0.1, on another server and they are accessible.

Viewing 15 replies - 46 through 60 (of 92 total)
  • Hi Folks

    Here is an update on what the SoakSoak Campaign is doing: https://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html

    Hope this helps

    @chadlamson: You sure? Check if you do not have other sites in the same account with it.

    All sites we analyzed so far had revslider.

    thanks,

    I don’t have rev slider.. but still facing the same issue..

    wp-includes/template-loader.php & wp-includes/js/swfobject.js

    were modified. I restored them using the installation files.. But it doesn’t seem to help

    @daniel I do have other sites in the same hosting account that have Rev Slider, but even the sites that do not have Rev Slider, have the infection.

    Another thing that is strange… I have WordPress installs on sites that do not have a domain pointing at them (I have to change my host file on my local machine to view them) and even these sites are infected. It seems it is able to move from site to site on a hosting account.

    it seems that if the solution but google has us blacklisted I have multiple domains and clearly that’s the error template-Loader.php and swfobject.js if you have not changed the error will observe the bottom of the these browser to redirect to soaksoak.ru I corrected and now no longer redirected to the web after it touches ship by google webmaster tool to check my website that is already clean

    OK, rev slider was on one of the sites but it has spread through an entire directory, modified date on the files is 13/12/2014. Removing just those files within the desired site does not resolve but I assume this is nested somewhere, will need Sucuri to find the source PLEASE! ??

    13/12/2014 yes me too

    A lot of these reports sound like what we saw as well. For those of you that don’t have revslider on the site, realize that once a hacker has access to a standard hosting account they can access every single site under the account. A better setup is to have these isolated but that’s not how it is often configured.

    Also, revslider may exist inside a theme directory. You need to either really dig through things or run a search for rev slider (if you have shell access,
    find . -name "revslider" -type d
    when in the site’s wp-content directory).

    That all assumes revslider is really the root cause, but we’ve looked closely through the logs for one site and I’m pretty sure it was in that instance.

    In addition to the other files mentioned in this thread, please check your /wp-content/plugins/cached_data/ folder. I haven’t personally seen a huge number of these attacks, so I don’t know how common it is. But we have seen that folder created, with a back door, mass mailing script, and some other junk in it that needs to be removed.

    So I am going through each of my sites and reinstalling WordPress, and making sure all plugins are up to date. Once I do this, do the sites that got blacklisted need to be submitted to Google to take them off of the list?

    I’ve been taken off the Google blacklist now after submitting a review with the changes I made earlier…

    • Replaced wp-includes/template-loader.php and wp-includes/js/swfobject.js
    • Manually updated Revolution Slider (it was built into the theme)
    • Updated Akismet (it was the only out of date plugin listed)

    Hopefully someone can find the attack vector…

    Hi, my 6 sites are infected with the swfobject.js .. A code is automatically injected in swfobject.js file .. Any solution ? … I think it's really some bug in WordPress…

    Moderator Jan Dembowski (@jdembowski), Forum Moderator and Brute Squad

    … I think it's really some bug in WordPress…

    It does not appear to be, give this a read for why that is.

    Malware is still there after replacing
    wp-includes/template-loader.php & wp-includes/js/swfobject.js

    I restored them using the installation files but it doesn’t seem to help.

    From what I can see, this is probably the attack vector that was used.

    So I have gone through and made sure that all plugins are up to date, and reinstalled WordPress on all of my sites. I have submitted a request to Google to remove the blacklist, and they have started doing so.

    One problem though. I have started finding references to the link below in various plugins on the sites that were infected. One was in a file from Gravity Forms and another was in LayerSlider. Here is the link:

    122.155.168.105/ads/inpage/pub/collect.js

    This is causing errors on the sites, which is how I found it. Anyone else running into this?

  • The topic ‘All my sites (6) hacked’ is closed to new replies.
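
The checks suggested across the replies above, gathered into one read-only scan of a whole hosting account. This is an added example, not part of any post in this thread; the function name `scan_account`, the output labels and the optional clean WordPress copy used for comparison are assumptions.

```shell
#!/bin/sh
# Added example: scan every WordPress install under one hosting account for
# the indicators reported in this thread. Read-only; it deletes nothing.
# Usage: sh scan.sh ACCOUNT_ROOT [CLEAN_WP_DIR]
#   ACCOUNT_ROOT  directory holding all sites of the account (assumption)
#   CLEAN_WP_DIR  unpacked copy of the same WordPress release (assumption)

scan_account() {
    root=$1
    clean=${2:-}

    # Revolution Slider copies, including ones bundled inside a theme.
    find "$root" -type d -iname 'revslider' 2>/dev/null |
        sed 's/^/REVSLIDER /'

    # Folder reported to hold a back door and a mass mailing script.
    find "$root" -type d -path '*/wp-content/plugins/cached_data' 2>/dev/null |
        sed 's/^/CACHED_DATA /'

    # Script references reported in this thread, in any PHP or JS file
    # (this also covers plugin files such as the ones mentioned above).
    grep -rlE --include='*.php' --include='*.js' \
        'soaksoak\.ru|/ads/inpage/pub/collect\.js' "$root" 2>/dev/null |
        sed 's/^/REFERENCE /'

    # The two core files reported as modified. With a clean copy they are
    # compared byte for byte; without one they are only listed for review.
    find "$root" -type f \( -path '*/wp-includes/template-loader.php' \
        -o -path '*/wp-includes/js/swfobject.js' \) 2>/dev/null |
    while IFS= read -r f; do
        rel="wp-includes${f##*/wp-includes}"
        if [ -n "$clean" ] && [ -f "$clean/$rel" ]; then
            cmp -s "$f" "$clean/$rel" || echo "MODIFIED $f"
        else
            echo "UNVERIFIED $f"
        fi
    done
}

# Run only when a path is given on the command line.
if [ $# -gt 0 ]; then
    scan_account "$@"
fi
```

Point it at the top of the account rather than a single site, since the replies report the infection on sites without Rev Slider and on installs with no domain attached.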