All my sites (6) hacked

I just replace those 2 files with the original one from wordpress it’s done. my website is back to normal. thanks @iLabz Dev.

Hi,

I’m seeing a lot of posts where you all advise each other to replace two single files to fix this.

This is not how you should approach such situations, if somebody has gotten in, no matter how, you should be redeploying backups and downloading a fresh copy of the themes and plugins you use (including WordPress core files!), because you most likely won’t know which files have been tempered with.

Also remember that just disabling a plugin that has a security hole is not enough, as the files are still there on your server at that point until you remove the plugin entirely or update it.

I had the same problem in 5 webpages.
I deleted the two infected files and upload the right files.
I updated WP, all plugins and themes and I have installed a plugin for update automatically the plugins in the future.
I had to ask for revision to Google from Webmaster Tools but it was quick.

I have exactly the same issue with Hostgator, its started 7 days ago with one website, and a warning from webmaster tools about Pharma malware.

I rang hostgator and was dircted to the article below and submitted a ticket to their security team

https://support.hostgator.com/articles/pre-sales-policies/security-abuse/my-account-was-hacked

It’s been 7 days since I submitted the ticket, I have had no response, only when I phoned yesterday was I told their team were now working on the issue, but now all 35 websites on the server have been infected.

It started by hijacking the meta descriptions, then progressed to full re-directs, now pumping spam emails out of each website.

I am wondering if it’s a hostgator issue?

hi
every body
i have a lot of website in many hosts
and several are hacked on one host
but another who are on 1and1.com with exactly the same wordpress and same plugins don’t have any problems
and i don’t use revslider
may be some issues on the host

Did anyone else notice that the issue came back today? There’s more to it than just replacing those 2 files. The same 2 files were corrupted today.

There’s more to it than just replacing those 2 files.

Yes, unfortunately, that’s very often the case with a hacked site – as Jan posted in the second post in this thread, you need to go through all of these:

You need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
Hardening WordPress
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

And also make sure you’ve addressed the RevSlider vulnerability –

https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

Hi every one, i have cleaned my clients 10 websites using this [Paywall link redacted]. Follow this, and forget all other things, also remember to change your hosting pswd, ftp and database pswd etc ….. then do these steps as mentioned by Tech Leaks … This mallware has infected more than 100000+ websites and no. is still increasing ……

Regarding 122.155.168.105/ads/inpage/pub/collect.js.
We are infected with this script, too. From first investigation, it seems is using same penetration way as soaksoak.ru, since we found a file in /revslider/temp/update_extract/ that looks to be the one used to hack the sites. The file was created after we cleaned up the soaksoak infection. The code seems to parse all wordpress files and replaces the header closing tag </head> string with a script string calling the above script. Because we found infected files even in themes that are not active, I think is scanning all existing folders it gets access. The call to collect.js returned 404 in our case which made the affected pages to load slow. When we investigated the slowness we saw the call to the script.

This may be a repeated solution but this is what worked for me:

-Replace the full wp-admin and wp-includes with a fresh version. Review your .htaccess in sites as well to see if there is any suspicious text.
–There are two main files that were updated and none of the others were throughout the sites. They were: wp-includes/js/swfobject.js and wp-includes/template-loader.php
-After that, resubmit the sites through Google Webmasters. Be sure that if you have any other WordPress websites in one domain, to do the same throughout all websites. Even to be safe, replace it all on websites that don’t even have a revslider.

This helped me after a day of research and testing on about 8 of my websites that it had happened to. Best of luck and I’ll keep you posted on anything further that happens.

Those two files may be only the tip of the iceberg…

Source:

https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html

This campaign is also making use of a number of new backdoor payloads, some are being injected into images to further assist evasion and others are being used to inject new administrator users into the WordPress installs, giving them even more control long term. Some users are clearing infections and getting reinfected within minutes and the reason is because of the complex nature of the payloads and improper cleaning efforts.

As Techano already linked to, Simply replacing infected files with clean ones is not going to get rid of this hack. If your site is affected by SoakSoak, you may as well consider the entire site compromised. In that case, you should restore the site from a clean backup and then either remove RevSlider or update it with the latest version. Then work on Hardening your WordPress installation.

https://codex.www.ads-software.com/Hardening_WordPress

That’s correct folks, the real issue here is the arsenal of payload being leveraged once inside the environment.

You are suffering reinfections because of the type of backdoors being leveraged, all designed to address half, if not all, the hardening recommendations in that Hardening documentation. Sorry we don’t have better news.

1 – you have to figure out how to stop the malicious request coming to your server. You can do this via modsec if you have a VPS, or leverage a firewall

2 – Once you have stopped the requests, then go about cleaning. If you don’t do it this way, you’ll clean simply to find it reinfected. Even if you remove the revslider or any other vulnerability plugins / themes. Once in your environment, consider it owned.

If you have an environment with multiple sits, consider your entire stack owned. You can’t trust JS, PHP or Images. We’re finding payloads injected into image headers and functioning as backdoors.

All the best

So has anyone found a firewall solution to block the backdoors? I know Sucuri is good, but I can’t afford to put that on 25+ sites.