On December 14, Sucuri wrote about the massive “SoakSoak” malware campaign targeting WordPress sites through a vulnerability in the RevSlider plugin. The plugin is wrapped into many WordPress themes (as disclosed to Sucuri by DreamHost’s Mika Epstein in September). Google blacklisted thousands of sites that they detected as having been infected with the malware. Safe Browsing diagnostics for soaksoak[.]ru indicate that Google has detected SoakSoak infections on more than 17,000 sites. Sucuri reckons over 100K sites were compromised in the campaign’s initial onslaught.
Sucuri has some snippets of bad code and cleanup advice here and here. Webmasters who have already cleaned up should note that the malware has morphed and has been reinfecting sites—more on this in our notes below.
Our testing queue ballooned as a result of the attack, since many webmasters whose sites were infected have been requesting StopBadware reviews. We’ve also seen a number of posts on various forums (WordPress.org forum, Google’s malware and hacked site forum, our own community forum) with questions and advice on removing the malware.
The good news is that webmasters appear to be having success cleaning up SoakSoak infections. The following are some notes from our testing team on what we’re seeing with respect to this campaign.
Initially, we saw a lot of obfuscated code on .js pages. For example, we found the following on pages such as caption.js:
Right now, we’re seeing a lot of false “collect.js” scripts inserted into homepages, either right at the beginning of a <script> tag accompanied by other legitimate js files, or more conspicuously right after the </head> tag.
The script itself will not deliver to our testers, but it always runs from one of a few IPs, most commonly 18.104.22.168 or 22.214.171.124. The former has been replacing the latter during recent tests, suggesting that the IP itself is periodically changing.
The code is innocuous-looking other than its placement and the naked IP. Some examples:
Deleting this code gets rid of the infection (though notably not any backdoors or vulnerabilities that allowed the compromise to begin with), and webmasters do seem to be getting rid of it.
A note on cleanup
If your site has been affected, note Sucuri's warning:
We are hearing a lot of recommendations online to just replace the swfobject.js and template-loader.php files to remove the infection...It does remove the infection, but does not address the left over backdoors and initial entry points.
In this case, the infection vector is the RevSlider plugin. In addition to getting rid of the bad code (but please don't delete files at random!), you'll need to update the plugin and any themes you're using that have RevSlider wrapped into them. Ask your hosting provider and/or a professional website malware removal specialist for help if you're unsure about the files you're modifying. You can always ask for help on free forums like the WordPress.org forum, StopBadware's community forum, and Google's malware and hacked sites forum.