SoakSoak malware: Infection hallmarks and removal resources

Posted on December 24, 2014 - 14:38 by ccondon

On December 14, Sucuri wrote about the massive “SoakSoak” malware campaign targeting WordPress sites through a vulnerability in the RevSlider plugin. The plugin is wrapped into many WordPress themes (as disclosed to Sucuri by DreamHost’s Mika Epstein in September). Google blacklisted thousands of sites that they detected as having been infected with the malware. Safe Browsing diagnostics for soaksoak[.]ru indicate that Google has detected SoakSoak infections on more than 17,000 sites. Sucuri reckons over 100K sites were compromised in the campaign’s initial onslaught.

Sucuri has some snippets of bad code and cleanup advice here and here. Webmasters who have already cleaned up should note that the malware has morphed and has been reinfecting sites—more on this in our notes below.  

Our testing queue ballooned as a result of the attack, since many webmasters whose sites were infected have been requesting StopBadware reviews. We’ve also seen a number of posts on various forums (WordPress.org forum, Google’s malware and hacked site forum, our own community forum) with questions and advice on removing the malware.

The good news is that webmasters appear to be having success cleaning up SoakSoak infections. The following are some notes from our testing team on what we’re seeing with respect to this campaign. 

Obfuscated JavaScript

Initially, we saw a lot of obfuscated code on .js pages. For example, we found the following on pages such as caption.js:

obfuscated JavaScript SoakSoak malware


Right now, we’re seeing a lot of false “collect.js” scripts inserted into homepages, either right at the beginning of a <script> tag accompanied by other legitimate js files, or more conspicuously right after the </head> tag. 

The script itself will not deliver to our testers, but it always runs from one of a few IPs, most commonly or The former has been replacing the latter during recent tests, suggesting that the IP itself is periodically changing. 

The code is innocuous-looking other than its placement and the naked IP. Some examples: 

Bad script SoakSoak malware campaign

Another bad script from SoakSoak

Deleting this code gets rid of the infection (though notably not any backdoors or vulnerabilities that allowed the compromise to begin with), and webmasters do seem to be getting rid of it. 

A note on cleanup

If your site has been affected, note Sucuri's warning:

We are hearing a lot of recommendations online to just replace the swfobject.js and template-loader.php files to remove the infection...It does remove the infection, but does not address the left over backdoors and initial entry points.

In this case, the infection vector is the RevSlider plugin. In addition to getting rid of the bad code (but please don't delete files at random!), you'll need to update the plugin and any themes you're using that have RevSlider wrapped into them. Ask your hosting provider and/or a professional website malware removal specialist for help if you're unsure about the files you're modifying. You can always ask for help on free forums like the WordPress.org forum, StopBadware's community forum, and Google's malware and hacked sites forum

Huge brute force attack targets popular blogging platforms worldwide

Posted on April 13, 2013 - 12:03 by ccondon

Over the past 48 hours or so, a large, highly-distributed attack has been hitting WordPress and Joomla sites worldwide. Hosting providers have noted a significant uptick in the number of login attempts, particularly for WordPress (e.g., wp-login.php). The attacks are reportedly coming from a botnet using more than 90,000 servers. Hosting providers around the world have noted the prevalence of the attacks and detailed some security measures they’re taking, along with measures they encourage customers to take.

This, as many others have observed, is a brute force attack. That means: Attackers hit access points with thousands upon thousands of common username and password combinations in quick succession. In this case, the usernames that hosts/security experts are seeing are admin, Admin, administrator, test, and root. They are tried in combination with dictionary words and common passwords that everyone’s been warning about for years (e.g., 12345678, password, qwerty, monkey, etc). Sites that are hacked as a result of the brute force attack are infected with malware, laced with a backdoor that allows attackers to maintain access, and conscripted into the botnet perpetrating the attacks.

Security blogger Brian Krebs has a good summary of the attacks and a sample list of the username-password combinations being used, courtesy of security company (and StopBadware Partner) Sucuri. Sucuri also has an excellent article on the attacks and the data they’ve collected.

If you’re the owner of a WordPress or Joomla site (or any other site, for that matter):

  • Make sure you’re using a strong password. This means long, it means complex, it means avoid those dictionary words. 
  • Not using a strong password? Log into your site and change it. Right now.
  • Get rid of that “admin” or other default username. By keeping it around, you’re making half of your username-password combo easy to guess. Not sure how to delete the admin user? Here’s an easy how-to.
  • Use two-factor authentication. You can find directions for doing this on WordPress.com here.  If you’re using WordPress.org, there are a number of third-party plugins that allow you to do this.
  • If you suspect you’ve been infected, get in touch with your hosting provider. Keep in mind that many hosts are dealing with the fallout from this attack and may be strapped for resources. You may also have trouble logging into your site because of the sheer volume of the attack.

The two hosting providers mentioned in the first paragraph, InMotion and Melbourne Hosting, have good information on the attacks and how to protect yourself. Our partners Sucuri, Sophos, and CloudFlare have also been covering the attacks and publishing useful data for site owners and security companies.

[More information on protecting your website or your WordPress site]

UPDATE (15 April 2013): One of our BadwareBusters.org volunteers contacted us with some useful information:

While many of the suggestions here are good, changing the username isn't slowing down the attacks. On our honeypots we've been seeing this:


This enumerates the userID's. If you've changed the admin username, the first one will return:

Sorry, but you are looking for something that isn’t here.

However, if you keep incrementing the last number, you'll eventually see this in your browser address bar:


Now the hacker knows the userID and username. They find this, add their dictionary of passwords and continue right along. Strong passwords and two-factor authentication seem to be the best. Captcha is an option as well, although we still see hackers trying various schemes to crack Captcha.

(Thanks to Thomas Raef of We Watch Your Website for the info.)

WordPress still a common entry point for bad code

The popular blogging platform WordPress, and its multi-user counterpart WordPress MU, continue to be common entry points for badware. In a typical scenario, a security vulnerability is discovered and patched, but many website owners running WordPress do not install the updated version of the WP software, leaving their sites open to the exploits that inevitably follow. Two examples have come up in the past week over on BadwareBusters.org. WordPress plug-ins are sometimes vulnerable, as well.
A new vulnerability was announced this week by Corelabs. Reportedly, WordPress 2.8.1 and WordPress MU 2.8.1 are safe, while prior versions are at risk.
What can the community collectively due to help with this ongoing pattern?
Site owners can keep up with updates through the WordPress blog or through WordPress's admin interface, and install the updates as quickly as possible. Similarly, the admin interface shows updates for plug-ins, which should also be installed quickly when the updates are security related.
WordPress and plug-in developers can ensure that security is a high priority in developing code and can make the upgrade process as seamless as possible for site owners. Providing a dedicated subscription e-mail list exclusively for notifying users of new security updates would also be helpful.
Web hosting companies that offer simple installation of WordPress can notify their customers when a new version is available and encourage them to update, ideally through a process as simple as the initial installation. Even hosting companies that do not offer installation may consider scanning their systems for outdated WordPress installs and notifying their customers of the need to update.
With a combined effort, we should be able to help WordPress to remain a popular blogging system while making it a less popular malware distribution system.