With all the news about companies like Sony being hacked, you may have missed another huge piece of news. Recently, over 11,000 domains were blocked on Google through blacklisting due to the recent malware attack by Soaksoak.ru’s.
The Plugin Problem
Sucuri.net, a website security firm, reported the malware, and Google’s response, after its analysis showed “impacts in the order of 100’s of thousands of WordPress specific websites.” The company conducted some initial research and quickly isolated the problem. They identified that sites making use of the Slider Revolution plugin were being targeted. They suggested that sites using the plugin upgrade to the latest versions. They were also advised to install sufficient security measures and backup tools in case of malware affecting their sites. That said, the upgrade process is not straightforward as the plugin is a premium one, so even after managing to perform an upgrade, webmasters may still be hosting compromised files on their websites.
Comments from the Sucuri CTO
Daniel Cid, CTO of Sucuri, published a blog post which outlined the attack sequence and provided greater detail with regard to the attack. He outlined it’s execution, which seemed to be originating from the Russian website SoakSoak[dot]ru . Whether the site was specifically created with the purpose of distributing the malware was uncertain. Attempts to contact the site owners proved unsuccessful. Cid went on to say that the campaign used backdoor payloads which were previously unseen and furthered infiltration by being added with images and enabled the addition of administrator users to the WordPress installs. Securi.net went on to say users are warned that removing the compromised files – swfobject.js and template-loader.php – will not solve the problem. WordPress is in an unfortunate position and are urging the developers to release a fix.
Who is Affected?
The vulnerability only seems to be affecting self-hosted WordPress websites, so if you’re a blogger on WordPress.com, you don’t have to worry. If you’re one of the self-hosted WordPress users affected by this, Sucuri.net currently has a tool to help check if your site is infected. Securing your WordPress installation should be a top priority and it’s definitely worth shelling out a few bucks on a decent malware scanner and backup solution (like SiteLock!). After all, it’s cheaper to prevent an attack and have a backup in place to restore your site, than it is to rebuild it or lose a lot of money due to a compromised site. And as always, if you have any questions feel free to reach out to us at A Small Orange! We're more than happy to help!