Some 100,000 or more WordPress sites infected by mysterious malware
The campaign has prompted Google to flag more than 11,000 domains as malicious, but many more sites have been detected as compromised, according to a blog post published Sunday by Sucuri, a firm that helps website operators secure their servers. Researchers have yet to confirm the cause of the infection, but they suspect it’s related to a vulnerability in Slider Revolution, a WordPress plugin, that was disclosed in early September. Update: In a new blog post published after Ars went live with this brief, Sucuri says it has confirmed the so-called “RevSlider” vulnerability is the culprit.
The in-the-wild attack observed by Sucuri causes infected sites to load highly obfuscated attack code on every webpage that includes the following:
The code causes pages to download the malicious payload from hxxp://soaksoak.ru/xteas/code. Judging from some of the reader comments, some administrators were surprised to find that the sites they oversee were infected. Sucuri’s free site check scanner will detect sites that are actively compromised. Disinfection involves removing malicious code added to a script located at wp-includes/template-loader.php. WordPress admins who use the Slider Revolution plugin should also ensure it’s up to date, but Sucuri noted the difficulty of getting all websites to universally apply the fix.
“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner,” Sucuri stated in the latest post. “Some website owners don’t even know they have it as it’s been packaged and bundled into their themes. We’re currently remediating thousands of sites and when engaging with our clients many had no idea the plugin was even within their environment.”
The update also noted the difficulty of cleaning infected sites. It stated:
We are hearing a lot of recommendations online to just replace the swfobject.js and template-loader.php files to remove the infection.
It does removes the infection, but does not address the left over backdoors and initial entry points. The website will be reinfected quickly. If you are affected by this, expect to find yourself riddled with backdoors and infections, you have to not only clean, but also stop all malicious attacks. You can stop malicious attacks through the use of a Website Firewall, ours or someone else, just use a Firewall, a real one preferably.