Slider Revolution (not Wordfence) Hacked


wraith808:
Thankfully, I don't use Wordfence, but apparently it was hacked.  Apparently several (1000s?) Wordpress sites have been hacked through a vector of an old version of Slider Revolution.  I found out from going to dulfys.net, and looking for updates.

http://www.swtor.com/community/showthread.php?t=783325

http://www.reddit.com/r/swtor/comments/2p8yus/anyone_else_getting_soaksoakru_alerts_at_dulfy/

https://wordpress.org/support/topic/all-my-sites-6-hacked-with-soaksoakru?replies=5

And the quote for succinctness:

Looking into it, thanks for the heads-up.

It is a known issue affecting multiple wordpress sites apparently. Either vulnerable plugin or something in wordpress: https://wordpress.org/support/topic/all-my-sites-6-hacked-with-soaksoakru?replies=5

Update: We have identified and removed the hacked files. The site should be okay now. May take a day for the warning to clear.

--- End quote ---

http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522

Apparently the attack vector has been identified.  Again, I don't use it... so just posting this as a PSA.

rgdot:
where do these say Wordfence was hacked?

wraith808:
where do these say Wordfence was hacked?
-rgdot (December 14, 2014, 01:21 PM)
--- End quote ---

Look at the wordpress support page.  There are two specific files in the wordfence update archive that propagate the problem. There has been no 'official' statement.  But that would be one hell of a coincidence.

I've had the same issue now (soaksoak.ru, wp 4.0.1, hostgator, only in chrome with phishing and malware protection enabled). I found out where's the problem with Wordfence
https://wordpress.org/plugins/wordfence/

Btw, there was soaksoak.ru error in the chrome console last couple of days, but the sites were working fine, until today.

Anyway, try this first - download fresh wp installation, and check these files, if they're recently changed, I'm guessing you got the same two hacked:
/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Replace them with the files from the fresh installation.

If it isn't the problem with them, install Wordfence and scan to find the issue.

Now I'm trying to find out how the hell this happened, and I came across your post. We have a number of client sites, with identical dev versions on the hostgator and live ones on other hosts, live sites are perfectly fine, dev sites got the hack (literally all of them), figure can't be the issue with the sites, so I'm guessing it's something up to hostgator.

--- End quote ---
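
The file check suggested in the quoted post above (compare the named files against a fresh WordPress download), as an added example that is not part of the thread: a Python sketch that hashes everything under wp-includes in the live site and in a fresh extract and reports what differs, which generalizes the check beyond the two files. It assumes the fresh copy is the same WordPress version as the site; the function names and command-line arguments are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# The two files named in the thread; everything else under wp-includes is
# checked as well (a generalization added for this example).
SUSPECT = ("wp-includes/template-loader.php", "wp-includes/js/swfobject.js")

def sha256(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def list_files(root, subdir):
    """Relative POSIX paths of all regular files under root/subdir."""
    root = Path(root)
    return {p.relative_to(root).as_posix()
            for p in (root / subdir).rglob("*") if p.is_file()}

def compare(site_root, fresh_root, subdir="wp-includes"):
    """Return {relative_path: status}; fresh_root must be the same WordPress version."""
    site_files = list_files(site_root, subdir)
    fresh_files = list_files(fresh_root, subdir)
    findings = {}
    for rel in sorted(site_files | fresh_files):
        if rel not in site_files:
            findings[rel] = "missing"
        elif rel not in fresh_files:
            findings[rel] = "extra"  # not shipped in the fresh copy: review by hand
        elif sha256(Path(site_root, rel)) != sha256(Path(fresh_root, rel)):
            findings[rel] = "modified"
    return findings

def suspects_changed(findings):
    """Which of the two files named in the thread differ from the fresh copy."""
    return [rel for rel in SUSPECT if rel in findings]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_core.py SITE_ROOT FRESH_WORDPRESS_ROOT")
    result = compare(sys.argv[1], sys.argv[2])
    for rel, status in result.items():
        flag = "  <-- named in the thread" if rel in SUSPECT else ""
        print(f"{status:9} {rel}{flag}")
    sys.exit(1 if result else 0)
```

A file reported as "extra" is not necessarily malicious, but it did not come from the fresh download and should be reviewed before it is kept.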

rgdot:
He found the problem using Wordfence

I found out where's the problem with Wordfence
--- End quote ---

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...

wraith808:
He found the problem using Wordfence

I found out where's the problem with Wordfence
--- End quote ---

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...
-rgdot (December 14, 2014, 04:04 PM)
--- End quote ---

How are the updated ones not Wordfence's files if the fix is to re-download the archive?

I'm not sure... I wasn't affected.  I just figured someone might benefit from knowing in the case that their site was displaying the same symptoms.
