DonationCoder.com Forum

Other Software => Developer's Corner => Topic started by: wraith808 on December 14, 2014, 11:35 AM

Title: Slider Revolution (not Wordfence) Hacked
Post by: wraith808 on December 14, 2014, 11:35 AM
Thankfully, I don't use Wordfence, but apparently it was hacked.  Apparently several (1000s?) Wordpress sites have been hacked through a vector of an old version of Slider Revolution.  I found out from going to dulfys.net, and looking for updates.

http://www.swtor.com/community/showthread.php?t=783325

http://www.reddit.com/r/swtor/comments/2p8yus/anyone_else_getting_soaksoakru_alerts_at_dulfy/

https://wordpress.org/support/topic/all-my-sites-6-hacked-with-soaksoakru?replies=5

And the quote for succinctness:

Looking into it, thanks for the headsup.

It is a known issue affecting multiple wordpress sites apparently. Either vulnerable plugin or something in wordpress: https://wordpress.org/support/topic/all-my-sites-6-hacked-with-soaksoakru?replies=5

Update: We have identified and removed the hacked files. The site should be okay now. May take a day for the warning to clear.

http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522

Apparently the attack vector has been identified.  Again, I don't use it... so just posting this as a PSA.
Title: Re: Wordfence Hacked
Post by: rgdot on December 14, 2014, 01:21 PM
where do these say Wordfence was hacked?
Title: Re: Wordfence Hacked
Post by: wraith808 on December 14, 2014, 03:17 PM
where do these say Wordfence was hacked?

Look at the wordpress support page.  There are two specific files in the wordfence update archive that propagate the problem. There has been no 'official' statement.  But that would be one hell of a coincidence.

I've had the same issue now (soaksoak.ru, wp 4.0.1, hostgator, only in chrome with phishing and malware protection enabled). I found out where's the problem with Wordfence
https://wordpress.org/plugins/wordfence/

Btw, there was soaksoak.ru error in the chrome console last couple of days, but the sites were working fine, until today.

Anyway, try this first - download fresh wp installation, and check these files, if they're recently changed, I'm guessing you got the same two hacked:
/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Replace them with the files from the fresh installation.

If it isn't the problem with them, install Wordfence and scan to find the issue.

Now I'm trying to find out how the hell this happened, and I came across your post. We have a number of client sites, with identical dev versions on the hostgator and live ones on other hosts, live sites are perfectly fine, dev sites got the hack (literally all of them), so I figure it can't be the issue with the sites, and I'm guessing it's something up to hostgator.
Title: Re: Wordfence Hacked
Post by: rgdot on December 14, 2014, 04:04 PM
He found the problem using Wordfence

I found out where's the problem with Wordfence

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...
Title: Re: Wordfence Hacked
Post by: wraith808 on December 14, 2014, 04:08 PM
He found the problem using Wordfence

I found out where's the problem with Wordfence

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...

How are the updated ones not Wordfence's files if the fix is to re-download the archive?

I'm not sure... I wasn't affected.  I just figured someone might benefit from knowing in the case that their site was displaying the same symptoms.
Title: Re: Wordfence Hacked
Post by: rgdot on December 14, 2014, 04:17 PM
download fresh wp installation

He downloaded a fresh copy of WordPress to compare his WordPress install. Those two files are core WordPress files.
Title: Re: Wordfence Hacked
Post by: wraith808 on December 14, 2014, 04:32 PM
well I guess this topic can be deleted.  not being affected, I guess I shouldn't have posted.  :-[
Title: Re: Wordfence Hacked
Post by: rgdot on December 14, 2014, 07:41 PM
Generally speaking only my topics are delete-able  :P
Title: Re: Wordfence Hacked
Post by: TaoPhoenix on December 15, 2014, 01:30 AM

Naw, a lot of work for a proposed "deleted thread".

That's not a good way to do things!

Title: Re: Wordfence Hacked
Post by: Tuxman on December 15, 2014, 03:27 AM
Now this is a good starting point to finally replace WordPress by a static blog generator.
Title: Re: Slider Revolution (not Wordfence) Hacked
Post by: wraith808 on December 16, 2014, 04:51 PM
Updated original post with actual attack vector.
Title: Re: Slider Revolution (not Wordfence) Hacked
Post by: app103 on December 17, 2014, 12:58 AM
The web development company I work for has a client that got hit on Sunday. I discovered it, just as I was about to do some work on his site and couldn't log in.

A little more info on this...

Over 1200 themes sold on ThemeForest were vulnerable to this back in September, around 300 of which were never patched...and of the users of the themes that were patched, most did not receive notification that they need to update their themes. (which is how our client got bit)

ThemeForest also gives away a theme or template every month, so any collectors out there most likely have at least 1 vulnerable theme in their collection that cannot be updated (freebies don't come with updates).

You can find the list of vulnerable ThemeForest themes, here: http://marketblog.envato.com/news/affected-themes/

And these are only the ones they know about that had the vulnerable plugin integrated into them. If the designer never mentioned it in the theme's description, then it's most likely not on the list and the vulnerability status would be unknown.

And there could be more premium themes from other designers and theme shops that are vulnerable, as this premium plugin seems to be a very popular one that premium theme designers love integrating into their themes.

And this is why I hate premium themes and plugins. For most of them, there is little to no support for automatic update notification. You can end up with a ticking time bomb and never know it, till it's too late.

If these were a free plugin and themes from the official Wordpress repository, users would have been notified through their admin panel and/or email as soon as an update was available, with most of them being given the opportunity to fix the issue as far back as 3 months ago. And it's dead simple to update if it's from the repository...one click & it's done. With premium themes & plugins from ThemeForest, it might not be so simple, as they are not known for designers that follow best practices when it comes to keeping the theme or plugin separated from the site's content.

And if you get hit with this and have no idea how to clean up your site, it will cost you plenty to have someone do it for you. Sucuri charges $99 to clean up a site hit by this, and the company I work for charges even more. It could have been really bad for our client, who luckily only had 1 site hit, even though he has used the same vulnerable theme on a bunch of sites.

He found the problem using Wordfence

I found out where's the problem with Wordfence

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...

How are the updated ones not Wordfence's files if the fix is to re-download the archive?

I'm not sure... I wasn't affected.  I just figured someone might benefit from knowing in the case that their site was displaying the same symptoms.

Wordfence is a security plugin for Wordpress that can detect this malware. The fix is not to re-download the Wordfence archive...it's to download the Wordpress core files and reinstall them, overwriting the affected files. Then either update or remove the Revolution Slider plugin, or the premium theme that has it integrated into it.

Now this is a good starting point to finally replace WordPress by a static blog generator.

Totally not necessary, when the problem is not Wordpress itself, but an outdated 3rd party add-on. If we applied that kind of logic to OSs, we would have to get rid of them all, as there are exploitable outdated 3rd party apps available for all of them.
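The check both the quoted support-page steps and app103's reply describe (download a fresh copy of the same WordPress version and see which core files under wp-includes differ) can be automated by hashing both trees. This is an added example, not code from the thread or from WordPress/Wordfence; the directory layout is real WordPress structure but the file contents and the "tampered" tree are constructed sample data.

```python
"""Added example (not from the thread): compare a live WordPress tree against a
fresh download of the same version and report core files that differ, the check
the thread describes for /wp-includes/template-loader.php and swfobject.js."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(fresh_root, live_root, subdir="wp-includes"):
    """Return (modified, added, missing) as sorted relative POSIX paths under subdir.
    modified: in both trees but content differs (the injected-code case in the thread).
    added:    only on the live site (files the fresh download never shipped).
    missing:  in the fresh copy but absent on the live site."""
    fresh_root, live_root = Path(fresh_root), Path(live_root)
    fresh = {p.relative_to(fresh_root).as_posix(): sha256_of(p)
             for p in (fresh_root / subdir).rglob("*") if p.is_file()}
    live = {p.relative_to(live_root).as_posix(): sha256_of(p)
            for p in (live_root / subdir).rglob("*") if p.is_file()}
    modified = sorted(p for p in fresh if p in live and fresh[p] != live[p])
    added = sorted(p for p in live if p not in fresh)
    missing = sorted(p for p in fresh if p not in live)
    return modified, added, missing


def demo():
    """Constructed sample: a clean tree and a copy with one core file altered and
    one unexpected extra file (placeholder content, nothing from the real incident)."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh"), Path(tmp, "live")
        for root in (fresh, live):
            (root / "wp-includes" / "js").mkdir(parents=True)
            (root / "wp-includes" / "template-loader.php").write_text("<?php // loader\n")
            (root / "wp-includes" / "js" / "swfobject.js").write_text("var swfobject = {};\n")
        # Simulate what the thread saw: a core file with an appended line, plus a stray file.
        with (live / "wp-includes" / "template-loader.php").open("a") as f:
            f.write("// CONSTRUCTED: appended line\n")
        (live / "wp-includes" / "extra.php").write_text("<?php // CONSTRUCTED extra file\n")
        return compare_trees(fresh, live)
```

Run `compare_trees("/path/to/fresh-wordpress", "/path/to/live-site")` against a real install; any path in `modified` or `added` is a candidate for replacement from the fresh copy, and the same call with `subdir="wp-admin"` covers the other core directory.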