topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday December 6, 2024, 4:27 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Silder Revolution (not Wordfence) Hacked  (Read 9749 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Silder Revolution (not Wordfence) Hacked
« on: December 14, 2014, 11:35 AM »
Thankfully, I don't use Wordfence, but apparently it was hacked.  Apparently several (1000s?) Wordpress sites have been hacked through a vector of an old version of Slider Revolution.  I found out from going to dulfys.net, and looking for updates.

http://www.swtor.com...wthread.php?t=783325

http://www.reddit.co...kru_alerts_at_dulfy/

https://wordpress.or...soaksoakru?replies=5

And the quote for succinctness:

Looking into it, thanks for the headsup.

It is a know issue affecting multiple wordpress sites apparently. Either vulnerable plugin or something in wordpress: https://wordpress.or...soaksoakru?replies=5

Update: We have identified and removed the hacked files. The site should be okay now. May take a day for the warning to clear.

http://gizmodo.com/m...00-000-wo-1671419522

Apparently the attack vector has been identified.  Again, I don't use it... so just posting this as a PSA.
« Last Edit: December 16, 2014, 04:51 PM by wraith808 »

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #1 on: December 14, 2014, 01:21 PM »
where do these say Wordfence was hacked?

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #2 on: December 14, 2014, 03:17 PM »
where do these say Wordfence was hacked?

Look at the wordpress support page.  There are two specific files in the wordfence update archive that propagate the problem. There has been no 'official' statement.  But that would be one hell of a coincidence.

I've had the same issue now (soaksoak.ru, wp 4.0.1, hostgator, only in chrome with phishing and malware protection enabled). I found out where's the problem with Wordfence
https://wordpress.org/plugins/wordfence/

Btw, there was soaksoak.ru error in the chrome console last couple of days, but the sites were working fine, until today.

Anyway, try this first - download fresh wp installation, and check these files, if they're recently changed, I'm guessing you got the same two hacked:
/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Replace them with the files from the fresh installation.

If it isn't the problem with them, install Wordfence and scan to find the issue.

Now I'm trying to find out how the hell this happened, and I came accross your post. We have a number of client sites, with identical dev versions on the hostgator and live ones on other hosts, live sites are perfectly fine, dev sites got the hack (literally all of them), figure can't be the issue with the sites, so I'm guessing it's something up to hostgator.

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #3 on: December 14, 2014, 04:04 PM »
He found the problem using Wordfence

I found out where's the problem with Wordfence

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #4 on: December 14, 2014, 04:08 PM »
He found the problem using Wordfence

I found out where's the problem with Wordfence

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...

How are the updated one's not Wordfence's files if the fix is to re-download the archive?

I'm not sure... I wasn't affected.  I just figured someone might benefit from knowing in the case that their site was displaying the same symptoms.

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #5 on: December 14, 2014, 04:17 PM »
download fresh wp installation

He downloaded a fresh copy of WordPress to compare his WordPress install. Those two files are core WordPress files.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #6 on: December 14, 2014, 04:32 PM »
well I guess this topic can be deleted.  not being affected, I guess I shouldn't have posted.  :-[

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #7 on: December 14, 2014, 07:41 PM »
Generally speaking only my topics are delete-able  :P

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #8 on: December 15, 2014, 01:30 AM »

Naw, a lot of work for a proposed "deleted thread".

That's not a good way to do things!


Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,507
    • View Profile
    • Donate to Member
Re: Wordfence Hacked
« Reply #9 on: December 15, 2014, 03:27 AM »
Now this is a good starting point to finally replace WordPress by a static blog generator.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Silder Revolution (not Wordfence) Hacked
« Reply #10 on: December 16, 2014, 04:51 PM »
Updated original post with actual attack vector.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: Silder Revolution (not Wordfence) Hacked
« Reply #11 on: December 17, 2014, 12:58 AM »
The web development company I work for has a client that got hit on Sunday. I discovered it, just as I was about to do some work on his site and couldn't log in.

A little more info on this...

Over 1200 themes sold on ThemeForest were vulnerable to this back in September, around 300 of which were never patched...and the users of the themes that were patched, most did not receive notification that they need to update their themes. (which is how our client got bit)

ThemeForest also gives away a theme or template every month, so any collectors out there most likely has at least 1 vulnerable theme in their collection that can not be updated (freebies don't come with updates).

You can find the list of vulnerable ThemeForest themes, here: http://marketblog.en...ews/affected-themes/

And this is only the ones they know about that had the vulnerable plugin integrated into it. If the designer never mentioned it in the theme's description, then it's most likely not on the list and the vulnerability status would be unknown.

And there could be more premium themes from other designers and theme shops that are vulnerable, as this premium plugin seems to be a very popular one that premium theme designers love integrating into their themes.

And this is why I hate premium themes and plugins. For most of them, there is little to no support for automatic update notification. You can end up with a ticking time bomb and never know it, till it's too late.

If these were a free plugin and themes from the official Wordpress repository, users would have been notified through their admin panel and/or email as soon as an update was available, with most of them being given the opportunity to fix the issue as far back as 3 months ago. And it's dead simple to update if it's from the repository...one click & it's done. With premium themes & plugins from ThemeForest, it might not be so simple, as they are not known for designers that follow best practices when it comes to keeping the theme or plugin separated from the site's content.

And if you get hit with this and have no idea how to clean up your site, it will cost you plenty to have someone do it for you. Securi charges $99 to clean up a site hit by this, and the company I work for charges even more. It could have been really bad for our client, who luckily only had 1 site hit, even though he has used the same vulnerable theme on a bunch of sites.

He found the problem using Wordfence

I found out where's the problem with Wordfence

If you are referring to

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...

How are the updated one's not Wordfence's files if the fix is to re-download the archive?

I'm not sure... I wasn't affected.  I just figured someone might benefit from knowing in the case that their site was displaying the same symptoms.

Wordfence is a security plugin for Wordpress that can detect this malware. The fix is not to re-download the Wordfence archive...it's to download the Wordpress core files and reinstall it, overwriting the affected files. Then either update or remove the Revolution Slider plugin, or the premium theme that has it integrated into it.

Now this is a good starting point to finally replace WordPress by a static blog generator.

Totally not necessary, when the problem is not Wordpress itself, but an outdated 3rd party add-on. If we applied that kind of logic to OSs, we would have to get rid of them all, as there are exploitable outdated 3rd party apps available for all of them.